How MAC Address Validation State Inheritance Works

To enable MAC address validation for the static primary IP interface, you must use the existing ip mac-validate command with either the strict keyword or the loose keyword. The strict keyword prevents transmission of IP packets that do not have entries in the MAC validation table. The loose keyword, which is the default setting, enables IP packets to pass through even when the packets do not have entries in the MAC validation table; only packets that have matching IP-MAC pair entries in the table are validated.

When a dynamic IP subscriber interface is created with the MAC address validation state inherited from the static primary IP interface, an entry for the MAC source address is installed in the MAC validation table when MAC address validation is enabled (either loose or strict) on the static primary IP interface. For each packet received on this interface, the router compares the packet’s MAC source address to the value in the MAC validation table. If these values match, the router forwards the packet; otherwise, the packet is discarded.

In addition, creation of the dynamic IP subscriber interface adds a static MAC address validation entry in the router’s Address Resolution Protocol (ARP) table. This occurs regardless of whether you configure MAC address validation on the static primary IP interface with the ip mac-validate strict command or the ip mac-validate loose command.

Configuration of MAC Address Validation State Inheritance

No special configuration is required to enable inheritance of the MAC address validation state on dynamic IP subscriber interfaces; this occurs automatically provided that MAC address validation is properly enabled on the parent static primary IP interface with the ip mac-validate command. If MAC address validation is disabled on the static primary IP interface, the dynamic subscriber interface inherits the disabled state for MAC address validation.

Keep the following guidelines in mind for using dynamic IP subscriber interfaces that inherit the MAC address validation state from their parent static primary IP interface:

Verification of MAC Address Validation State Inheritance

To verify inheritance of the MAC address validation state on a dynamic subscriber interface, you can use the show ip mac-validate interface command and the show arp command.

The following sample output from the show ip mac-validate interface command displays the MAC address validation state (strict) inherited by the dynamic subscriber interface ip74.39.64.3 from its parent static primary IP interface.

host1#show ip mac-validate interface ip74.39.64.3
ip74.39.64.3:  Strict
        Address       Hardware Addr
        74.39.64.3    0090.1a40.f4f6

Building on this example, the following sample output from the show arp command displays a static MAC address validation entry (74.39.64.3) in the ARP table for the dynamic subscriber interface when it is created with the MAC address validation state inherited from its parent static primary IP interface. The asterisk (*) indicates that the ARP entry was added as the result of issuing an arp validate command rather than an arp command.

host1#show arp
        Address         Age         Hardware Addr    Interface
     10.13.10.1       21600        0090.6939.751b    FastEthernet6/0
     74.39.64.3         -          0090.1a40.f4f6    ip74.39.64.3 *
    192.168.1.2       20700        0090.1a40.280d    FastEthernet8/2
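
The two verification steps above can be cross-checked automatically. The following Python script is an added example, not part of the original documentation or of the router software: it parses captured output of both commands and reports whether the interface shows the expected state and whether each validated IP-MAC pair has a matching asterisk-flagged ARP entry. The function names are hypothetical, and the parsing assumes the column layout shown in the sample output above.

```python
import re

# Sample output copied from the two verification commands shown on this page.
MAC_VALIDATE_OUTPUT = """\
ip74.39.64.3:  Strict
        Address       Hardware Addr
        74.39.64.3    0090.1a40.f4f6
"""

ARP_OUTPUT = """\
        Address         Age         Hardware Addr    Interface
     10.13.10.1       21600        0090.6939.751b    FastEthernet6/0
     74.39.64.3         -          0090.1a40.f4f6    ip74.39.64.3 *
    192.168.1.2       20700        0090.1a40.280d    FastEthernet8/2
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}"

def parse_mac_validate(text):
    """Return (interface, state, {ip: mac}) from 'show ip mac-validate interface'."""
    head = re.search(r"^(\S+):\s+(\w+)\s*$", text, re.M)
    if not head:
        raise ValueError("no '<interface>:  <state>' line found")
    pairs = {ip: mac.lower() for ip, mac in re.findall(rf"^\s*({IP})\s+({MAC})\s*$", text, re.M)}
    return head.group(1), head.group(2).lower(), pairs

def parse_arp(text):
    """Return ARP rows as dicts; 'validate' is True for rows flagged with '*'."""
    row = re.compile(rf"^\s*({IP})\s+(\S+)\s+({MAC})\s+(\S+)(\s+\*)?\s*$", re.M)
    return [{"ip": m[1], "age": m[2], "mac": m[3].lower(), "interface": m[4],
             "validate": bool(m[5])} for m in row.finditer(text)]

def check_inheritance(mac_validate_text, arp_text, expected_state):
    """List the problems found; an empty list means both outputs agree."""
    interface, state, pairs = parse_mac_validate(mac_validate_text)
    problems = []
    if state != expected_state.lower():
        problems.append(f"{interface}: state is {state}, expected {expected_state}")
    starred = {(r["ip"], r["interface"]): r for r in parse_arp(arp_text) if r["validate"]}
    for ip, mac in pairs.items():
        entry = starred.get((ip, interface))
        if entry is None:
            problems.append(f"{interface}: no validation (*) ARP entry for {ip}")
        elif entry["mac"] != mac:
            problems.append(f"{interface}: ARP has {entry['mac']} for {ip}, table has {mac}")
    return problems
```

Calling check_inheritance(MAC_VALIDATE_OUTPUT, ARP_OUTPUT, "strict") on the sample output returns an empty list; passing the state configured on the parent static primary IP interface as expected_state flags a subscriber interface that did not inherit it.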
