Contents
display mac-forced-forwarding interface
display mac-forced-forwarding vlan
mac-forced-forwarding gateway probe
mac-forced-forwarding network-port
MFF commands
display mac-forced-forwarding interface
Use display mac-forced-forwarding interface to display MFF port configuration.
Syntax
display mac-forced-forwarding interface
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display MFF port configuration.
<Sysname> display mac-forced-forwarding interface
Network Port:
WGE1/0/1 WGE1/0/2
User Port:
WGE1/0/3 WGE1/0/4 WGE1/0/5
...
Table 1 Command output
Field | Description |
---|---|
Network Port | List of network ports. |
User Port | List of user ports. |
Related commands
mac-forced-forwarding network-port
display mac-forced-forwarding vlan
Use display mac-forced-forwarding vlan to display the MFF configuration for a VLAN.
Syntax
display mac-forced-forwarding vlan vlan-id
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vlan-id: Specifies a VLAN by its ID.
Examples
# Display the MFF configuration for VLAN 2.
<Sysname> display mac-forced-forwarding vlan 2
VLAN 2
Gateway:
--------------------------------------------------------------------------
192.168.1.42 000f-e200-8046
Server:
--------------------------------------------------------------------------
192.168.1.48 192.168.1.49
Table 2 Command output
Field | Description |
---|---|
VLAN 2 | ID of the VLAN to which the gateways belong. |
Gateway | IP and MAC addresses of gateways. If no address is learned, this field displays N/A. |
Server | Server IP addresses. |
Related commands
mac-forced-forwarding
mac-forced-forwarding server
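The two display commands above can be checked mechanically after a change. The following Python sketch is an added example, not part of the vendor documentation: it parses output in the layout shown in the examples and flags a VLAN whose gateway was not learned, a device with no network port, and expected servers missing from the list. The sample text is constructed from the examples on this page, the function names and the `expected_servers` parameter are this example's own, and it assumes an unlearned gateway appears as the token `N/A`.

```python
import re

# Constructed sample output, modeled on the two display examples on this page.
SAMPLE_INTERFACE = """Network Port:
WGE1/0/1 WGE1/0/2
User Port:
WGE1/0/3 WGE1/0/4 WGE1/0/5
"""
SAMPLE_VLAN = """VLAN 2
Gateway:
--------------------------------------------------------------------------
192.168.1.42 000f-e200-8046
Server:
--------------------------------------------------------------------------
192.168.1.48 192.168.1.49
"""

def parse_sections(text):
    """Collect the whitespace-separated tokens listed under each 'Name:' line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line == "...":
            continue  # blank lines, separator rules, truncated output
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].extend(line.split())
    return sections

def audit_mff(interface_text, vlan_text, expected_servers=()):
    """Return findings as strings; an empty list means nothing was flagged."""
    ports = parse_sections(interface_text)
    vlan = parse_sections(vlan_text)
    match = re.search(r"^\s*VLAN\s+(\d+)", vlan_text, re.M)
    tag = f"VLAN {match.group(1)}" if match else "VLAN ?"
    findings = []
    if not ports.get("Network Port"):
        findings.append("no network port: every port, uplinks included, is a user port")
    gateway = vlan.get("Gateway", [])
    if not gateway or "N/A" in gateway:  # assumes N/A appears as its own token
        findings.append(f"{tag}: gateway address not learned")
    for ip in expected_servers:  # expected_servers is this example's parameter
        if ip not in vlan.get("Server", []):
            findings.append(f"{tag}: server {ip} missing from the MFF server list")
    return findings

if __name__ == "__main__":
    print(audit_mff(SAMPLE_INTERFACE, SAMPLE_VLAN, ["192.168.1.48"]) or "no findings")
```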
mac-forced-forwarding
Use mac-forced-forwarding to enable MFF and specify the default gateway.
Use undo mac-forced-forwarding to disable MFF.
Syntax
mac-forced-forwarding default-gateway gateway-ip
undo mac-forced-forwarding
Default
MFF is disabled.
Views
VLAN view
Predefined user roles
network-admin
Parameters
default-gateway gateway-ip: Specifies the IP address of the default gateway.
Usage guidelines
For MFF to take effect, make sure ARP snooping is enabled on the VLAN where MFF is enabled.
For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured. MFF checks for and denies only all-zero and all-one gateway IP addresses.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable MFF for VLAN 2 and specify the IP address of the default gateway.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding default-gateway 1.1.1.1
Related commands
mac-forced-forwarding server
mac-forced-forwarding gateway probe
Use mac-forced-forwarding gateway probe to enable periodic gateway probe.
Use undo mac-forced-forwarding gateway probe to disable periodic gateway probe.
Syntax
mac-forced-forwarding gateway probe
undo mac-forced-forwarding gateway probe
Default
Periodic gateway probe is disabled.
Views
VLAN view
Predefined user roles
network-admin
Usage guidelines
Make sure you have enabled MFF before enabling periodic gateway probe. The probe interval is 30 seconds.
Examples
# Enable periodic gateway probe.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding gateway probe
Related commands
mac-forced-forwarding
mac-forced-forwarding network-port
Use mac-forced-forwarding network-port to configure the Ethernet port as a network port.
Use undo mac-forced-forwarding network-port to restore the default.
Syntax
mac-forced-forwarding network-port
undo mac-forced-forwarding network-port
Default
The Ethernet port is a user port.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
You should configure the following ports as network ports:
· Upstream ports connected to a gateway.
· Ports connected to the MFF devices in a cascaded network (a network with multiple MFF devices connected to one another).
· Ports between devices in a ring network.
You can configure multiple ports as network ports.
You can configure a port as a network port regardless of whether MFF is enabled for the VLAN of the port. However, the configuration takes effect only after MFF is enabled.
Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN. To cancel the network port configuration of a link aggregation member port in an MFF-enabled VLAN, remove the network port from the link aggregation group first. For more information about link aggregation, see Layer 2—LAN Switching Configuration Guide.
Examples
# Configure Twenty-FiveGigE 1/0/1 as a network port.
<Sysname> system-view
[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] mac-forced-forwarding network-port
Related commands
mac-forced-forwarding
mac-forced-forwarding server
Use mac-forced-forwarding server to specify the IP addresses of servers.
Use undo mac-forced-forwarding server to remove server IP addresses.
Syntax
mac-forced-forwarding server server-ip&<1-10>
undo mac-forced-forwarding server server-ip&<1-10>
Default
No server IP address is specified.
Views
VLAN view
Predefined user roles
network-admin
Parameters
server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses.
Usage guidelines
You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
Server IP addresses can be those of the interfaces on a router in a VRRP group and those of the servers collaborating with MFF, such as a RADIUS server.
When the MFF device receives an ARP request from a server, it searches the IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server.
In this way, packets from the server to a host are not forwarded by the gateway. However, packets from a host to the server are forwarded by the gateway.
MFF does not check whether the IP address of a server is on the same network segment as that of a gateway. Instead, it checks whether the IP address of a server is all-zero or all-one. An all-zero or all-one server IP address is invalid.
Make sure MFF is enabled before you execute the mac-forced-forwarding server command.
Examples
# Specify the server at 192.168.1.100.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding server 192.168.1.100
Related commands
mac-forced-forwarding
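Because MFF rejects only all-zero and all-one gateway and server addresses, a mistyped server address on the wrong segment is accepted silently. The following Python pre-check is an added example, not part of the vendor documentation: it applies the same two rejections and the 1 to 10 address limit of the server syntax, then adds the segment comparison that MFF does not perform. The function name and the `prefix_len` parameter are assumptions of this example.

```python
import ipaddress

def check_mff_plan(gateway, servers, prefix_len):
    """Pre-check a planned gateway and server list for one MFF-enabled VLAN.

    prefix_len (the VLAN subnet's prefix length) is an input of this example
    only; MFF is not given one and does not compare segments.
    Returns (errors, warnings) as two lists of strings. A malformed address
    raises ValueError from the ipaddress module.
    """
    def mff_rejects(ip):
        # Per the usage guidelines, only all-zero and all-one addresses are invalid.
        return int(ipaddress.IPv4Address(ip)) in (0, 0xFFFFFFFF)

    errors, warnings = [], []
    if mff_rejects(gateway):
        errors.append(f"gateway {gateway} is all-zero or all-one")
        return errors, warnings  # no usable subnet to compare servers against
    if not 1 <= len(servers) <= 10:
        errors.append(f"server list has {len(servers)} entries; syntax allows 1 to 10")
    subnet = ipaddress.ip_network(f"{gateway}/{prefix_len}", strict=False)
    for ip in servers:
        if mff_rejects(ip):
            errors.append(f"server {ip} is all-zero or all-one")
        elif ipaddress.IPv4Address(ip) not in subnet:
            # Accepted by MFF, so this is the check worth doing by hand.
            warnings.append(f"server {ip} is outside {subnet}; MFF will not flag this")
    return errors, warnings

if __name__ == "__main__":
    # Constructed plan: one server on the gateway's segment, one mistyped.
    errs, warns = check_mff_plan("192.168.1.42", ["192.168.1.100", "192.168.11.100"], 24)
    for msg in errs:
        print("ERROR  ", msg)
    for msg in warns:
        print("WARNING", msg)
```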