Table of Contents
Advertisement
Configuring MFF
Overview
MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between
hosts in the same broadcast domain.
An MFF enabled device intercepts ARP requests and returns the MAC address of a gateway (or
server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic
monitoring and attack prevention.
NOTE:
MFF does not support VRRPE for a gateway.
As shown in
called Ethernet access nodes (EANs). The MFF enabled EANs forward packets from hosts to the
gateway for further forwarding. The hosts are isolated at Layer 2, but they can communicate at Layer
3.
An MFF-enabled device and a host cannot ping each other.
Figure 130 Network diagram for MFF
MFF works with any of the following features to implement traffic filtering and Layer 2 isolation on the
EANs:
•
ARP snooping (see Layer 3—IP Services Configuration Guide).
•
IP source guard (see "Configuring IP source guard).
•
ARP detection (see "Configuring ARP attack protection").
•
VLAN mapping (see Layer 2—LAN Switching Configuration Guide).
NOTE:
When MFF works with static IP source guard entries, you must configure VLAN IDs in the static
entries. Otherwise, IP packets allowed by IP source guard are permitted even if their destination
MAC addresses are not the MAC address of the gateway.
Figure
130, hosts are connected to Switch C through Switch A and Switch B, which are
423
Advertisement
Table of Contents
Troubleshooting
