MAC Address Validation Overview

MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packet’s source IP address with its MAC address. If the MAC address and IP address match, the packet is forwarded; if it does not match, the packet is dropped.

Note: MAC address validation for bridged Ethernet interfaces is supported only on OC12 ATM line modules on ERX routers and on OC3/OC12 ATM IOAs on the E120 and E320 routers.

MAC address validation on the E Series router can be accomplished in two ways:

• You can statically configure it on a physical interface via the arp validate command
• You can enable Dynamic Host Configuration Protocol (DHCP) to perform the function independently and dynamically. See JunosE Link Layer Configuration Guide .

The arp validate command adds the IP-MAC address pair to the validation table maintained on the physical interface.

If the validation is added statically via the command-line interface (CLI), the IP address–MAC address pairs are stored in nonvolatile storage (NVS). The entries are used for MAC validation only if MAC validation is enabled on the interface via the ip mac-validate command.

Caution: When you configure an interface using the arp validate command, you cannot overwrite the ARP values that were added by DHCP.

You can enable or disable MAC address validation on a per interface basis by issuing the ip mac-validate command. See JunosE Physical Layer Configuration Guide or JunosE Link Layer Configuration Guide for information.

A dynamic IP subscriber interface inherits the MAC address validation state (enabled or disabled) configured for its parent static primary IP interface. See Configuring Subscriber Interfaces in the JunosE Broadband Access Configuration Guide for information.