Please note that the 7750 SR supports many additional security features, which are described in the 7750 SR OS System Management Guide.
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA).
Note that anti-spoofing filters, with type ip-mac, must be enabled to do Enhanced Subscriber Management (as described in section Triple Play Enhanced Subscriber Management).
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA).
The mac-protect feature on the Alcatel-Lucent 7750 SR allows a list of special MAC addresses to be configured in a VPLS. Two checks can then be made on incoming packets against these protected MAC addresses:
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA) with Layer 2 aggregation towards a Broadband Subscriber Router (BSR).
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA).
When the keyword sub-ident is added in the ARP reply agent configuration, the subscriber identity is also checked. If an upstream ARP request is targeted to the same subscriber, it is dropped. Otherwise, it is flooded to all VPLS interfaces outside the received Split Horizon Group (SHG).
Static hosts can be defined on the SAP using the host command. Dynamic hosts are enabled on the system by enabling the lease-populate command in the SAP’s dhcp context. In the event that both a static host and a dynamic host share the same IP and MAC address, the VPLS ARP reply agent will retain the host information until both the static and dynamic information are removed. In the event that both a static and dynamic host share the same IP address, but different MAC addresses, the VPLS ARP reply agent is populated with the static host information.
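The two host-table rules and the sub-ident check described above can be modelled as follows. This is an added illustration, not SR OS code or configuration; the class, function and return-value names are hypothetical, the sample hosts are constructed, and passing the requester's subscriber identity as a parameter is an assumption of the model.

```python
# Illustrative model only: names are hypothetical, this is not SR OS code.
class ArpReplyHostTable:
    """Host information held by the VPLS ARP reply agent, keyed by IP address."""

    def __init__(self):
        # kind -> ip -> (mac, subscriber); kind is "static" or "dynamic"
        self._hosts = {"static": {}, "dynamic": {}}

    def add(self, kind, ip, mac, subscriber):
        self._hosts[kind][ip] = (mac.lower(), subscriber)

    def remove(self, kind, ip):
        self._hosts[kind].pop(ip, None)

    def lookup(self, ip):
        """Static host information wins over a dynamic lease for the same IP.
        The entry disappears only once both sources have been removed."""
        return self._hosts["static"].get(ip) or self._hosts["dynamic"].get(ip)


def upstream_arp_action(table, requester_subscriber, target_ip):
    """Decision for an upstream ARP request when sub-ident is configured."""
    host = table.lookup(target_ip)
    if host is not None and host[1] == requester_subscriber:
        return "drop"               # target belongs to the same subscriber
    return "flood-outside-shg"      # all VPLS interfaces outside the received SHG


def demo():
    t = ArpReplyHostTable()
    # Constructed sample hosts (documentation addresses, made-up subscriber ids).
    t.add("static", "192.0.2.10", "00:00:5E:00:53:01", "sub-A")
    t.add("dynamic", "192.0.2.10", "00:00:5e:00:53:01", "sub-A")  # same IP and MAC
    t.add("static", "192.0.2.20", "00:00:5e:00:53:02", "sub-B")
    t.add("dynamic", "192.0.2.20", "00:00:5e:00:53:99", "sub-B")  # same IP, other MAC
    results = {"conflict_mac": t.lookup("192.0.2.20")[0]}
    t.remove("dynamic", "192.0.2.10")
    results["after_one_removed"] = t.lookup("192.0.2.10")
    t.remove("static", "192.0.2.10")
    results["after_both_removed"] = t.lookup("192.0.2.10")
    results["same_sub"] = upstream_arp_action(t, "sub-B", "192.0.2.20")
    results["other_sub"] = upstream_arp_action(t, "sub-A", "192.0.2.20")
    return results


if __name__ == "__main__":
    print(demo())
```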
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA) with Layer 3 forwarding towards the network.
In an IES or VPRN service, the system’s ARP table can be populated dynamically using entries in the DHCP lease state table (itself populated by snooping DHCP ACK messages; see DHCP Snooping), and from static hosts defined on the SAP. In the router ARP table, these entries are indicated with state managed.
No static-arp creation is possible when combined with arp-populate.
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA) with Layer 3 forwarding towards the network.
Local proxy ARP allows the Alcatel-Lucent 7750 SR to respond to ARP requests received on an interface, for an IP address which is part of a subnet assigned to the interface. When the local proxy ARP feature is enabled, the switch responds to all ARP requests for IP addresses belonging to the subnet with the MAC address of the interface, and forwards all traffic between hosts in the subnet.
Note: When local-proxy-arp is enabled under an IES or VPRN service, all ICMP redirects on the ports associated with the service are automatically blocked. This prevents users from learning each other's MAC address (from ICMP redirects).
The implementation of proxy ARP with support for local proxy ARP allows the 7750 SR to respond to ARP requests in the subnet assigned to an IES or VPRN interface, thus allowing multiple customers to share the same IP subnet.
This section describes the Alcatel-Lucent 7750 SR acting as a Broadband Subscriber Aggregator (BSA).
The 7750 SR supports a special ACL that automatically redirects subscribers to a predefined URL. This is done by sending an HTTP 302 (moved) message to the subscriber, regardless of the requested URL.
The items in red text in Figure 39 are messages the 7750 SR will send (masquerading as the destination), regardless of the destination IP address or type of service.
Since most web sites are accessed using the domain name, the 7750 SR will need to allow DNS queries, and an ACL entry to this effect should be included in the filter (see example in section Configuring Web Portal Redirect).