Configuring MFF - HP 10500 Series Configuration Manual

Security configuration guide

Configuring MFF

Traditional Ethernet networking solutions use VLAN technology to isolate users at Layer 2 and to allow
them to communicate at Layer 3. However, when a large number of hosts need to be isolated at Layer 2,
many VLAN resources are occupied, and many IP addresses are used because you have to assign a
network segment for each VLAN and an IP address for each VLAN interface for Layer 3 communication.
MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts
in the same broadcast domain.
An MFF enabled device intercepts ARP requests and returns the MAC address of a gateway (or server)
to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring
and attack prevention.
Figure 108 Network diagram for MFF
As shown in Figure 108, hosts are connected to Switch C (aggregation node) through Switch A and
Switch B (Ethernet access nodes). The MFF enabled EANs forward packets from the hosts to the gateway
for further forwarding. The hosts, isolated at Layer 2, can communicate at Layer 3 without knowing the
MAC address of each other.
MFF is often used in cooperation with the DHCP snooping, ARP snooping, IP Source Guard, ARP
detection, and VLAN mapping features to enhance network security by implementing traffic filtering,
Layer 2 isolation, and Layer 3 communication on the access switches.
NOTE:
An MFF-enabled device and a host cannot ping each other.
For more information about DHCP snooping and ARP snooping, see Layer 3—IP Services Configuration Guide.
For more information about IP source guard, see "Configuring IP source guard."
For more information about ARP detection, see "Configuring ARP attack protection."
For more information about VLAN mappings, see Layer 2—LAN Switching Configuration Guide.
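
Because an MFF enabled device answers host ARP requests with the gateway MAC address, a host behind it should see that one MAC for every neighbor. The following check is an added example, not part of the HP manual: it assumes a Linux host and its `ip neigh` output, and the addresses, the sample text and the function name audit_neighbors are constructed for illustration.

```python
import re

# Constructed sample values (assumptions, not taken from the manual).
GATEWAY_MAC = "00:00:5e:00:53:01"

# Matches the "<ip> dev <if> lladdr <mac>" part of an `ip neigh` line.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def audit_neighbors(ip_neigh_output, gateway_mac=GATEWAY_MAC):
    """Return (ip, mac) pairs whose MAC is not the gateway MAC.

    With MFF enforced, every resolved neighbor should map to the gateway MAC.
    Any other MAC means a peer answered ARP directly, so Layer 2 isolation
    is not being enforced on that path.
    """
    violations = []
    for line in ip_neigh_output.splitlines():
        match = NEIGH_RE.match(line.strip())
        if not match:
            continue  # FAILED/INCOMPLETE entries carry no lladdr
        ip, _dev, mac = match.groups()
        if mac.lower() != gateway_mac.lower():
            violations.append((ip, mac.lower()))
    return violations

# Constructed `ip neigh` output: one peer resolves to a non-gateway MAC.
SAMPLE = """\
10.1.1.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
10.1.1.20 dev eth0 lladdr 00:00:5e:00:53:01 STALE
10.1.1.30 dev eth0 lladdr 00:00:5E:00:53:99 REACHABLE
10.1.1.40 dev eth0  FAILED
"""

if __name__ == "__main__":
    for ip, mac in audit_neighbors(SAMPLE):
        print(f"neighbor {ip} resolved to {mac}, expected gateway {GATEWAY_MAC}")
```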
