Processing of IWF PPPoE Sessions with Duplicate MAC Addresses
Guidelines for Configuring Duplicate Protection for IWF PPPoE Sessions
Copyright © 2010, Juniper Networks, Inc.
Example
host1(config-if)#pppoe sessions 128
Use the no version to restore the default value, 8000 (ERX routers) or 16,000 (E120
and E320 routers) or 32,000 (ES2 10G ADV LM).
See pppoe sessions.
JunosE Software supports detection of PPPoE sessions with duplicate MAC addresses
that contain interworking function (IWF) tags. The IWF feature performs a set of
operations on a subscriber's session to enable the transport of PPPoE over ATM traffic
on a PPPoE interface.
PPPoE supports duplicate detection based on MAC addresses to prevent spoofed MAC
addresses and to stop unauthorized users from attempting to use the MAC address of
another valid user. When duplicate protection is configured for the underlying interface,
a dynamic PPPoE logical interface cannot be activated when an existing active logical
interface is present for the same PPPoE client. This mechanism prevents an unauthorized
user from denying or disrupting service to a legitimate user.
Although duplicate protection of PPPoE sessions with the same MAC address prevents
unauthorized access to resources, there are scenarios in interworked PPPoE sessions in
which multiple sessions originating from the same MAC address are required for access
to network services and applications. In this release, you can enable multiple PPPoE
sessions with the same MAC address that contain the IWF tag to be established. This
feature is useful for IWF PPPoE sessions because a number of such sessions carry the
same MAC address, that of the DSLAM at which the multiplexing and conversion functions
are performed.
Keep the following points in mind when you configure duplicate protection for IWF PPPoE
sessions:
• In most environments, a 1:1 relationship between the DSLAM and the PPPoE access
concentrator is present. In such situations, all IWF sessions demultiplexed at any PPPoE
access concentrator are required to contain the same source MAC address. In
deployments where IWF sessions originate from multiple MAC addresses (because
multiple DSLAMs are used to demultiplex subscriber sessions) and no VLAN grouping of
VLAN IDs is configured, IWF sessions are not limited per source MAC address.
• If a user spoofs the IWF-Session VSA in a PPPoE PADR that originates from the PPPoE
client or access loop for a non-IWF session, this user might be able to bypass the
duplicate protection setting configured on the router. The PPPoE access concentrator
cannot detect such spoofing when the interworking functionality is activated.
Table 22 on page 392 describes the different scenarios in which duplicate MAC addresses
are supported for IWF PPPoE sessions and non-IWF PPPoE sessions, when duplicate
protection configuration is enabled or disabled on a router.
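The duplicate-protection decision described above, as an added example in Python that is not Juniper's code and is not part of this guide: it parses the tag list of a constructed PADR, looks for the IWF-Session sub-option inside the PPPoE Vendor-Specific tag, and applies the duplicate-MAC rule with the IWF exemption. The tag values (Vendor-Specific tag 0x0105, Broadband Forum vendor ID 3561, IWF-Session sub-option 0xFE) are taken from TR-101, not from this page; the exemption rule (only a request that itself carries the IWF tag may share a source MAC with an active session), the session-limit check and the sample MAC are modelling assumptions. The second guideline above follows directly from this logic: the concentrator decides on the tag alone, so a non-IWF session carrying that tag is accepted exactly like a genuine IWF session.

```python
"""Model of PPPoE duplicate-MAC protection with the IWF exemption.

Added example, not Juniper code. Tag values follow TR-101 (assumed from the
spec, not from the guide): Vendor-Specific tag 0x0105, vendor ID 3561 (BBF),
sub-option 0xFE = IWF-Session.
"""
import struct
from dataclasses import dataclass, field

TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
TAG_END_OF_LIST = 0x0000
BBF_VENDOR_ID = 3561          # 0x00000DE9, Broadband Forum (assumed from TR-101)
SUBOPT_IWF_SESSION = 0xFE     # IWF-Session sub-option (assumed from TR-101)


def parse_pppoe_tags(payload: bytes):
    """Parse a PPPoE discovery TAG list into (type, value) pairs."""
    tags = []
    off = 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tlen > len(payload):
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, payload[off:off + tlen]))
        off += tlen
        if ttype == TAG_END_OF_LIST:
            break
    return tags


def has_iwf_tag(tags) -> bool:
    """True if a BBF vendor-specific tag carries the IWF-Session sub-option."""
    for ttype, value in tags:
        if ttype != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack_from("!I", value, 0)[0] != BBF_VENDOR_ID:
            continue
        off = 4
        while off + 2 <= len(value):          # sub-options are TLVs: type, len, data
            sub, slen = value[off], value[off + 1]
            if sub == SUBOPT_IWF_SESSION:
                return True
            off += 2 + slen
    return False


def build_padr_payload(iwf: bool) -> bytes:
    """Construct a minimal PADR tag list: empty Service-Name, optional IWF tag, End-Of-List."""
    tags = struct.pack("!HH", TAG_SERVICE_NAME, 0)
    if iwf:
        vs = struct.pack("!I", BBF_VENDOR_ID) + bytes([SUBOPT_IWF_SESSION, 0])
        tags += struct.pack("!HH", TAG_VENDOR_SPECIFIC, len(vs)) + vs
    return tags + struct.pack("!HH", TAG_END_OF_LIST, 0)


@dataclass
class PppoeInterface:
    """Per-interface state of the access concentrator (modelling assumption)."""
    duplicate_protection: bool = True
    allow_iwf_duplicates: bool = False
    max_sessions: int = 8000                      # "pppoe sessions" limit; 8000 is the ERX default
    active: list = field(default_factory=list)    # (src_mac, iwf) of active sessions

    def handle_padr(self, src_mac: bytes, padr_payload: bytes) -> str:
        iwf = has_iwf_tag(parse_pppoe_tags(padr_payload))
        if len(self.active) >= self.max_sessions:
            return "reject: session limit"
        same_mac = any(mac == src_mac for mac, _ in self.active)
        # Only the presence of the tag is visible here: a forged IWF-Session
        # tag on a non-IWF request takes the same path as a genuine one.
        if self.duplicate_protection and same_mac and not (iwf and self.allow_iwf_duplicates):
            return "reject: duplicate MAC"
        self.active.append((src_mac, iwf))
        return "accept"


def demo():
    """Three PADRs from one DSLAM MAC with duplicate protection and IWF duplicates enabled."""
    dslam_mac = bytes.fromhex("001122334455")     # constructed sample MAC
    ac = PppoeInterface(duplicate_protection=True, allow_iwf_duplicates=True)
    return [
        ac.handle_padr(dslam_mac, build_padr_payload(iwf=True)),   # first IWF session
        ac.handle_padr(dslam_mac, build_padr_payload(iwf=True)),   # second IWF session, same MAC
        ac.handle_padr(dslam_mac, build_padr_payload(iwf=False)),  # non-IWF session, same MAC
    ]


if __name__ == "__main__":
    print(demo())
```

With the IWF exemption enabled, the two tagged requests are accepted and the untagged one is rejected; with `allow_iwf_duplicates=False` the second tagged request is rejected as well, and with `duplicate_protection=False` every request is accepted up to the session limit.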
Chapter 12: Configuring Point-to-Point Protocol over Ethernet
391
JunosE Software for E Series 11.3.x - Link Layer Configuration Guide, 2010-10-13