Alcatel-Lucent 7750 SR OS Service Manual page 326

VPLS Service Overview
The 7750 SR-Series enables MAC learning protection capability for SAPs and SDPs. With this
mechanism, forwarding and learning rules apply to the non-protected SAPs. Assume hosts H1, H2
and H3
arrives at a protected SAP/SDP the MAC is learned as usual. When a frame arrives from a non-
protected SAP or SDP the frame must be dropped if the source MAC address is protected and the
MAC address is not relearned. The system allows only packets with a protected MAC destination
address.
The system may be configured the following ways:
•
•
•
In order to eliminate the ability of a subscriber to cause a DOS attack, the node restricts the
learning of protected MAC addresses based on a statically defined list. In addition the destination
MAC address is checked against the protected MAC list to verify that a packet entering a restricted
SAP has a protected MAC as a destination.
Page 326
Figure 1: MAC Learning Protection
(Figure 33) are non-protected while IES interfaces G and H are protected. When a frame
Static — The addresses of all protected MACs are configured. Only the IP address can be
included and use a dynamic mechanism to resolve the MAC address (cpe-ping). All
protected MACs in all VPLS instances in the network must be configured.
Dynamic — The edge SAPs to protect all MAC addresses learned through them are
configured. Every MAC address learned on a protection enabled SAP will be protected.
The origin VPLS instance will signal the protection of the MAC to other instances in the
VPN. The protection of the MAC address must be learned in context of the announcing
VPN member and the MAC must be protected at that SDP. The MAC address can be
relearned on a different SDP with this mechanism.
Both — Static and dynamic.
7750 SR OS Services Guide