The native bridge
domain refers to a Layer 2 broadcast domain consisting of a set of physical or
virtual ports (including VFI). Data frames are switched within a bridge domain
based on the destination MAC address. Multicast, broadcast, and unknown
destination unicast frames are flooded within the bridge domain. In addition,
the source MAC address learning is performed on all incoming frames on a bridge
domain. A learned address is aged out. Incoming frames are mapped to a bridge
domain, based on either the ingress port or a combination of both an ingress
port and a MAC header field.
By default, split horizon is enabled for pseudowires under the
same VFI. However, in the default configuration, split horizon is not enabled
on the attachment circuits (interfaces or pseudowires).
A Cisco ASR 9000
Series Router, while bridging traffic in a bridge domain, minimizes the amount
of traffic that floods unnecessarily. The Flood Optimization feature
accomplishes this functionality. However, in certain failure recovery
scenarios, extra flooding is actually desirable in order to prevent traffic
loss. Traffic loss occurs during a temporary interval when one of the bridge
port links becomes inactive, and a standby link replaces it.
configurations, optimizations to minimize traffic flooding is achieved at the
expense of traffic loss during the short interval in which one of the bridge's
links fails, and a standby link replaces it. Therefore, Flood Optimization can
be configured in different modes to specify a particular flooding behavior
suitable for your configuration.
optimization modes can be configured:
Flooded traffic is
sent only to the line cards on which a bridge port or pseudowire that is
attached to the bridge domain resides. This is the default mode.
Flooded traffic is
sent to all line cards in the system. Traffic is flooded regardless of whether
they have a bridge port or a pseudowire that is attached to the bridge domain.
If there are multiple Equal Cost MPLS Paths (ECMPs) attached to that bridge
domain, traffic is flooded to all ECMPs.
The purpose of
Convergence Mode is to ensure that an absolute minimum amount of traffic is
lost during the short interval of a bridge link change due to a failure.
TE FRR Optimized
Engineering Fast Reroute (TE FRR) Optimized Mode is similar to the Bandwidth
Optimized Mode, except for the flooding behavior with respect to any TE FRR
pseudowires attached to the bridge domain. In TE FRR Optimized Mode, traffic is
flooded to both the primary and backup FRR interfaces. This mode is used to
minimize traffic loss during an FRR failover, thus ensuring that the bridge
traffic complies with the FRR recovery time constraints.
Inspection (DAI) is a method of providing protection against address resolution
protocol (ARP) spoofing attacks. It intercepts, logs, and discards ARP packets
with invalid IP-to-MAC address bindings. This capability protects the network
from certain man-in-the-middle attacks. The DAI feature is disabled by default.
ARP enables IP
communication within a Layer 2 broadcast domain by mapping an IP address to a
MAC address. Spoofing attacks occur because ARP allows a response from a host
even when an ARP request is not actually received. After an attack occurs, all
traffic, from the device under attack, first flows through the attacker's
system, and then to the router, switch, or the host. An ARP spoofing attack
affects the devices connected to your Layer 2 network by sending false
information to the ARP caches of the devices connected to the subnet. The
sending of false information to an ARP cache is known as ARP cache poisoning.
The Dynamic ARP
Inspection feature ensures that only valid ARP requests and responses are
relayed. There are two types of ARP inspection:
inspection—The sender’s MAC address, IPv4 address, receiving bridge port XID
and bridge are checked.
inspection—The following items are validated:
The sender’s and source MACs are checked. The check is performed on all ARP or
MAC: The target and destination MACs are checked. The check is performed on all
Reply or Reply Reverse packets.
Address: For ARP requests, a check is performed to verify if the sender’s IPv4
address is 0.0.0.0, a multicast address or a broadcast address. For ARP Reply
and ARP Reply Reverse, a check is performed to verify if the target IPv4
address is 0.0.0.0, a multicast address or a broadcast address. This check is
performed on Request, Reply and Reply Reverse packets.
The DAI feature is
supported on attachment circuits and EFPs. Currently, the DAI feature is not
supported on pseudowires.
IP source guard
(IPSG) is a security feature that filters traffic based on the DHCP snooping
binding database and on manually configured IP source bindings in order to
restrict IP traffic on non-routed Layer 2 interfaces.
The IPSG feature
provides source IP address filtering on a Layer 2 port, to prevent a malicious
hosts from manipulating a legitimate host by assuming the legitimate host's IP
address. This feature uses dynamic DHCP snooping and static IP source binding
to match IP addresses to hosts.
Initially, all IP
traffic, except for DHCP packets, on the EFP configured for IPSG is blocked.
After a client receives an IP address from the DHCP server, or after static IP
source binding is configured by the administrator, all traffic with that IP
source address is permitted from that client. Traffic from other hosts is
denied. This filtering limits a host's ability to attack the network by
claiming a neighbor host's IP address.
The IPSG feature
is supported on attachment circuits and EFPs. Currently, the IPSG feature is
not supported on pseudowires.