 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
To enable MAC address validation for the static primary IP interface, you must use the existing ip mac-validate command with either the strict keyword or the loose keyword. The strict keyword prevents transmission of IP packets that do not reside in the MAC validation table. The loose keyword, which is the default setting, enables IP packets to pass through even when the packets do not have entries in the MAC validation table; only packets that have matching IP-MAC pair entries in the table are validated.
When a dynamic IP subscriber interface is created with the MAC address validation state inherited from the static primary IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface, the router compares the packet’s MAC source address to the value in the MAC validation table. If these values match, the router forwards the packet; otherwise, the packet is discarded.
In addition, creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router’s Address Resolution Protocol (ARP) table. This occurs regardless of whether you configure MAC address validation on the static primary IP interface with the ip mac-validate strict command or the ip mac-validate loose command.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |