Trusted Addresses
A trusted address tuple comprises a 32-bit IP address and a 48-bit MAC address. Prefixes
and ranges are not supported.
The IP source address and the MAC source address used for validation must be from a
trusted source.
All static ARP addresses configured through the Junos OS CLI are trusted addresses;
dynamic ARP addresses are not considered trusted addresses.
Addresses dynamically created through an extended DHCP local server are also trusted
addresses. When a DHCP server and client negotiate an IP address, the resulting IP
address and MAC address tuple is trusted. Each DHCP subscriber can generate more
than one address tuple.
Each MAC address can have more than one IP address, which can result in more than
one valid tuple. Each IP address must map to one MAC address.
Types of IP and MAC Address Validation
You can configure either of two types or modes of MAC address validation—loose or
strict. The behavior of the two modes varies depending on how well the incoming packets
match the trusted address tuples. The modes differ only when the IP source address
alone does not match any trusted IP address. Table 62 compares the behavior
of the two modes. Dropped packets are considered to be spoofed.
Table 62: Comparison of MAC Address Validation Modes
| Incoming Packet Addresses Match Trusted Address Tuple | Loose Mode Action | Strict Mode Action |
|---|---|---|
| IP source address matches and MAC source address matches | Forwards packet | Forwards packet |
| IP source address matches but MAC source address does not match | Drops packet | Drops packet |
| IP source address does not match and MAC source address either matches or does not match | Forwards packet | Drops packet |
Configuring strict mode is a more conservative strategy because it requires both received
source addresses to match trusted addresses.
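The following Python model of the Table 62 decision logic is an added example, not Junos OS code or part of the original guide. The class and function names are hypothetical, and the addresses are constructed samples from documentation ranges.

```python
import ipaddress

def norm_mac(text):
    """Return a MAC as 12 lowercase hex digits; reject anything that is not 48 bits."""
    digits = "".join(c for c in text.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits

class TrustedTuples:
    """Trusted (IP, MAC) tuples, e.g. from static ARP entries or DHCP bindings."""

    def __init__(self):
        self.by_ip = {}  # IPv4Address -> normalized MAC

    def add(self, ip, mac):
        # IPv4Address() rejects prefixes such as "192.0.2.0/24": host tuples only.
        addr, mac = ipaddress.IPv4Address(ip), norm_mac(mac)
        # One MAC may own several IPs, but each IP maps to exactly one MAC.
        if self.by_ip.get(addr, mac) != mac:
            raise ValueError(f"{addr} is already bound to a different MAC")
        self.by_ip[addr] = mac

    def validate(self, src_ip, src_mac, mode):
        """Return "forward" or "drop" for one packet, following Table 62."""
        if mode not in ("loose", "strict"):
            raise ValueError(f"unknown mode: {mode!r}")
        trusted_mac = self.by_ip.get(ipaddress.IPv4Address(src_ip))
        if trusted_mac is None:
            # Source IP matches no tuple: the only case where the modes differ.
            return "forward" if mode == "loose" else "drop"
        # Source IP is trusted, so the MAC must match in both modes.
        return "forward" if trusted_mac == norm_mac(src_mac) else "drop"

def demo():
    """Run constructed sample packets through both modes."""
    table = TrustedTuples()
    table.add("192.0.2.10", "00:00:5e:00:53:0a")
    table.add("192.0.2.11", "00:00:5e:00:53:0a")  # second IP on the same MAC
    packets = [
        ("192.0.2.10", "00:00:5e:00:53:0a"),  # both match
        ("192.0.2.11", "00:00:5e:00:53:ff"),  # trusted IP, wrong MAC
        ("192.0.2.99", "00:00:5e:00:53:0a"),  # untrusted IP, trusted MAC
    ]
    return [(ip, mac, table.validate(ip, mac, "loose"), table.validate(ip, mac, "strict"))
            for ip, mac in packets]

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The third sample packet is the case that separates the modes: a source IP with no trusted tuple is forwarded in loose mode regardless of its MAC, and dropped in strict mode.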
Related Documentation
• Configuring IP and MAC Address Validation for Static Interfaces
• mac-validate

Copyright © 2017, Juniper Networks, Inc.
ACX Series Universal Access Router Configuration Guide