Overview of IWF PPPoE Sessions with Duplicate MAC Addresses

JunosE Software supports detection of PPPoE sessions with duplicate MAC addresses that contain interworking function (IWF) tags. The IWF feature performs a set of operations on a subscriber’s session to enable the transport of PPPoE over ATM traffic on a PPPoE interface.

PPPoE supports duplicate detection based on MAC addresses to prevent spoofed MAC addresses and to avoid unauthorized users from attempting to use the MAC address of another valid user. When duplicate protection is configured for the underlying interface, a dynamic PPPoE logical interface cannot be activated when an existing active logical interface is present for the same PPPoE client. This mechanism prevents an unauthorized user to deny or disrupt service to a legitimate user.

Although duplicate protection of PPPoE sessions with the same MAC address enables prevention of unauthorized access to resources, there might be scenarios in interworked PPPoE sessions in which multiple sessions that originate from the same MAC address are required for access to network services and applications. In this release, you can enable multiple PPPoE sessions with the same MAC address that contain the IWF tag to be established. This feature is useful for IWF PPPoE sessions because of a number of such sessions contain the same MAC address of the DSLAM at which multiplexing and conversion functions are performed.

For PPPoE sessions that contain the IWF-Session DSL Forum VSA (26-254) in the PADR packets sent from the client to the PPPoE access concentrator, multiple subscriber sessions with the same MAC address can originate. This behavior occurs because the interworking functionality (IWF) causes a PPPoE over ATM or PPP over ATM (PPPoA) session to be converted by the digital subscriber line access multiplexer (DSLAM) into a PPPoE session. As a result of this conversion, the MAC addresses of all IWF PPPoE sessions contain the MAC address of the DSLAM device.

For PPPoE sessions with the IWF-Session VSA, duplication of MAC addresses is permitted by default. Regardless of whether the duplicate protection feature is enabled, multiple IWF PPPoE sessions with the same MAC address (the address of the DSLAM device) are not terminated until the limit on the maximum number of PPPoE sessions configured on the major interface is reached.

Related Documentation