I got a working setup with BGP, MPLS and EVPN where CPEs connect to the EVPN instance trying to obtain an IP address with PPPoE and where one or multiple PPPoE access concentrators respond.
The biggest issue I have with this setup is that every device connected to an EVPN instance gets to learn all MAC addresses in that EVPN instance.
Is there a way where only a handful of devices (interfaces in the EVPN instance) are allowed to see all MAC addresses? So to limit the broadcast of MAC addresses to a few interfaces?
These devices are the pppoe access concentrators, the only devices allowed to respond.
I don't want a customer edge (CE) device to be able to see MAC addresses of other customers.
CPE / CE (x1000) (untrusted) --- MX edge ---- (trusted) MX pppoe access concentrator
Can you please elaborate if you don't want the Access Concentrator (CE device) to know the MAC address of your customer?
You don't want various customers to know the MAC address of each other?
(I don't think this will ever happen)
I fixed the issue myself, hereunder you can read how I did it.
All customers and the Access Concentrators are part of the same EVPN instance.
When a random customer wishes to obtain an IP address with PPPoE, a PADI packet is sent towards the EVPN instance.
Then all devices, including other customers connected to the EVPN instance, get to learn the MAC address from that customer (since it is a broadcast packet).
A family bridge output filter towards the customer fixes this issue. The filter discards all PADI broadcast packets towards CPEs while allowing all other discovery and session packets (communication between AC and CPE).
The input filter accepts all discovery and session ether-type packets.
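As an added example of the two filters described above (not the poster's own configuration), here is a Junos-style family bridge filter pair. Filter, counter and interface names, the VLAN and the encapsulation are assumptions; PADI is matched by its PPPoE discovery ether-type plus the broadcast destination MAC, since PADI is the only discovery frame a CPE should never receive (PADO/PADR/PADS/PADT are unicast).

```junos
firewall {
    family bridge {
        /* Output filter towards untrusted CPE ports (assumed name). */
        filter CPE-OUT {
            term drop-padi {
                from {
                    ether-type pppoe-discovery;          /* 0x8863 */
                    destination-mac-address {
                        ff:ff:ff:ff:ff:ff/48;             /* broadcast = PADI */
                    }
                }
                then {
                    count padi-dropped;
                    discard;
                }
            }
            /* Unicast PADO/PADR/PADS/PADT and session frames pass. */
            term accept-rest {
                then accept;
            }
        }
        /* Input filter from CPE: only PPPoE ether-types enter the EVPN. */
        filter CPE-IN {
            term pppoe-only {
                from {
                    ether-type [ pppoe-discovery pppoe-session ];
                }
                then {
                    count pppoe-accepted;
                    accept;
                }
            }
            term drop-rest {
                then {
                    count other-dropped;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {                                   /* assumed CPE-facing port */
        encapsulation ethernet-bridge;
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 100;                     /* assumed customer VLAN */
                filter {
                    input CPE-IN;
                    output CPE-OUT;
                }
            }
        }
    }
}
```

After commit, the `padi-dropped` counter under `show firewall filter CPE-OUT` should increment whenever another customer sends a PADI, while the CPE on ge-0/0/1 still completes its own PPPoE discovery with the AC.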