
5 mff configuration, Mff overview, Application background – H3C Technologies H3C S3600 Series Switches User Manual

Page 622: Mff configuration

5 MFF Configuration

MFF Overview

Application Background

In traditional Ethernet networking, VLANs are typically created on a switch to implement Layer 2 isolation and provide Layer 3 interoperability among clients. If a large number of users are to be isolated at Layer 2, however, this type of networking consumes many VLAN resources. Moreover, to provide Layer 3 interoperability among clients, you need to plan a different IP network segment for each VLAN and configure an IP address for each VLAN interface. An excessive number of VLANs therefore makes IP address allocation less efficient.

Access-layer switches support MAC-forced forwarding (MFF), which provides a solution for Layer 2 isolation and Layer 3 interoperability among clients within the same broadcast domain.

An MFF-enabled device intercepts an ARP request and returns the MAC address of a gateway to the sender. In this way, the sender is forced to send all packets to the gateway, where traffic can be monitored and attacks prevented.
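
The interception described above, modelled in Python as an added example (not code from the H3C manual or the switch firmware). The MAC and IP addresses are constructed, the function names are hypothetical, and the model covers only the step stated here: an ARP request from a host is answered with the gateway's MAC address.

```python
import struct

# Constructed sample addresses (not taken from the manual).
GATEWAY_MAC = bytes.fromhex("0200000000fe")
HOST_A_MAC = bytes.fromhex("02000000000a")
HOST_A_IP = bytes([10, 0, 0, 10])
HOST_B_IP = bytes([10, 0, 0, 11])

# htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes, network order)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(oper, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP payload."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(payload):
    """Unpack an ARP payload, rejecting anything that is not Ethernet/IPv4."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def mff_handle_request(payload, gateway_mac=GATEWAY_MAC):
    """Hypothetical model of the MFF device: answer a host's ARP request
    with the gateway MAC. Returns the reply payload, or None if the
    packet is not an ARP request."""
    arp = parse_arp(payload)
    if arp["oper"] != ARP_REQUEST:
        return None
    # The reply binds the requested IP (tpa) to the gateway's MAC, so the
    # requester never learns the peer host's real MAC address.
    return build_arp(ARP_REPLY, gateway_mac, arp["tpa"], arp["sha"], arp["spa"])


def learned_binding(reply_payload):
    """The (ip, mac) pair the requesting host would cache from a reply."""
    arp = parse_arp(reply_payload)
    return arp["spa"], arp["sha"]
```

When Host A asks for Host B's address, the binding it caches is Host B's IP paired with the gateway's MAC, which is why traffic between hosts is forced through the gateway.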

Figure 5-1 Ethernet-based access network

As shown in Figure 5-1, Switch A and Switch B, serving as Ethernet access nodes (EANs), interconnect the hosts and the aggregation node Switch C. After port isolation and MFF are enabled on the EANs, all the data packets exchanged among the hosts will be forwarded through the gateway, thus providing Layer 3 interoperability among the hosts while ensuring Layer 2 isolation of data. That is, the client hosts will have no knowledge of one another’s MAC addresses.

The MFF feature is typically used in combination with port isolation, IP filtering, and ARP intrusion detection. It is used on access-layer switches to implement traffic filtering, Layer 2 isolation, and Layer 3 interoperability among the hosts, thereby enhancing access-layer network security. For details about port isolation, IP filtering, and ARP intrusion detection, refer to the sections covering port isolation, DHCP, and ARP in this manual.
