Configuring Mff; Overview - HP 5920 Series Configuration Manual

Configuring MFF

Overview

Traditional Ethernet networking solutions use the VLAN technology to isolate users at Layer 2 and to
allow them to communicate at Layer 3. When a large number of hosts need to be isolated at Layer 2, you
have to assign a network segment for each VLAN and an IP address for each VLAN interface for Layer
3 communication.
MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts
in the same broadcast domain.
An MFF enabled device intercepts ARP requests and returns the MAC address of a gateway (or server)
to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring
and attack prevention.
NOTE:
MFF does not support VRRPE for a gateway.
As shown in
Ethernet access nodes (EANs). The MFF enabled EANs forward packets from hosts to the gateway for
further forwarding. With MFF, the hosts, isolated at Layer 2, can communicate at Layer 3 without
knowing the MAC address of each other.
An MFF-enabled device and a host cannot ping each other.
Figure 117 Network diagram for MFF
MFF works with one of the following features to implement traffic filtering and Layer 2 isolation on the
EANs:
• ARP snooping (see Layer 3—IP Services Configuration Guide).
IP source guard (see
•
ARP detection (see
•
Figure 1 17, hosts are connected to Switch C through Switch A and Switch B, which are called
"Configuring IP source
"Configuring ARP attack
guard).
protection").
345