Allied Telesis Layer 3 Switches Network Manual page 23

MAC-Forced Forwarding (MACFF)
MAC-forced forwarding works in conjunction with DHCP
snooping to give you full control over IP flows in a layer 2
network.
Like local proxy ARP, MACFF replies to a client's ARP
request with the MAC address of an access router, instead
of the real MAC address of the IP requested.
With MACFF, the edge switch generates the ARP reply. The
edge switch works out which MAC address to reply with
from information provided by DHCP snooping. DHCP
snooping keeps a record of the client's IP, MAC and port
assignment. It also records the router information that the
client has been given by DHCP. DHCP snooping passes this
information to MACFF, so that MACFF knows which router's MAC address to provide when
it sees an ARP from that client.
For more information about how MACFF works, see How To Use MAC-Forced Forwarding with
DHCP Snooping to Create Enhanced Private VLANs. This How To Note is available from
www.alliedtelesis.com/resources/literature/howto.aspx.
Create A Secure Network With Allied Telesis Managed Layer 3 Switches
# Create a classifier to match all traffic in VLANs 101-104
create class=10 ipsa=192.168.0.0/16 ipda=192.168.0.0/16
# Create a classifier to match voice traffic
create class=100 ipsa=192.168.1.0/24 ipda=192.168.1.0/24
# Create a classifier to match management traffic
# The management PC is 192.168.4.250
create class=401 ipsa=192.168.4.0/24 ipda=192.168.4.250/32
create class=402 ipsa=192.168.4.250/32 ipda=192.168.4.0/24
# Create a filter to drop traffic within and between VLANs 101-104
add switch hwfilter classifier=10 action=discard
# Create filters to allow the exceptions (voice and management)
add switch hwfilter classifier=100 action=nodrop
add switch hwfilter classifier=401 action=nodrop
add switch hwfilter classifier=402 action=nodrop
Protecting the user
Products
AT-8600 Series
AT-8700XL Series
Rapier Series
AT-8800 Series
AT-8948
x900-48 Series
AT-9900 Series
Software Versions
2.9.1 or later
23