Table of Contents
Advertisement
JUNOSe 11.1.x Broadband Access Configuration Guide
IP-based Ethernet interfaces, and is very useful in subscriber management
applications.
When MAC address validation is enabled on an interface, the router checks the entry
in the MAC validation table that corresponds to the IP source address of an incoming
packet. The MAC source address of the packet must match the MAC source address
of the table entry for the router to forward the packet.
How MAC Address Validation State Inheritance Works
To enable MAC address validation for the static primary IP interface, you must use
the existing ip mac-validate command with either the strict keyword or the loose
keyword. The strict keyword prevents transmission of IP packets that do not reside
in the MAC validation table. The loose keyword, which is the default setting, enables
IP packets to pass through even when the packets do not have entries in the MAC
validation table; only packets that have matching IP-MAC pair entries in the table
are validated.
When a dynamic IP subscriber interface is created with the MAC address validation
state inherited from the static primary IP interface, an entry for the MAC source
address is installed in the MAC validation table when MAC address validation is
enabled (either loose or strict) on the static primary IP interface. For each packet
received on this interface, the router compares the packet's MAC source address to
the value in the MAC validation table. If these values match, the router forwards the
packet; otherwise, the packet is discarded.
In addition, creation of the dynamic IP subscriber interface adds a static MAC address
validation entry in the router's Address Resolution Protocol (ARP) table. This occurs
regardless of whether you configure MAC address validation on the static primary
IP interface with the ip mac-validate strict command or the ip mac-validate loose
command.
Configuration of MAC Address Validation State Inheritance
No special configuration is required to enable inheritance of the MAC address
validation state on dynamic IP subscriber interfaces; this occurs automatically provided
that MAC address validation is properly enabled on the parent static primary IP
interface with the ip mac-validate command. If MAC address validation is disabled
on the static primary IP interface, the dynamic subscriber interface inherits the
disabled state for MAC address validation.
Keep the following guidelines in mind for using dynamic IP subscriber interfaces
that inherit the MAC address validation state from their parent static primary IP
interface:
614
Dynamic Creation of Subscriber Interfaces
A dynamic subscriber interface inherits the MAC address validation state of its
static primary IP interface only when the dynamic subscriber interface is created.
You cannot change the MAC address validation state inherited by a dynamic
subscriber interface from its static primary IP interface.
Changing the MAC address validation state of a static primary IP interface does
not affect the MAC address validation state of dynamic subscriber interfaces
already created from this primary IP interface. Any dynamic subscriber interfaces
Advertisement
Table of Contents
Troubleshooting
