Title of invention: MAC (L2) LEVEL AUTHENTICATION, SECURITY AND POLICY CONTROL
Abstract: Techniques are described that enable MAC (L2) address authentication within an L2 switching network, such as a metro transport network. Moreover, when used in an EVPN, the techniques provide fine grain policy control over the L2 switching network so as to enable carrier networks to specify and control topologies for transporting packet-based communications. Access routers of the EVPN communicate with a L2 network address authentication device of the metro transport network and only advertise MAC addresses into the EVPN that have been validated. Moreover, the L2 network address authentication device may distribute MAC-level policies to control topologies and MAC learning within the EVPN and provide services such as per-MAC traffic quota limits.
Publication number: US2017093794(A1) Publication date: 2017.03.30
Application number: US201514871960 Filing date: 2015.09.30
Applicant: Juniper Networks, Inc. Inventors: Natu Sachin S.;Kompella Kireeti
Classification: H04L29/12;H04L12/46;H04L12/721 Main classification: H04L29/12
Agency: Agent:
Independent claim: 1. A method comprising: establishing an Ethernet Virtual Private Network (EVPN) with a set of routers of a metro transport network positioned between at least one Internet service provider network and a set of customer devices, wherein the metro transport network provides layer two (L2) packet switching for transporting network packets between the Internet service provider network and the customer devices, and wherein a first one of the routers is an access router coupled to the customer devices by an access link; receiving, with access router, a packet from one of the customer devices by the access link; responsive to receiving the packet, outputting an authentication request from the access router to a network address authentication device of the metro transport network, wherein the authentication request specifies a source L2 network address of the packet and requests validation of the source L2 network address; and responsive to receiving response messaging from the network authentication device indicating that the source L2 network address is a valid L2 network address associated with one of the customer devices, outputting, within the EVPN by the access router, an EVPN route advertisement that advertises the L2 network address as reachable through the access router.
Address: Sunnyvale CA US