How MAC Address Validation State Inheritance Works

To enable MAC address validation for the static primary IP interface, you must use the existing ip mac-validate command with either the strict keyword or the loose keyword. The strict keyword prevents transmission of IP packets whose addresses do not reside in the MAC validation table. Use the strict keyword to forward packets only when both the IP source address and the MAC source address match one of the IP-MAC address pair entries in the table. When the MAC address in the table does not match the MAC source address, or when the IP source address of the incoming packet does not match any of the IP addresses in the validation table, the packet is dropped.

The loose keyword forwards packets when both the IP source address and the MAC source address match one of the IP-MAC address pair entries in the MAC validation table. When the IP source address matches one of the IP source addresses in the table, but the MAC address of the incoming packet does not match the MAC address of the entry in the table, the packet is dropped. However, when the IP source address of the incoming packet does not match any of the IP addresses in the table, the packet is forwarded. This is the default setting.

Note: When a DHCP discover or a DHCP request packet arrives from a requesting client to the router that functions as the DHCP server or the delegating router on an interface, and if you configured either strict or loose mode of MAC address validation on that interface, the DHCP discover or request packets are processed correctly and are not dropped.

When a dynamic IP subscriber interface is created with the MAC address validation state inherited from the static primary IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface, the router compares the packet’s MAC source address to the value in the MAC validation table. If these values match, the router forwards the packet; otherwise, the packet is discarded.

In addition, creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router’s Address Resolution Protocol (ARP) table. This occurs regardless of whether you configure MAC address validation on the static primary IP interface with the ip mac-validate strict command or the ip mac-validate loose command.
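The following model, added here as an illustration and not Juniper's code, encodes the strict and loose forwarding decisions described above and the way a dynamic IP subscriber interface inherits the parent's state; the table contents, interface names and the `off` mode label are constructed for the example, and the ARP entry is modelled only for the enabled modes the page describes.

```python
"""Model of ip mac-validate strict/loose and state inheritance (added example)."""
from dataclasses import dataclass, field

# Constructed MAC validation table of the static primary IP interface: IP -> MAC.
PARENT_TABLE = {
    "74.39.64.3": "0090.1a40.f4f6",
    "10.13.10.1": "0090.6939.751b",
}


def validate(mode, table, src_ip, src_mac):
    """Return True when a packet with (src_ip, src_mac) is forwarded.

    strict: forward only if the IP-MAC pair is an entry in the table.
    loose : same, except a source IP absent from the table is forwarded.
    off   : validation disabled (constructed label); everything is forwarded.
    """
    if mode == "off":
        return True
    expected_mac = table.get(src_ip)
    if expected_mac is None:
        return mode == "loose"  # unknown IP: strict drops, loose forwards
    return expected_mac.lower() == src_mac.lower()  # known IP: MAC must match


@dataclass
class SubscriberInterface:
    """Dynamic IP subscriber interface created under a static primary interface."""
    name: str
    ip: str
    mac: str
    mode: str  # inherited from the parent, never configured directly
    table: dict = field(default_factory=dict)


def create_subscriber(parent_mode, arp_table, ip, mac):
    """Create a dynamic subscriber interface that inherits the parent's state.

    When validation is enabled on the parent (loose or strict), the subscriber's
    MAC is installed in its validation table and a static ARP entry is added
    (the '*' entry in 'show arp'). The disabled case adds neither (assumption).
    """
    iface = SubscriberInterface(name=f"ip{ip}", ip=ip, mac=mac, mode=parent_mode)
    if parent_mode in ("strict", "loose"):
        iface.table[ip] = mac
        arp_table[ip] = (mac, iface.name, "static")
    return iface


def subscriber_forwards(iface, src_ip, src_mac):
    """Apply the inherited mode to a packet received on the subscriber interface."""
    return validate(iface.mode, iface.table, src_ip, src_mac)
```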

Configuration of MAC Address Validation State Inheritance

No special configuration is required to enable inheritance of the MAC address validation state on dynamic IP subscriber interfaces; this occurs automatically provided that MAC address validation is properly enabled on the parent static primary IP interface with the ip mac-validate command. If MAC address validation is disabled on the static primary IP interface, the dynamic subscriber interface inherits the disabled state for MAC address validation.

Keep the following guidelines in mind for using dynamic IP subscriber interfaces that inherit the MAC address validation state from their parent static primary IP interface:

Verification of MAC Address Validation State Inheritance

To verify inheritance of the MAC address validation state on a dynamic subscriber interface, you can use the show ip mac-validate interface command and the show arp command.

The following sample output from the show ip mac-validate interface command displays the MAC address validation state (strict) inherited by the dynamic subscriber interface ip74.39.64.3 from its parent static primary IP interface.

host1#show ip mac-validate interface ip74.39.64.3
ip74.39.64.3:  Strict
        Address       Hardware Addr
        74.39.64.3    0090.1a40.f4f6

Building on this example, the following sample output from the show arp command displays a static MAC address validation entry (74.39.64.3) in the ARP table for the dynamic subscriber interface when it is created with the MAC address validation state inherited from its parent static primary IP interface. The asterisk (*) indicates that the ARP entry was added as the result of issuing an arp validate command rather than an arp command.

host1#show arp
        Address         Age         Hardware Addr    Interface
     10.13.10.1       21600        0090.6939.751b    FastEthernet6/0
     74.39.64.3         -          0090.1a40.f4f6    ip74.39.64.3 *
    192.168.1.2       20700        0090.1a40.280d    FastEthernet8/2
