Networks that primarily utilize data link layer devices are often referred to as layer two (L2) networks. A data link layer device is a device that operates within the second layer of the Open Systems Interconnection (OSI) reference model, i.e., the data link layer. One example of a data link layer device is a customer premises equipment (CPE) device, such as a switch, modem, Ethernet card, or wireless access point. Traditional L2 networks include Ethernet networks, Asynchronous Transfer Mode (ATM) networks, Frame Relay networks, networks using High-Level Data Link Control (HDLC), Point-to-Point Protocol (PPP) connections, PPP sessions carried in Layer 2 Tunneling Protocol (L2TP) tunnels, and Virtual Local Area Networks (VLANs).
In L2 networks, an L2 device responsible for forwarding network traffic, such as an L2 switch or an L2-enabled router, operates to forward network traffic to an L2 network address reachable by a particular port of the L2 device. If the specific port by which the L2 network address is reachable is not known, the L2 device typically “floods” L2 traffic destined for that network address to all ports of the L2 device (other than the port on which it arrived). Such flooding, however, consumes bandwidth within the L2 network, which is generally undesirable. In some instances, the L2 device may be manually provisioned such that the L2 network addresses reachable by each of the ports are statically defined by an administrator. However, manually configuring the L2 device may result in significant administrative overhead, especially in large L2 networks where a single L2 device may forward network traffic to a large number of remote network devices, each having a unique L2 network address that must be manually configured on the L2 device. Furthermore, each time a remote network device moves such that it is reachable by a different port of the L2 device, the L2 device must be reconfigured by the administrator. This requires additional overhead and may prevent a remote network device from receiving packets until the administrator reconfigures the L2 device.
Other L2 devices are configured to dynamically learn which network addresses are reachable through the different ports of the device. Such an L2 device typically floods a copy of network traffic to all of its ports when the network traffic is destined for a network address that has not previously been seen, and therefore not learned, by the L2 device. Specifically, the L2 device floods all network traffic bound for a particular destination address until the L2 device receives some network traffic originating from that address, at which time the L2 device is able to “learn” the specific port by which the network address is reachable. As a result, the L2 device forwards future network traffic bound for the address only to the particular port and no longer needs to flood the network traffic. Dynamic learning of L2 network addresses reachable by specific ports may significantly reduce administrative overhead associated with configuring L2 devices, especially in large L2 networks. However, dynamic learning may expose the L2 devices to certain security risks, such as L2 address spoofing. That is, a different remote network device may send traffic with a spoofed source address matching a legitimate L2 network address, causing the L2 device to re-learn that address on the spoofing device's port and redirect packets to the spoofing remote network device rather than the legitimate remote network device.
To minimize administrative overhead while also minimizing the possibility of network address spoofing, some networks employ a hybrid form of L2 network address learning. Specifically, the L2 device may be configured to initially dynamically learn network addresses, as described above, but then prevent any learned network address from being re-learned on a different port of the L2 device. This is typically referred to as “pinning” the network address to the particular port of the L2 device such that the network address is not released until certain conditions are met, such as an expiration period. For example, the network address may be pinned to a particular port until no network traffic is received from the network address via the particular port within a configurable period of time, e.g., five minutes. As another example, the network address may be pinned to a particular port until an administrator reconfigures the L2 device to associate the network address with a different port of the L2 device.
Pinning of network addresses to ports of an L2 device also presents certain challenges. For example, by pinning the network address to a particular port, a multi-homed remote network device, e.g., a remote network device reachable by the L2 device via two or more different network paths associated with two or more different ports of the L2 device, cannot easily make use of the planned network redundancy. Instead, if a first network path becomes unavailable, the multi-homed remote network device must wait until the configurable period of time has expired and the L2 device subsequently permits the network address of the remote network device to be re-learned on the different port or until an administrator reconfigures the L2 device to associate the network address of the remote network device with the other port of the L2 device.
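The three behaviours described above (plain dynamic learning being hijacked by a spoofed source address, pinning with a five-minute aging timer blocking the hijack, and the same pinning stranding a multi-homed host until the timer expires) can be reproduced with a small forwarding-table simulation. The code below is an added illustration, not part of the original text or any vendor's implementation; the MAC addresses, port numbers, timestamps, and the choice to drop a frame whose source conflicts with a pinned entry are assumptions made for the example.

```python
"""Toy L2 forwarding table: dynamic learning, source-address spoofing,
and port pinning with an aging timer (added example, not from the page)."""

from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Entry:
    port: int
    last_seen: float   # time of the last frame received FROM this address on `port`
    pinned: bool       # True: entry may not move to another port until it ages out


@dataclass
class L2Switch:
    ports: Set[int]
    pin_addresses: bool = False    # hybrid mode: pin each address when first learned
    age_seconds: float = 300.0     # five-minute release period, as in the text
    table: Dict[str, Entry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Release entries that received no traffic within age_seconds.
        stale = [m for m, e in self.table.items() if now - e.last_seen > self.age_seconds]
        for mac in stale:
            self.log.append(f"age-out {mac} on port {self.table[mac].port}")
            del self.table[mac]

    def receive(self, in_port: int, src: str, dst: str, now: float) -> List[int]:
        """Process one frame; return the ports it is forwarded to ([] = dropped)."""
        self._expire(now)
        entry = self.table.get(src)
        if entry is None:
            self.table[src] = Entry(in_port, now, self.pin_addresses)
            self.log.append(f"learn {src} on port {in_port}")
        elif entry.port == in_port:
            entry.last_seen = now          # refresh the aging timer
        elif entry.pinned:
            # Assumption for this example: a frame whose source conflicts with a
            # pinned entry is dropped rather than re-learned or forwarded.
            self.log.append(f"drop {src}: pinned to port {entry.port}, seen on {in_port}")
            return []
        else:
            self.log.append(f"move {src} from port {entry.port} to port {in_port}")
            self.table[src] = Entry(in_port, now, False)
        dst_entry = self.table.get(dst)
        if dst_entry is not None:
            return [dst_entry.port]                  # known destination: unicast
        return sorted(self.ports - {in_port})        # unknown destination: flood


VICTIM, SERVER = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"   # constructed addresses


def spoof_scenario() -> dict:
    """Plain dynamic learning: an attacker on port 3 spoofs VICTIM and steals its traffic."""
    sw = L2Switch(ports={1, 2, 3})
    flooded = sw.receive(1, VICTIM, SERVER, now=0.0)   # SERVER unknown: flood to 2 and 3
    sw.receive(2, SERVER, VICTIM, now=1.0)             # SERVER learned on port 2
    before = sw.receive(2, SERVER, VICTIM, now=2.0)    # unicast to VICTIM on port 1
    sw.receive(3, VICTIM, SERVER, now=3.0)             # spoofed source: entry moves to port 3
    after = sw.receive(2, SERVER, VICTIM, now=4.0)     # traffic now redirected to port 3
    return {"flooded": flooded, "before": before, "after": after}


def pinning_scenario() -> dict:
    """Hybrid mode: the same spoof attempt is dropped and the pinned entry stays on port 1."""
    sw = L2Switch(ports={1, 2, 3}, pin_addresses=True)
    sw.receive(1, VICTIM, SERVER, now=0.0)
    sw.receive(2, SERVER, VICTIM, now=1.0)
    spoof_out = sw.receive(3, VICTIM, SERVER, now=2.0)   # conflicts with pinned entry
    after = sw.receive(2, SERVER, VICTIM, now=3.0)       # still delivered to port 1
    return {"spoof_forwarded_to": spoof_out, "after_spoof": after}


def multihomed_failover_scenario() -> dict:
    """Pinned host reachable via ports 1 and 2 loses path 1 at t=10; path 2 is unusable
    until the entry ages out at t>300, and replies black-hole to port 1 meanwhile."""
    sw = L2Switch(ports={1, 2, 3}, pin_addresses=True, age_seconds=300.0)
    sw.receive(1, VICTIM, SERVER, now=0.0)                  # host pinned to port 1
    sw.receive(3, SERVER, VICTIM, now=1.0)                  # peer on port 3
    during_outage = sw.receive(2, VICTIM, SERVER, now=10.0)  # host tries its second path
    stale = sw.receive(3, SERVER, VICTIM, now=11.0)          # reply still sent to dead port 1
    after_ageout = sw.receive(2, VICTIM, SERVER, now=301.0)  # entry expired, re-learned on 2
    recovered = sw.receive(3, SERVER, VICTIM, now=302.0)     # reply now reaches port 2
    return {"during_outage": during_outage, "stale": stale,
            "after_ageout": after_ageout, "recovered": recovered}


if __name__ == "__main__":
    for fn in (spoof_scenario, pinning_scenario, multihomed_failover_scenario):
        print(fn.__name__, fn())
```

Each scenario returns the list of output ports chosen for the interesting frames, so the effect of each policy is visible without reading the switch log: with plain learning the server's replies move from port 1 to the attacker's port 3 after a single spoofed frame; with pinning the spoofed frame is dropped and replies keep going to port 1; but the same pinning leaves the multi-homed host unreachable on its surviving path for the full aging period, exactly the trade-off the text describes.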