TE FRR Optimized Mode
The Traffic Engineering Fast Reroute (TE FRR) Optimized Mode is similar to the Bandwidth Optimized
Mode, except for the flooding behavior with respect to any TE FRR pseudowires attached to the bridge domain.
In TE FRR Optimized Mode, traffic is flooded to both the primary and backup FRR interfaces. This mode is
used to minimize traffic loss during an FRR failover, thus ensuring that the bridge traffic complies with the
FRR recovery time constraints.
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a method of providing protection against address resolution protocol (ARP)
spoofing attacks. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This
capability protects the network from certain man-in-the-middle attacks. The DAI feature is disabled by default.
ARP enables IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address. Spoofing attacks occur because ARP allows a response from a host even when an ARP request is
not actually received. After an attack occurs, all traffic, from the device under attack, first flows through the
attacker's system, and then to the router, switch, or the host. An ARP spoofing attack affects the devices
connected to your Layer 2 network by sending false information to the ARP caches of the devices connected
to the subnet. The sending of false information to an ARP cache is known as ARP cache poisoning.
The Dynamic ARP Inspection feature ensures that only valid ARP requests and responses are relayed. There
are two types of ARP inspection:
• Mandatory inspection—The sender’s MAC address, IPv4 address, receiving bridge port XID and bridge
are checked.
• Optional inspection—The following items are validated:
• Source MAC: The sender’s and source MACs are checked. The check is performed on all ARP or
RARP packets.
• Destination MAC: The target and destination MACs are checked. The check is performed on all
Reply or Reply Reverse packets.
• IPv4 Address: For ARP requests, a check is performed to verify if the sender’s IPv4 address is
0.0.0.0, a multicast address or a broadcast address. For ARP Reply and ARP Reply Reverse, a check
is performed to verify if the target IPv4 address is 0.0.0.0, a multicast address or a broadcast address.
This check is performed on Request, Reply and Reply Reverse packets.
The DAI feature is supported on attachment circuits and EFPs. Currently, the DAI feature is not supported
on pseudowires.
Note
IP Source Guard
IP source guard (IPSG) is a security feature that filters traffic based on the DHCP snooping binding database
and on manually configured IP source bindings in order to restrict IP traffic on non-routed Layer 2 interfaces.
The IPSG feature provides source IP address filtering on a Layer 2 port, to prevent a malicious hosts from
manipulating a legitimate host by assuming the legitimate host's IP address. This feature uses dynamic DHCP
snooping and static IP source binding to match IP addresses to hosts.
L2VPN and Ethernet Services Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 6.3.x
205
Implementing Multipoint Layer 2 Services
Bridge Domain
To Next Page
Loading...
Need help?
General
