beautypg.com

Configuring mff, Overview – H3C Technologies H3C S6300 Series Switches User Manual

Page 353

background image

338

Configuring MFF

Overview

MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts

in the same broadcast domain.
An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server)

to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring

and attack prevention.
As shown in

Figure 112

, hosts are connected to Switch C through Switch A and Switch B, which are called

Ethernet access nodes (EANs). The MFF-enabled EANs forward packets from hosts to the gateway for

further forwarding. The hosts are isolated at Layer 2, but they can communicate at Layer 3.
An MFF-enabled device and a host cannot ping each other.

Figure 112 Network diagram for MFF

MFF works with one of the following features to implement traffic filtering and Layer 2 isolation on the
EANs:

ARP snooping (see Layer 3—IP Services Configuration Guide).

IP source guard (see "

Configuring IP source guard

).

ARP detection (see "

Configuring ARP attack protection

").

VLAN mapping (see Layer 2—LAN Switching Configuration Guide).

NOTE:

When MFF works with static IP source guard entries, you must configure VLAN IDs in the static entries.
Otherwise, IP packets allowed by IP source guard are permitted even if their destination MAC addresses

are not the MAC address of the gateway.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: