4 — ONT software and security features
Alcatel-Lucent 7342 ISAM FTTU ONT R04.05.06 July 2008 4-11
3FE 51892 AAAA TCZZA Edition 01 ONT Product Information Manual
Source address anti-spoofing is implemented in either static or dynamic mode.
• Static mode enables the table of authorized source addresses to be provisioned
  statically by an operator for one of the following anti-spoofing control types:
    • MAC-only
    • IP-only
    • MAC and IP
• Dynamic mode enables the table of authorized source addresses to be provisioned
  both statically by an operator and dynamically through DHCP, and supports the
  anti-spoofing control type IP-only.
Source address anti-spoofing filters are applied as follows:
• For IP-only anti-spoofing, packets that match a configured source address are
  forwarded, and non-matching packets are dropped.
• For MAC and IP anti-spoofing, packets that match a configured pair of MAC
  source address and IP source address are forwarded, and non-matching packets
  are dropped.
• MAC-only anti-spoofing can be implemented in one of two modes:
    • Inclusive mode forwards packets that match a configured MAC source address, and
      drops non-matching packets.
    • Exclusive mode forwards packets that do not match a configured MAC source
      address, and drops matching packets.
      Exclusive mode is used when you want to protect the 7342 ISAM FTTU against
      virus-infected computers that send traffic using the MAC address of the default
      router, which is in the computer’s ARP cache table.
Not all anti-spoofing control types apply to all traffic. Table 4-1 identifies the
anti-spoofing control types and any traffic exemptions by source address
anti-spoofing mode.
Table 4-1 Anti-spoofing control types and traffic exemptions

Source address anti-spoofing mode | Anti-spoofing control type | Traffic exemptions
Static | MAC-only anti-spoofing | Is applied to all data traffic
Static | IP-only anti-spoofing | Is not applied to non-IP traffic, such as PPPoE, ARP, EAPOL, EAP. Is not applied to DHCP packets to allow a subscriber to obtain a DHCP lease.
Static | MAC and IP anti-spoofing |
Dynamic | IP-only anti-spoofing |

The anti-spoofing control type limits the number of authorized source address
entries.
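
The forward/drop decisions described above, including the IP-only exemptions listed in Table 4-1, can be modelled as follows. This is an added illustration, not Alcatel-Lucent code: the Frame fields, the forward() function, the sample addresses, the IPv4-only handling, and recognising DHCP by UDP destination port 67 are assumptions, and no exemptions are modelled for MAC and IP anti-spoofing because this page lists none.

```python
from dataclasses import dataclass
from typing import Optional

ETH_IPV4 = 0x0800      # any other EtherType (PPPoE, ARP, EAPOL) is non-IP here
ETH_ARP = 0x0806
DHCP_SERVER_PORT = 67  # assumption: DHCP recognised by UDP destination port

# Constructed sample addresses (documentation ranges), not from the manual.
ROUTER_MAC = "00:00:5e:00:53:01"
SUB_MAC = "00:00:5e:00:53:10"
SUB_IP = "192.0.2.10"

@dataclass(frozen=True)
class Frame:
    """Simplified view of an upstream subscriber frame (hypothetical model)."""
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    udp_dport: Optional[int] = None

def forward(frame: Frame, control: str, table: set, exclusive: bool = False) -> bool:
    """Return True to forward the frame, False to drop it.

    control is 'mac', 'ip' or 'mac+ip'; table holds the authorized entries
    (MAC strings, IP strings, or (MAC, IP) tuples respectively).
    """
    if control == "mac":
        listed = frame.src_mac in table
        # Inclusive: forward listed MACs. Exclusive: drop listed MACs.
        return not listed if exclusive else listed
    if control == "ip":
        if frame.ethertype != ETH_IPV4:
            return True   # exemption: non-IP traffic is not filtered
        if frame.udp_dport == DHCP_SERVER_PORT:
            return True   # exemption: DHCP must pass so a lease can be obtained
        return frame.src_ip in table
    if control == "mac+ip":
        # The MAC and IP must match as a configured pair, not independently.
        return (frame.src_mac, frame.src_ip) in table
    raise ValueError(f"unknown control type: {control}")
```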