Designating Traffic For The Primary Ip Interface; Using Framed Routes; Interfaces; How Mac Address Validation State Inheritance Works - Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual

Software for e series broadband services routers broadband access configuration guide

Copyright © 2010, Juniper Networks, Inc.

Designating Traffic for the Primary IP Interface

When dynamic creation of subscriber interfaces is enabled on the primary IP interface (by means of the ip auto-configure ip-subscriber command), you can use the ip source-prefix command to specify the source address of traffic that is destined for the primary IP interface instead of the subscriber interface. If the DHCP server (for DHCP server configurations) or the router (for packet detection configurations) then assigns a subscriber an IP address matching this source prefix, the router does not create a dynamic subscriber interface for that address.

Using Framed Routes

You can use the ip use-framed-routes ip-subscriber command to enable a primary IP interface to use framed routes as source IP addresses when creating dynamic subscriber interfaces. The framed routes are applied to the dynamic subscriber interface during configuration so traffic from the subnets can traverse the interface. By applying framed routes in this fashion, you can extend the per-subscriber interface management to any subnetworks behind the dynamic subscriber interface. RADIUS includes the Framed-Route attribute [22] in Access-Accept messages to specify the route in the following format:

Framed-Route = ipAddress/mask nextHop

Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces

A dynamic IP subscriber interface inherits the MAC address validation state (enabled or disabled) configured for its parent static primary IP interface.

MAC address validation binds a MAC source address for an interface to a given IP source address. When the IP-MAC binding is established, the router forwards ingress packets on the interface when the packet's MAC source address and IP source address match, and drops ingress packets when the packet's MAC source address and IP source address do not match. MAC address validation thereby prevents spoofing on IP-based Ethernet interfaces, and is very useful in subscriber management applications.

When MAC address validation is enabled on an interface, the router checks the entry in the MAC validation table that corresponds to the IP source address of an incoming packet. The MAC source address of the packet must match the MAC source address of the table entry for the router to forward the packet.

How MAC Address Validation State Inheritance Works

To enable MAC address validation for the static primary IP interface, you must use the existing ip mac-validate command with either the strict keyword or the loose keyword. The strict keyword prevents transmission of IP packets that do not reside in the MAC validation table. The loose keyword, which is the default setting, enables IP packets to pass through even when the packets do not have entries in the MAC validation table; only packets that have matching IP-MAC pair entries in the table are validated.
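
The strict and loose behavior described above, modeled as a small Python function. This is an added example, not JUNOSe code or Juniper's implementation; the table contents, addresses and function names are constructed for illustration.

```python
import ipaddress

def norm_mac(mac: str) -> str:
    """Canonicalize a MAC so 02-00-.., 0200.0000.. and 02:00:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def build_table(bindings):
    """Map IP source address -> expected MAC source address."""
    return {ipaddress.ip_address(ip): norm_mac(mac) for ip, mac in bindings}

def validate(table, mode, src_ip, src_mac):
    """Return 'forward' or 'drop' for one ingress packet.

    mode is 'strict' or 'loose', mirroring the ip mac-validate keywords.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown mode: {mode!r}")
    expected = table.get(ipaddress.ip_address(src_ip))
    if expected is None:
        # No IP-MAC binding for this source address:
        # strict drops it, loose lets it through unvalidated.
        return "drop" if mode == "strict" else "forward"
    return "forward" if norm_mac(src_mac) == expected else "drop"

# Constructed sample data: documentation-range IPs, locally administered MACs.
TABLE = build_table([
    ("192.0.2.10", "02:00:00:00:00:0a"),
    ("192.0.2.11", "02:00:00:00:00:0b"),
])
PACKETS = [
    ("192.0.2.10", "0200.0000.000a"),     # bound IP, matching MAC
    ("192.0.2.11", "02:00:00:00:00:0A"),  # bound IP, another subscriber's MAC
    ("192.0.2.99", "02:00:00:00:00:63"),  # source IP with no table entry
]

def compare_modes(table, packets):
    """Verdicts for each packet under both modes: [(ip, strict, loose), ...]."""
    return [(ip, validate(table, "strict", ip, mac), validate(table, "loose", ip, mac))
            for ip, mac in packets]

if __name__ == "__main__":
    for ip, strict, loose in compare_modes(TABLE, PACKETS):
        print(f"{ip:<12} strict={strict:<8} loose={loose}")
```

The third packet is the case to watch: under loose, a source address with no binding is forwarded without any MAC check, while a mismatched MAC for a bound address is dropped in both modes.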

When a dynamic IP subscriber interface is created with the MAC address validation state inherited from the static primary IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface,
Chapter 25: Configuring Subscriber Interfaces