
    How MAC Address Validation State Inheritance Works

    To enable MAC address validation for the static primary IP interface, you must use the existing ip mac-validate command with either the strict keyword or the loose keyword. The strict keyword prevents transmission of IP packets whose source addresses do not appear in the MAC validation table. Use the strict keyword to forward packets only when both the IP source address and the MAC source address match one of the IP-MAC address pair entries in the table. When the MAC address in the table does not match the MAC source address, or when the IP source address of the incoming packet does not match any of the IP addresses in the validation table, the packet is dropped.

    The loose keyword forwards packets when both the IP source address and the MAC source address match one of the IP-MAC address pair entries in the MAC validation table. When the IP source address matches one of the IP source addresses in the table, but the MAC address of the incoming packet does not match the MAC address of the entry in the table, the packet is dropped. However, when the IP source address of the incoming packet does not match any of the IP addresses in the table, the packet is forwarded. This is the default setting.

    Note: When a DHCP discover or DHCP request packet from a requesting client arrives on an interface of the router that functions as the DHCP server or the delegating router, and you have configured either strict or loose mode of MAC address validation on that interface, the DHCP discover or request packets are processed correctly and are not dropped.

    When a dynamic IP subscriber interface is created with the MAC address validation state inherited from the static primary IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface, the router compares the packet’s MAC source address to the value in the MAC validation table. If these values match, the router forwards the packet; otherwise, the packet is discarded.

    In addition, creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router’s Address Resolution Protocol (ARP) table. This occurs regardless of whether you configure MAC address validation on the static primary IP interface with the ip mac-validate strict command or the ip mac-validate loose command.

    Configuration of MAC Address Validation State Inheritance

    No special configuration is required to enable inheritance of the MAC address validation state on dynamic IP subscriber interfaces; this occurs automatically provided that MAC address validation is properly enabled on the parent static primary IP interface with the ip mac-validate command. If MAC address validation is disabled on the static primary IP interface, the dynamic subscriber interface inherits the disabled state for MAC address validation.

    Keep the following guidelines in mind for using dynamic IP subscriber interfaces that inherit the MAC address validation state from their parent static primary IP interface:

    • A dynamic subscriber interface inherits the MAC address validation state of its static primary IP interface only when the dynamic subscriber interface is created.
    • You cannot change the MAC address validation state inherited by a dynamic subscriber interface from its static primary IP interface.
    • Changing the MAC address validation state of a static primary IP interface does not affect the MAC address validation state of dynamic subscriber interfaces already created from this primary IP interface. Any dynamic subscriber interfaces created from this primary IP interface after you change the MAC address validation state inherit the new MAC validation state.
    • When you configure a dynamic subscriber interface with one or more framed routes (subnets), we recommend that you use the ip mac-validate loose command to configure MAC address validation for the static primary IP interface. Using the loose keyword, which is the default, prevents the router from discarding packets with an IP source address from a subnet.
    • Because enabling MAC address validation on an IP interface creates a static MAC address validation entry in the router’s ARP table, be sure to observe the system limit for the maximum number of dynamic ARP table entries supported per line module. See the Link Layer Maximums tables in Appendix A, System Maximums, of the Release Notes corresponding to your software release for information about the maximum number of dynamic ARP entries that the router supports. Currently, this limit is set to 32,768 dynamic ARP entries for all E Series modules that support Ethernet interfaces.
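    The strict and loose forwarding decisions described above, together with the create-time inheritance rules in these guidelines, modelled as an added Python illustration. This is not Juniper's code or the JunosE implementation; the Packet and interface types, the IP-to-MAC table structure, and the arp_entry field are assumptions made for the example, and the sample addresses are taken from the show output below.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dhcp_request: bool = False   # DHCP discover/request from a client

@dataclass
class PrimaryInterface:
    """Static primary IP interface; mode is None (disabled), 'loose' or 'strict'."""
    name: str
    mode: Optional[str] = "loose"                         # loose is the default
    table: Dict[str, str] = field(default_factory=dict)   # IP -> MAC pairs (assumed layout)

@dataclass
class DynamicInterface:
    name: str
    mode: Optional[str]                        # validation state snapshotted at creation
    table: Dict[str, str]
    arp_entry: Optional[Tuple[str, str, str]]  # static ARP entry (ip, mac, ifname) or None

def create_dynamic_interface(parent: PrimaryInterface, name: str,
                             src_ip: str, src_mac: str) -> DynamicInterface:
    """Inherit the parent's validation state once, at creation time only."""
    if parent.mode is None:
        return DynamicInterface(name, None, {}, None)
    # Validation enabled on the parent (loose or strict): install the client's
    # IP-MAC pair in the validation table and a static entry in the ARP table.
    return DynamicInterface(name, parent.mode, {src_ip: src_mac}, (src_ip, src_mac, name))

def validate(mode: Optional[str], table: Dict[str, str], pkt: Packet) -> bool:
    """Return True when the packet is forwarded, False when it is dropped."""
    if mode is None or pkt.dhcp_request:
        return True                          # validation off, or DHCP discover/request
    expected_mac = table.get(pkt.src_ip)
    if expected_mac is None:
        return mode == "loose"               # unknown source IP: loose forwards, strict drops
    return expected_mac == pkt.src_mac       # known source IP: MAC must match in both modes

if __name__ == "__main__":
    # Constructed sample: a strict parent and one subscriber created from it.
    primary = PrimaryInterface("ip-primary", "strict")
    sub = create_dynamic_interface(primary, "ip74.39.64.3", "74.39.64.3", "0090.1a40.f4f6")
    print(sub.mode, validate(sub.mode, sub.table, Packet("74.39.64.3", "0000.0000.0001")))
    primary.mode = "loose"                   # later change does not affect sub
    print(sub.mode)
```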

    Verification of MAC Address Validation State Inheritance

    To verify inheritance of the MAC address validation state on a dynamic subscriber interface, you can use the show ip mac-validate interface command and the show arp command.

    The following sample output from the show ip mac-validate interface command displays the MAC address validation state (strict) inherited by the dynamic subscriber interface ip74.39.64.3 from its parent static primary IP interface.

    host1#show ip mac-validate interface ip74.39.64.3
    ip74.39.64.3:  Strict
            Address       Hardware Addr
            74.39.64.3    0090.1a40.f4f6

    Building on this example, the following sample output from the show arp command displays a static MAC address validation entry (74.39.64.3) in the ARP table for the dynamic subscriber interface when it is created with the MAC address validation state inherited from its parent static primary IP interface. The asterisk (*) indicates that the ARP entry was added as the result of issuing an arp validate command rather than an arp command.

    host1#show arp
            Address         Age         Hardware Addr    Interface
         10.13.10.1       21600        0090.6939.751b    FastEthernet6/0
         74.39.64.3         -          0090.1a40.f4f6    ip74.39.64.3 *
        192.168.1.2       20700        0090.1a40.280d    FastEthernet8/2

    Published: 2014-08-20