IP and MAC Address Validation in ACX Series
IP and MAC address validation enables the ACX Series router to validate that received packets contain a trusted IP source and an Ethernet MAC source address.
Configuring IP and MAC address validation can provide additional validation when subscribers access billable services. MAC address validation provides additional security by enabling the router to drop packets that do not match, such as packets with spoofed addresses.
When subscribers log in, they are automatically assigned IP addresses by DHCP. With IP and MAC address validation enabled, the router compares the IP source and MAC source addresses against trusted addresses, and forwards or drops the packets according to the match and the validation mode.
IP and MAC address validation on ACX Series routers supports Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces (with or without VLAN tagging).
Note: In ACX Series routers, IP and MAC address validation is implemented using ternary content addressable memory (TCAM) space. The TCAM space allocated for MAC address validation is shared with the logical interface-level fixed classifier feature. From a scaling perspective, the allocated 192 hardware TCAM entries are shared by these features and are allocated on a first-come, first-served basis. If both features are enabled on the same logical interface, the IP source and MAC source validation feature takes precedence over the logical interface-level fixed classifier. On different logical interfaces the two features work independently without any limitation.
A trusted address tuple comprises a 32-bit IP address and a 48-bit MAC address. Prefixes and ranges are not supported.
The IP source address and the MAC source address used for validation must be from a trusted source.
All static ARP addresses configured through the Junos OS CLI are trusted addresses; dynamic ARP addresses are not considered trusted addresses.
Addresses dynamically created through an extended DHCP local server are also trusted addresses. When a DHCP server and client negotiate an IP address, the resulting IP address and MAC address tuple is trusted. Each DHCP subscriber can generate more than one address tuple.
Each MAC address can have more than one IP address, which can result in more than one valid tuple. Each IP address must map to one MAC address.
Types of IP and MAC Address Validation
You can configure either of two types or modes of MAC address validation—loose or strict. The behavior of the two modes varies depending on how well the incoming packets match the trusted address tuples. The modes differ only when the IP source address alone does not match any trusted IP address. Table 1 compares the behavior of the two modes. Dropped packets are considered to be spoofed.
Table 1: Comparison of MAC Address Validation Modes
Columns: Incoming Packet Addresses Match Trusted Address Tuple | Loose Mode Action | Strict Mode Action
Configuring strict mode is a more conservative strategy because it requires both received source addresses to match trusted addresses.
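As an added illustration (not Juniper's code), the following Python models the trusted-tuple table and the loose/strict decision described above: a 192-entry pool filled first come, first served, one MAC per IP with several IPs per MAC allowed, and a check that differs between the modes only when the source IP matches no trusted IP. The addresses are constructed; that loose mode forwards a packet whose source IP is unknown, while a wrong MAC for a trusted IP is dropped in both modes, is taken from the text's statement that strict mode alone requires both addresses to match.

```python
from dataclasses import dataclass, field
from enum import Enum

TCAM_ENTRIES = 192  # hardware pool stated on the page, allocated first come, first served

class Mode(Enum):
    LOOSE = "loose"
    STRICT = "strict"

@dataclass
class TrustedTable:
    """Trusted (IP, MAC) tuples for one logical interface; each IP maps to one MAC."""
    ip_to_mac: dict = field(default_factory=dict)

    def add(self, ip: str, mac: str) -> bool:
        """Install a tuple from static ARP or a DHCP binding. Rejects an IP already
        bound to a different MAC, and any new tuple once the TCAM pool is full."""
        mac = mac.lower()
        if ip in self.ip_to_mac:
            return self.ip_to_mac[ip] == mac
        if len(self.ip_to_mac) >= TCAM_ENTRIES:
            return False
        self.ip_to_mac[ip] = mac  # a MAC may appear in several tuples
        return True

    def validate(self, src_ip: str, src_mac: str, mode: Mode) -> str:
        """Return 'forward' or 'drop' for a received packet's source tuple."""
        trusted_mac = self.ip_to_mac.get(src_ip)
        if trusted_mac is None:
            # Source IP matches no trusted IP: the only case where the modes differ.
            # Strict needs both addresses trusted, so it drops; loose forwards.
            return "forward" if mode is Mode.LOOSE else "drop"
        # Source IP is trusted: the MAC bound to it must match in both modes,
        # otherwise the packet is treated as spoofed and dropped.
        return "forward" if trusted_mac == src_mac.lower() else "drop"

def demo() -> dict:
    """Constructed bindings and packets exercising each branch."""
    t = TrustedTable()
    t.add("10.0.0.5", "00:11:22:33:44:55")
    t.add("10.0.0.6", "00:11:22:33:44:55")           # same MAC, second IP: allowed
    rebind = t.add("10.0.0.5", "aa:bb:cc:dd:ee:ff")  # IP already bound: rejected
    return {
        "rebind": rebind,
        "match": t.validate("10.0.0.5", "00:11:22:33:44:55", Mode.STRICT),
        "spoofed_mac": t.validate("10.0.0.5", "aa:bb:cc:dd:ee:ff", Mode.LOOSE),
        "unknown_ip_loose": t.validate("10.0.0.9", "00:11:22:33:44:55", Mode.LOOSE),
        "unknown_ip_strict": t.validate("10.0.0.9", "00:11:22:33:44:55", Mode.STRICT),
    }
```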
Ethernet IEEE 802.3 Frame Format / Structure
A summary of the Ethernet, IEEE 802.3, data frame format or structure and how Ethernet data frames are sent.
Ethernet, IEEE 802.3 defines the frame formats or frame structures that are developed within the MAC layer of the protocol stack.
Essentially the same frame structure is used for the different variants of Ethernet, although there are some changes to the frame structure to extend the performance of the system should this be needed. With the high speeds and variety of media used, this basic format sometimes needs to be adapted to meet the individual requirements of the transmission system, but this is still specified within the amendment / update for that given Ethernet variant.
10 / 100 Mbps Ethernet MAC data frame format
The basic MAC data frame format for Ethernet, IEEE 802.3 used within the 10 and 100 Mbps systems is given below:
Basic Ethernet MAC Data Frame Format
The basic frame consists of seven elements split between three main areas:
- Preamble (PRE) - This is seven bytes long and it consists of a pattern of alternating ones and zeros, and this informs the receiving stations that a frame is starting as well as enabling synchronisation. (10 Mbps Ethernet)
- Start Of Frame delimiter (SOF) - This consists of one byte and contains an alternating pattern of ones and zeros but ending in two ones.
- Destination Address (DA) - This field contains the address of the station for which the data is intended. The left-most bit indicates whether the destination is an individual address or a group address: a zero denotes an individual address, while a one indicates a group address. The next bit of the DA indicates whether the address is globally administered or local: the bit is a zero if the address is globally administered and a one if it is locally administered. The remaining 46 bits are used for the destination address itself.
- Source Address (SA) - The source address consists of six bytes, and it is used to identify the sending station. As it is always an individual address the left most bit is always a zero.
- Length / Type - This field is two bytes in length. It provides MAC information and indicates the number of client data bytes that are contained in the data field of the frame. It may also indicate the frame ID type if the frame is assembled using an optional format (IEEE 802.3 only).
- Data - This block contains the payload data and it may be up to 1500 bytes long. If the length of the field is less than 46 bytes, then padding data is added to bring its length up to the required minimum of 46 bytes.
- Frame Check Sequence (FCS) - This field is four bytes long. It contains a 32 bit Cyclic Redundancy Check (CRC) which is generated over the DA, SA, Length / Type and Data fields.
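As an added example (not from the page's author), a Python builder and parser for the IEEE 802.3 MAC frame described above: it pads short data to 46 bytes, computes the FCS as a CRC-32 over DA, SA, Length/Type and Data, and decodes the individual/group and global/local bits and the 24-bit OUI of the source address. The sample frame and addresses are constructed; the Length/Type split at 0x0600 and the little-endian FCS byte order follow the IEEE 802.3 standard rather than anything stated on this page.

```python
import struct
import zlib

MIN_PAYLOAD = 46    # shorter payloads are padded up to this
MAX_PAYLOAD = 1500  # Length/Type values up to this are a length; 0x0600 and above are a type

def build_frame(dst: bytes, src: bytes, ltype: int, payload: bytes) -> bytes:
    """Assemble DA | SA | Length/Type | Data (+pad) | FCS; preamble and SFD
    are added on the wire and are not part of the MAC frame here."""
    if len(dst) != 6 or len(src) != 6 or len(payload) > MAX_PAYLOAD:
        raise ValueError("bad address length or payload over 1500 bytes")
    body = dst + src + struct.pack("!H", ltype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    # FCS: CRC-32 over DA, SA, Length/Type and Data, sent least-significant byte first
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(frame: bytes) -> dict:
    """Verify the FCS and decode the address bits and Length/Type field."""
    if len(frame) < 6 + 6 + 2 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    dst, src = body[:6], body[6:12]
    ltype = struct.unpack("!H", body[12:14])[0]
    # Octets are transmitted low-order bit first, so the "left-most" I/G and U/L
    # bits described in the text are bit 0 and bit 1 of the first address octet.
    return {
        "fcs_ok": fcs == zlib.crc32(body),
        "dst_group": bool(dst[0] & 0x01),     # 1 = group/multicast, 0 = individual
        "dst_local": bool(dst[0] & 0x02),     # 1 = locally administered
        "src_individual": not (src[0] & 0x01),
        "src_local": bool(src[0] & 0x02),
        "src_oui": src[:3].hex(":"),          # manufacturer ID, first 24 bits
        "is_length": ltype <= MAX_PAYLOAD,
        "length_type": ltype,
        "data": body[14:],
    }

def demo() -> dict:
    """Constructed frame: broadcast DA, vendor-assigned SA, IPv4 EtherType."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    frame = build_frame(dst, src, 0x0800, b"constructed payload")
    tampered = bytearray(frame)
    tampered[6] ^= 0x02  # flip the SA's U/L bit without recomputing the FCS
    return {"frame_len": len(frame), "good": parse_frame(frame), "bad": parse_frame(bytes(tampered))}
```

The tampered copy shows why the FCS alone is no protection against address spoofing: a sender that rewrites the SA simply recomputes the CRC, so a receiver must check the source tuple against trusted bindings as the ACX section describes.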
1000 Mbps Ethernet MAC data frame format
The basic MAC data frame format for Ethernet is modified slightly for 1GE, IEEE 802.3z systems. When using the 1000Base-X standard, there is a minimum frame size of 416 bytes, and for 1000Base-T there is a minimum frame size of 520 bytes. To accommodate this, an extension is added as appropriate. This is a non-data variable extension field added to any frames that are shorter than the minimum required length.
The Ethernet access method involves the use of CSMA/CD, and it was developed to enable several stations to share the same transport medium without the need for switching, network controllers or assigned time slots. Each station is able to determine when it is able to transmit and the network is self-organising.
The CSMA/CD protocol used for Ethernet and a variety of other applications falls into three categories. The first is Carrier Sense. Here each station listens on the network for traffic and it can detect when the network is quiet. The second is the Multiple Access aspect where the stations are able to determine for themselves whether they should transmit. The final element is the Collision Detect element. Even though stations may find the network free, it is still possible that two stations will start to transmit at virtually the same time. If this happens then the two sets of data being transmitted will collide. If this occurs then the stations can detect this and they will stop transmitting. They then back off a random amount of time before attempting a retransmission. The random delay is important as it prevents the two stations starting to transmit together a second time.
Note: According to section 3.3 of the IEEE 802.3 standard, each octet of the Ethernet frame, with the exception of the FCS, is transmitted low-order bit first.
Another option that is allowed by the Ethernet MAC is full duplex with transmission in both directions. This is only allowable on point-to-point links, and it is much simpler to implement than using the CSMA/CD approach as well as providing much higher transmission throughput rates when the network is being used. Not only is there no need to schedule transmissions when no other transmissions are underway, as there are only two stations in the link, but by using a full duplex link, full rate transmissions can be undertaken in both directions, thereby doubling the effective bandwidth.
Every Ethernet network interface card (NIC) is given a unique identifier called a MAC address. This is assigned by the manufacturer of the card and each manufacturer that complies with IEEE standards can apply to the IEEE Registration Authority for a range of numbers for use in its products.
The MAC address comprises a 48-bit number. Within the number the first 24 bits identify the manufacturer; this part is known as the manufacturer ID or Organizational Unique Identifier (OUI) and is assigned by the registration authority. The second half of the address is assigned by the manufacturer and is known as the extension or board ID.
The MAC address is usually programmed into the hardware so that it cannot be changed. Because the MAC address is assigned to the NIC, it moves with the computer. Even if the interface card moves to another location across the world, the user can be reached because the message is sent to the particular MAC address.