1 — ONT and MDU overview
Alcatel-Lucent 7302 ISAM | 7330 ISAM FTTN | 7360 ISAM FX ONT R04.06.02 November 2013 1-29
3FE 55873 AAAA TCZZA Edition 01
ONT Product Information Guide
During re-authentication, traffic to and from the user is not interrupted. The port
forwards bidirectional traffic until re-authentication is completed. If
re-authentication fails, the port is changed to unauthorized state.
An EAP Request Identity message is sent to the port when the re-authentication timer
expires.
1.10 Anti-spoofing mechanism
The system supports two features to protect against spoofing:
• gratuitous ARP discard
• source address anti-spoofing
Gratuitous ARP discard
A gratuitous ARP request is an ARP packet where the sender IP address and the
target IP address are the same. Attackers can use gratuitous ARP requests to corrupt
the ARP cache of a router by sending out a gratuitous ARP request that claims to be
the default router.
The system supports a discard mechanism that filters incoming traffic for gratuitous
ARP requests. When gratuitous ARP discard is enabled, incoming gratuitous ARP
requests are discarded.
Gratuitous ARP discard is implemented on a per ONT UNI port basis using TL1. See
the appropriate P-OLT TL1 documentation.
Source address anti-spoofing
Source address spoofing is an attempt to gain entry to a system by posing as a trusted
source. Although the packet cannot be routed back to the initial source, source
address spoofing can lead to unnecessary network congestion and to possible denial
of service.
To block unauthorized traffic, the system supports an anti-spoofing mechanism that
limits source address spoofing. Upstream traffic arriving at the ONT is validated for
source address. Authorized packets are forwarded and non-validated packets are
discarded, as shown in Figure 1-3.
Note — Gratuitous ARP discard only applies for residential bridge
VLANs; in VLAN cross-connect mode, gratuitous ARP requests are
always forwarded.
To Next Page
Loading...
