Basic concepts of mff, User port, Network port – H3C Technologies H3C S3600 Series Switches User Manual
Page 623: Gateway
5-2
Basic Concepts of MFF
User port
An MFF user port is directly connected to a host; it processes packets as follows:
z
Allows DHCP packets and multicast packets to pass.
z
Delivers ARP packets to the CPU.
z
After learning gateways’ MAC addresses, a user port allows only the unicast packets with the
gateways’ MAC addresses as the destination MAC addresses to pass. If no gateways’ MAC
addresses are learned, a user port discards all received unicast packets.
z
IP filtering must be enabled on a port before the port can be configured as a user port. IP filtering
cannot be disabled on an as-configured user port.
z
To ensure Layer 2 isolation among clients connected to the same switch, the corresponding user
ports must be added to a port isolation group.
Network port
An MFF network port is connected to a networking device, such as an access switch, a distribution
switch or a gateway. A network port processes packets as follows:
z
Allows multicast packets and DHCP packets to pass.
z
Delivers ARP packets to the CPU.
z
Denies broadcast packets.
z
You need to configure the following ports as network ports: upstream ports connected to a gateway,
ports connected to the downstream MFF devices, and ports between devices in a ring network.
z
A network port is not always an upstream port.
z
To ensure the correct implementation of MFF, the network port is typically configured as a DHCP
snooping trusted port and an ARP intrusion detection trusted port.
Gateway
For an access layer switch enabled with MFF, each VLAN corresponds to an MFF gateway. All the
traffic from the clients of a VLAN will be forwarded by the corresponding gateway, to implement Layer 2
isolation and traffic monitoring.
The IP address of an MFF gateway can be configured manually or obtained automatically. For details,
.