Guidelines for Configuring Duplicate Protection for IWF PPPoE Sessions
Keep the following points in mind when you configure duplicate
protection for IWF PPPoE sessions:
- In most environments, there is a 1:1 relationship between the DSLAM
and the PPPoE access concentrator. In such situations, all
IWF sessions demultiplexed at any PPPoE access concentrator are required
to contain the same source MAC address. In deployments where IWF sessions
originate from multiple MAC addresses (because multiple DSLAMs are
used to demultiplex subscriber sessions) and no VLAN grouping of VLAN
IDs is configured, IWF sessions are not limited per source MAC address.
- If a user spoofs the IWF-Session VSA in a PPPoE PADR that
originates from the PPPoE client or access loop for a non-IWF session,
this user might be able to bypass the duplicate protection setting
configured on the router. The PPPoE access concentrator cannot detect
such spoofing when the interworking functionality is activated.
- Table 1 describes the different scenarios in which duplicate MAC addresses
are supported for IWF PPPoE sessions and non-IWF PPPoE sessions, when
duplicate protection configuration is enabled or disabled on a router.
Table 1: PPPoE Duplicate Protection Scenarios for IWF and non-IWF PPPoE Sessions

| Type of PPPoE Session | Duplicate Protection Enabled | Duplicate Protection Disabled |
|---|---|---|
| IWF PPPoE session (IWF-Session DSL VSA contained in the PADR packet) | Sessions with duplicate MAC addresses are processed until the maximum number of PPPoE sessions configured per major interface is reached. | Sessions with duplicate MAC addresses are processed. |
| Non-IWF PPPoE session (IWF-Session DSL VSA not contained in the PADR packet) | Sessions with duplicate MAC addresses are terminated and cannot access network resources. | Sessions with duplicate MAC addresses are processed. |
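
A monitoring-side check for the spoofing case described in the guidelines above, as an added example that is not from the original page or the vendor: it parses a PPPoE PADR for the Broadband Forum vendor-specific tag carrying the IWF-Session sub-option and flags frames whose source MAC is not a known DSLAM. Assumptions: untagged Ethernet framing, tag values taken from RFC 2516 and TR-101, and the hypothetical names `has_iwf_session`, `suspicious_padr`, `build_padr` and the `trusted_iwf_macs` allow-list.

```python
import struct

PPPOE_DISCOVERY = 0x8863      # EtherType for PPPoE discovery (RFC 2516)
CODE_PADR = 0x19              # PADR code (RFC 2516)
TAG_VENDOR_SPECIFIC = 0x0105  # Vendor-Specific tag (RFC 2516)
BBF_VENDOR_ID = 0x00000DE9    # ADSL/Broadband Forum enterprise number 3561
SUBOPT_IWF_SESSION = 0xFE     # IWF-Session sub-option, zero length (TR-101)

def has_iwf_session(frame: bytes) -> bool:
    """True if an untagged Ethernet frame is a PADR carrying IWF-Session."""
    if len(frame) < 20:  # 14-byte Ethernet header + 6-byte PPPoE header
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    _vt, code, _sid, length = struct.unpack_from("!BBHH", frame, 14)
    if ethertype != PPPOE_DISCOVERY or code != CODE_PADR:
        return False
    payload = frame[20:20 + length]
    pos = 0
    while pos + 4 <= len(payload):  # walk the PPPoE tag list
        tag, tlen = struct.unpack_from("!HH", payload, pos)
        value = payload[pos + 4:pos + 4 + tlen]
        pos += 4 + tlen
        if tag != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack_from("!I", value)[0] != BBF_VENDOR_ID:
            continue
        sub = 4
        while sub + 2 <= len(value):  # walk sub-options: code, length, data
            if value[sub] == SUBOPT_IWF_SESSION:
                return True
            sub += 2 + value[sub + 1]
    return False

def suspicious_padr(frame: bytes, trusted_iwf_macs: set) -> bool:
    """Flag IWF-tagged PADRs whose source MAC is not a known DSLAM IWF MAC."""
    return has_iwf_session(frame) and frame[6:12] not in trusted_iwf_macs

def build_padr(src_mac: bytes, iwf: bool) -> bytes:
    """Constructed sample frame for exercising the check (not captured traffic)."""
    tags = struct.pack("!HH", 0x0101, 0)  # empty Service-Name tag
    if iwf:
        body = struct.pack("!I", BBF_VENDOR_ID) + bytes([SUBOPT_IWF_SESSION, 0])
        tags += struct.pack("!HH", TAG_VENDOR_SPECIFIC, len(body)) + body
    hdr = struct.pack("!BBHH", 0x11, CODE_PADR, 0, len(tags))
    dst = b"\x02\x00\x00\x00\x00\x01"  # constructed access concentrator MAC
    return dst + src_mac + struct.pack("!H", PPPOE_DISCOVERY) + hdr + tags
```

In a 1:1 DSLAM-to-access-concentrator deployment the allow-list holds the single MAC address that all IWF sessions are expected to carry.
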
Published: 2012-06-26