
Setting the static MAC address

• If the same dynamic MAC address already exists for the service virtual port or upstream port, the system overwrites it. A static MAC address cannot be created if the same static MAC address already exists in the system.

• A static MAC address cannot be included in an existing MAC address pool. Before configuring a static MAC address to a MAC address pool, run the display mac-pool command to check whether the MAC address pool contains the static MAC address to be configured.

Module

Feature Description 9 Layer 2 Protocol Handling

• One upstream port that exists in different VLANs can be configured with the same static MAC address.

• The system supports only unicast MAC addresses, which cannot be the MAC address of the system.

• Either a static MAC address or a dynamic MAC address can be deleted.

9.3 1:1 VMAC

VMAC means virtual MAC address. In 1:1 VMAC, the device replaces a single user MAC address with a unique virtual MAC address. The user MAC address and the VMAC of the device are in a 1:1 mapping.

9.3.1 Introduction

Definition

VMAC is short for virtual MAC address. It means that the MA5600T/MA5603T replaces the source MAC address of a user terminal with a virtual MAC address. In 1:1 VMAC, the MA5600T/MA5603T replaces each user MAC address with a unique virtual MAC address.

Purpose

In the typical Layer 2 forwarding model, a device is identified by its MAC address. However, not all such devices are directly controlled by the operator, so their MAC addresses cannot always be trusted. Certain network devices have been used to solve the problem of MAC address conflict, but this addresses only part of the problem.

• The uniqueness of a MAC address can be ensured only at the network element (NE) level but not at the network level.

• An NE can detect a conflicting MAC address but cannot tell an authorized user from an unauthorized user.

VMAC comes up as an ideal solution. VMAC enables the operator to replace the MAC addresses of user devices with pre-defined (controllable) MAC addresses. Adopting VMAC enhances the Layer 2 forwarding model in two aspects:

• Security:

Replacing the MAC addresses of user devices with operator-defined MAC addresses ensures the uniqueness of MAC addresses in an entire network. This in turn avoids the problems arising from MAC address conflict.

• Measurability:

By ensuring the uniqueness of the MAC addresses of an entire network, the operator can connect multiple DSLAMs and edge routers by using the same VLAN. In this way, the operator can increase the number of devices sharing the same subnet and therefore improve the allocation efficiency of the IP address pool.

Benefit

Benefits to carriers

• Security is enhanced. Carriers can allocate trusted virtual MAC addresses to replace source MAC addresses of user terminals, so users with untrusted MAC addresses are denied access to the carriers' networks. This is an effective countermeasure to MAC spoofing.

• Users can be identified. The coding of a virtual MAC address can contain the user location or other information (such as the subrack ID/slot ID/port ID), so the user can be directly located in the carrier's network according to the MAC address.

Benefits to users

This feature prevents MAC address conflicts and protects users from MAC address spoofing.

9.3.2 Specifications

The specifications of the 1:1 VMAC feature are as follows:

• 1:1 VMAC is supported in PPPoE, PPPoA, and IPoE access.

• Each port supports a maximum of 32 VMACs in both PPPoE and IPoE access.

• The MA5600T/MA5603T supports 1:1 VMAC for a maximum of 8K ONTs, with each PON board supporting 1:1 VMAC for a maximum of 1K ONTs.

• A maximum of eight VMAC addresses are supported for each ONT. The maximum number of VMAC addresses for each ONT is configurable.

• The MA5600T/MA5603T supports a maximum of 64K GPON VMAC addresses, with each PON board supporting a maximum of 8K GPON VMAC addresses.

• The global-level VMAC switch and VLAN-level VMAC switch are supported.

• Only the VMAC mappings of DHCP users are retained after a reset.

• The QinQ private line service does not support VMAC.

• LTM/LTR transparent transmission is supported. The MAC address in the Ethernet OAM LTM/LTR packet payload can also be replaced with a VMAC address.

• The MAC address in ARP, DHCP, and ND packet payloads can be replaced with a VMAC address.
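An added example (not Huawei's code, and not the device's actual VMAC format) of the 1:1 mapping, the location-bearing VMAC coding described under Benefits, and the 32-VMAC per-port limit above. The octet layout, the 0x02 prefix, and all class and function names are assumptions made for illustration.

```python
# Added illustration; the VMAC octet layout is hypothetical, not the MA5600T/MA5603T format.
MAX_VMAC_PER_PORT = 32      # per-port limit from the specifications list
OPERATOR_PREFIX = 0x02      # assumed first octet: locally administered, unicast


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes and reject non-unicast sources."""
    raw = bytes(int(part, 16) for part in text.split(":"))
    if len(raw) != 6:
        raise ValueError("MAC address must have 6 octets")
    if raw[0] & 0x01:
        raise ValueError("multicast/broadcast source MAC rejected")
    return raw


class VmacTable:
    """1:1 table: each (port, user MAC) pair gets exactly one unique VMAC."""

    def __init__(self):
        self.by_user = {}   # (subrack, slot, port, user_mac) -> vmac
        self.by_vmac = {}   # vmac -> (subrack, slot, port, user_mac)
        self.used = {}      # (subrack, slot, port) -> set of allocated indexes

    def assign(self, subrack, slot, port, user_mac_text):
        user_mac = parse_mac(user_mac_text)
        key = (subrack, slot, port, user_mac)
        if key in self.by_user:                 # known user: mapping is stable
            return self.by_user[key]
        used = self.used.setdefault((subrack, slot, port), set())
        free = [i for i in range(MAX_VMAC_PER_PORT) if i not in used]
        if not free:
            raise RuntimeError("per-port VMAC limit reached")
        used.add(free[0])
        # Hypothetical coding: prefix | 0x00 | subrack | slot | port | index
        vmac = bytes([OPERATOR_PREFIX, 0x00, subrack, slot, port, free[0]])
        self.by_user[key] = vmac
        self.by_vmac[vmac] = key
        return vmac

    def locate(self, vmac):
        """Upstream view: recover the access location straight from the VMAC."""
        if vmac[0] != OPERATOR_PREFIX or vmac not in self.by_vmac:
            raise KeyError("not an operator-assigned VMAC")
        return {"subrack": vmac[2], "slot": vmac[3], "port": vmac[4]}


def fmt(mac):
    """Render 6 bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in mac)
```

Two users presenting the same source MAC on different ports receive different VMACs, so the duplicate never reaches the upstream network and each VMAC still points back to its access port.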

9.3.3 Availability

License Support

The 1:1 VMAC feature is an optional feature of the MA5600T/MA5603T, and the corresponding service is controlled by the license.

Version Support

Table 9-2 lists the versions that support the 1:1 VMAC feature.

Table 9-2 Base version required for the 1:1 VMAC feature in an IPv4 network

Product | Version
MA5600T/MA5603T | V800R006C02 and later versions


Feature Dependency

The VLAN-based 1:1 VMAC feature is mutually exclusive with the VLAN-based N:1 VMAC feature.

Cascading GEM ports do not support GPON 1:1 VMAC.

Type C does not support GPON 1:1 VMAC.

Hardware Support

Boards supporting PPPoE/IPoE 1:1 VMAC: xDSL, H805GPBD, OPFA, and OPGD boards.

Boards supporting PPPoA 1:1 VMAC: xDSL boards.

9.3.4 Feature Enhancement

Table 9-3 lists the new functions of 1:1 VMAC in the new versions.

Table 9-3 New functions of 1:1 VMAC

Version | New Function
V800R010 | GPON 1:1 VMAC

9.3.5 Principle