This may have been answered, but I'm behind on the list traffic and I'm not going to read everything. Proper ISP equipment should prevent BUM traffic from traveling from CPE to CPE. Any broadcast should only go up to your gateway. On your gateway you'll enable DHCP Relay pointing at your DHCP server, and you'll enable proxy ARP. Without proxy ARP the customers on the same subnet won't be able to talk to each other, which isn't an issue until it's an issue, but eventually it'll come up if you don't handle that case with proxy ARP.
On any PON product I've seen this is the default mode of operation (though obviously I haven't seen them all). On Cambium PMP or ePMP you had to enable broadcast/multicast filters and/or SM Isolation, but you could absolutely solve that issue with a simple config change. On most Ethernet switches you'd use port isolation, which might go by different names on different products, but it should be there. I don't know what Ubiquiti wireless has for this, but I know their UFiber ONUs are isolated from each other. The isolation prevents the security issue you mentioned and also mitigates the risk of rogue DHCP, broadcast storms, and other nonsense. It should be the *default* config on products made for ISPs, but even if it's not the default it should be an option. If it's not an option then don't use that product (or don't stop using PPPoE with that product).

-Adam

On Tue, Nov 5, 2024 at 4:39 PM Mark - Myakka Technologies via AF <af@af.afmug.com> wrote:

> We have always used PPPoE in the past. It just happened to be what our first system 23 years ago was based on and we just stuck with it. We are setting up a new area with all new equipment. Looking at setting it up as DHCP. Looks like I can do some DHCP RADIUS stuff and our new equipment will inject data via option 82 if I want.
>
> The issue I can't wrap my head around is security. If I just set up a normal DHCP server, all clients will be on the same LAN. That would not be good.
>
> I'm looking at option 121 and /32 addresses. But, I don't think all residential routers support 121.
>
> VLANs are another option, but I don't think they will scale well.
>
> I feel like I'm missing some type of simple answer.
>
> --
>
> Thanks,
> Mark mailto:m...@mailmt.com
>
> Myakka Communications
> www.Myakka.com
>
> Serving Manatee and Sarasota Counties with High-Speed Internet for over 20 years
>
> --
> AF mailing list
> AF@af.afmug.com
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
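The quoted message mentions handing out /32 addresses with DHCP option 121. The block below is an added example, not code from either poster or from any vendor, showing how the option 121 payload (RFC 3442 classless static routes) is actually encoded and decoded, so you can check what a server would need to emit and what a client would have to parse. The route list, the addresses (documentation ranges 192.0.2.0/24 and 100.64.0.0/10) and the function names are all constructed for this illustration; whether a given residential router honours the option is exactly the open question in the thread and is not something this code can answer.

```python
import ipaddress

# DHCP option code for classless static routes, RFC 3442.
OPTION_CLASSLESS_STATIC_ROUTE = 121


def encode_routes(routes):
    """Encode a list of (destination_cidr, router) pairs into the option 121 payload.

    RFC 3442 layout per route: one byte prefix width, then only the
    significant octets of the destination (ceil(width/8) of them), then the
    4-octet router address. A /32 therefore costs all four destination
    octets; the default route (width 0) carries none.
    """
    payload = bytearray()
    for dest, router in routes:
        # strict=True: reject a destination with host bits set so we never
        # emit something other than a network address.
        net = ipaddress.IPv4Network(dest, strict=True)
        width = net.prefixlen
        significant = (width + 7) // 8
        payload.append(width)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)


def decode_routes(payload):
    """Decode an option 121 payload back into (destination_cidr, router) pairs.

    Truncated or malformed input raises ValueError rather than yielding a
    partial route, which is how a receiver should treat a bad option.
    """
    routes = []
    i = 0
    while i < len(payload):
        width = payload[i]
        i += 1
        if width > 32:
            raise ValueError("prefix width %d out of range" % width)
        significant = (width + 7) // 8
        dest_octets = bytes(payload[i:i + significant])
        i += significant
        router = bytes(payload[i:i + 4])
        i += 4
        if len(dest_octets) != significant or len(router) != 4:
            raise ValueError("truncated route descriptor")
        # Zero-pad the omitted octets; strict=False masks stray host bits
        # a sloppy sender may have left in the last significant octet.
        dest_octets += b"\x00" * (4 - significant)
        net = ipaddress.IPv4Network((dest_octets, width), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def build_option(routes):
    """Return the full TLV: option code, length byte, payload."""
    payload = encode_routes(routes)
    if len(payload) > 255:
        raise ValueError("option 121 payload exceeds a single-option length")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(payload)]) + payload


if __name__ == "__main__":
    # Constructed sample: a default route plus one host (/32) route, both via
    # the same gateway in the 100.64.0.0/10 shared address space.
    sample = [("0.0.0.0/0", "100.64.0.1"), ("192.0.2.10/32", "100.64.0.1")]
    tlv = build_option(sample)
    print("option 121 TLV:", tlv.hex())
    print("decoded:", decode_routes(tlv[2:]))
```

The default route is the five-byte sequence `00 64 40 00 01`; the /32 route spends nine bytes because every destination octet is significant. Keeping the encoder and decoder side by side is the useful part: if a client ignores or mis-parses option 121, the symptom is a host that accepted its /32 lease but has no route to the gateway, and a packet capture compared against `build_option` output tells you immediately whether the server emitted a well-formed option.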