Page 426 7750 SR OS Services Guide
MAC Learning Protection
In a Layer 2 environment, subscribers connected to SAPs A, B and C can launch a denial of service attack by sending packets whose source MAC address is the gateway MAC address. This moves the learned gateway MAC from the uplink SDP/SAP to the subscriber's SAP, disrupting all communication to the gateway. If local content is attached to the same VPLS (D), a similar attack can be launched against it. Communication between subscribers must also be disallowed, but split-horizon alone is not sufficient in the topology depicted in Figure 61.
Figure 61: MAC Learning Protection
7750 SRs provide a MAC learning protection capability for SAPs and SDPs. With this mechanism, special forwarding and learning rules apply to the non-protected SAPs and SDPs. Assume hosts H1, H2 and H3 (Figure 61) are non-protected while IES interfaces G and H are protected. When a frame arrives at a protected SAP/SDP, its source MAC is learned as usual. When a frame arrives from a non-protected SAP or SDP and its source MAC address is a protected MAC, the frame is dropped and the MAC address is not relearned, so the protected MAC stays bound to the protected SAP/SDP. From a non-protected SAP or SDP, the system forwards only packets whose destination is a protected MAC address.
Protected MACs can be configured statically, in which case the addresses of all protected MACs are configured explicitly. Alternatively, only the IP address is configured and a dynamic mechanism (cpe-ping) is used to resolve the MAC address. All protected MACs in all VPLS instances in the network must be configured.
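The following is an added model of the learning and forwarding rules described above; it is not SR OS code. The Frame and Vpls classes, port names (IES-G, SAP-A1) and MAC addresses are constructed for illustration, and broadcast/unknown-destination handling, which the text does not describe, is not modelled.

```python
from dataclasses import dataclass, field

GATEWAY_MAC = "00:00:5e:00:01:01"   # constructed: gateway MAC reached via IES interface G
CONTENT_MAC = "00:00:5e:00:01:02"   # constructed: MAC of local content D


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress: str            # name of the SAP or SDP the frame arrived on


@dataclass
class Vpls:
    protected_ports: set                        # SAPs/SDPs on the protected side (IES G, H)
    protected_macs: set                         # statically configured protected MACs
    fdb: dict = field(default_factory=dict)     # learned MAC -> port

    def process(self, f: Frame) -> str:
        """Apply the MAC learning protection rules to one frame; return the action."""
        if f.ingress in self.protected_ports:
            # Frames from a protected SAP/SDP are learned and forwarded as usual.
            self.fdb[f.src_mac] = f.ingress
            return "forward"
        if f.src_mac in self.protected_macs:
            # Protected source MAC seen on a non-protected SAP/SDP: drop and do not
            # relearn, so the gateway MAC stays bound to the uplink.
            return "drop"
        self.fdb[f.src_mac] = f.ingress         # subscriber MACs are learned normally
        if f.dst_mac in self.protected_macs:
            return "forward"                    # only protected destinations are allowed
        return "drop"                           # subscriber-to-subscriber traffic is blocked


def run_scenario():
    """Replay the Figure 61 scenario: spoofed gateway MAC from a subscriber SAP."""
    v = Vpls(protected_ports={"IES-G"}, protected_macs={GATEWAY_MAC, CONTENT_MAC})
    h1, h2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"     # constructed host MACs
    frames = [
        Frame(GATEWAY_MAC, h1, "IES-G"),    # gateway traffic: GW learned on IES-G
        Frame(GATEWAY_MAC, h1, "SAP-A1"),   # subscriber sources the gateway MAC: dropped
        Frame(h1, GATEWAY_MAC, "SAP-A1"),   # subscriber to gateway: forwarded
        Frame(h1, h2, "SAP-A1"),            # subscriber to subscriber: dropped
    ]
    actions = [v.process(f) for f in frames]
    return actions, v.fdb
```

After the run, the gateway MAC is still bound to IES-G in the FDB and the spoofed frame was dropped rather than moving the entry to SAP-A1.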
[Figure 61 diagram (OSSG189): two VPLS instances with subscriber SAPs A1, A2, A3 and B1, B2, B3 serving hosts H1, H2, H3; local content D attached to the first VPLS; IES interfaces G and H on the protected side.]