
    IP and MAC Address Validation in ACX Series

    IP and MAC address validation enables the ACX Series router to verify that received packets carry a trusted IP source address and a trusted Ethernet MAC source address.

    Configuring IP and MAC address validation can provide additional validation when subscribers access billable services. MAC address validation provides additional security by enabling the router to drop packets that do not match, such as packets with spoofed addresses.

    When subscribers log in, they are automatically assigned IP addresses by DHCP. With IP and MAC address validation enabled, the router compares the IP source and MAC source addresses against trusted addresses, and forwards or drops the packets according to the match and the validation mode.

    IP and MAC address validation on ACX Series routers supports Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces (with or without VLAN tagging).

    Note: In ACX Series routers, IP and MAC address validation is implemented using ternary content addressable memory (TCAM) space. The TCAM space allocated for MAC address validation is shared with the logical interface-level fixed classifier feature. From a scaling perspective, the allocated 192 hardware TCAM entries are shared by these features, and TCAM entries are allocated on a first-come, first-served basis. If both features are enabled on the same logical interface, the IP source and MAC source validation feature takes precedence over the logical interface-level fixed classifier. On different logical interfaces, the features work independently without any limitation.

    Trusted Addresses

    A trusted address tuple comprises a 32-bit IP address and a 48-bit MAC address. Prefixes and ranges are not supported.

    The IP source address and the MAC source address used for validation must be from a trusted source.

    All static ARP addresses configured through the Junos OS CLI are trusted addresses; dynamic ARP addresses are not considered trusted addresses.

    Addresses dynamically created through an extended DHCP local server are also trusted addresses. When a DHCP server and client negotiate an IP address, the resulting IP address and MAC address tuple is trusted. Each DHCP subscriber can generate more than one address tuple.

    Each MAC address can have more than one IP address, which can result in more than one valid tuple. Each IP address must map to one MAC address.

    Types of IP and MAC Address Validation

    You can configure either of two types or modes of MAC address validation—loose or strict. The behavior of the two modes varies depending on how well the incoming packets match the trusted address tuples. The modes differ only when the IP source address alone does not match any trusted IP address. Table 1 compares the behavior of the two modes. Dropped packets are considered to be spoofed.

    Table 1: Comparison of MAC Address Validation Modes

    | Incoming Packet Addresses Match Trusted Address Tuple                                      | Loose Mode Action | Strict Mode Action |
    |--------------------------------------------------------------------------------------------|-------------------|--------------------|
    | IP source address matches and MAC source address matches                                   | Forwards packet   | Forwards packet    |
    | IP source address matches but MAC source address does not match                            | Drops packet      | Drops packet       |
    | IP source address does not match and MAC source address either matches or does not match   | Forwards packet   | Drops packet       |

    Configuring strict mode is a more conservative strategy because it requires both received source addresses to match trusted addresses.
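    The decision logic of Table 1 as an added example (a Python model, not Junos code): a trusted IP/MAC table that enforces the one-MAC-per-IP rule from the Trusted Addresses section and applies loose or strict mode to constructed sample packets. All addresses below are constructed sample values.

```python
"""Model of ACX-style IP/MAC source validation (added example, not Junos code).

Trusted tuples come from static ARP entries or DHCP local-server bindings
(constructed sample values below). Loose and strict mode differ only when
the IP source address matches no trusted IP, exactly as in Table 1.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class TrustedTable:
    # ip -> mac; a MAC may own several IPs, but each IP maps to one MAC
    _by_ip: dict = field(default_factory=dict)

    def add(self, ip: str, mac: str) -> None:
        ip_key = IPv4Address(ip)          # 32-bit address; no prefixes/ranges
        mac = mac.lower()
        existing = self._by_ip.get(ip_key)
        if existing is not None and existing != mac:
            raise ValueError(f"{ip} already bound to {existing}")
        self._by_ip[ip_key] = mac

    def validate(self, src_ip: str, src_mac: str, mode: str) -> str:
        """Return 'forward' or 'drop' for a packet's source addresses."""
        if mode not in ("loose", "strict"):
            raise ValueError("mode must be 'loose' or 'strict'")
        trusted_mac = self._by_ip.get(IPv4Address(src_ip))
        if trusted_mac is None:
            # IP unknown: loose forwards, strict treats the packet as spoofed
            return "forward" if mode == "loose" else "drop"
        # IP is trusted: in either mode the MAC must be the one bound to it
        return "forward" if trusted_mac == src_mac.lower() else "drop"


def demo() -> dict:
    table = TrustedTable()
    table.add("192.0.2.10", "00:00:5e:00:53:01")   # constructed static ARP entry
    table.add("192.0.2.11", "00:00:5e:00:53:01")   # same MAC, second DHCP lease
    packets = {
        "match": ("192.0.2.10", "00:00:5e:00:53:01"),
        "mac_mismatch": ("192.0.2.10", "00:00:5e:00:53:ff"),
        "ip_unknown": ("192.0.2.99", "00:00:5e:00:53:01"),
    }
    return {f"{name}/{mode}": table.validate(ip, mac, mode)
            for name, (ip, mac) in packets.items()
            for mode in ("loose", "strict")}
```

    The three packets correspond to the three rows of Table 1; only the unknown-IP packet is treated differently by the two modes.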

    Modified: 2017-08-31