Configuring Ip And Mac Address Validation; Ip And Mac Address Validation In Acx Series - Juniper ACX1000 Configuration Manual

CHAPTER 30
Configuring IP and MAC Address
Validation

IP and MAC Address Validation in ACX Series

Copyright © 2017, Juniper Networks, Inc.
IP and MAC Address Validation in ACX Series on page 995
Configuring IP and MAC Address Validation for Static Interfaces on page 997
IP and MAC address validation enables the ACX Series router to validate that received
packets contain a trusted IP source and an Ethernet MAC source address.
Configuring IP and MAC address validation can provide additional validation when
subscribers access billable services. MAC address validation provides additional security
by enabling the router to drop packets that do not match, such as packets with spoofed
addresses.
When subscribers log in, they are automatically assigned IP addresses by DHCP. With IP
and MAC address validation enabled, the router compares the IP source and MAC source
addresses against trusted addresses, and forwards or drops the packets according to
the match and the validation mode.
IP and MAC address validation on ACX Series routers support Fast Ethernet, Gigabit
Ethernet, and 10-Gigabit Ethernet interfaces (with or without VLAN tagging).
NOTE: In ACX Series routers, IP and MAC address validation is implemented
using ternary content addressable memory (TCAM) space. The allocated
TCAM space for MAC address validation is shared by the logical interface-level
fixed classifier feature. From a scaling perspective, the allocated 192 hardware
TCAM entries are shared by these features and the allocation of TCAM entries
work on a first-come-first-serve mode. On the same logical interface, if these
features are enabled, then IP source and MAC source validation feature takes
higher precedence than the logical interface level fixed classifier. These
features work independently on different logical interfaces without any
limitation.
995