09-Security Command Reference

21-MFF commands

MFF commands

display mac-forced-forwarding interface

Use display mac-forced-forwarding interface to display MFF port configuration.

Syntax

display mac-forced-forwarding interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display MFF port configuration.

<Sysname> display mac-forced-forwarding interface

Network Port:

WGE1/0/1                  WGE1/0/2

User Port:

WGE1/0/3                  WGE1/0/4                  WGE1/0/5

...

Table 1 Command output

Field           Description
Network Port    List of network ports.
User Port       List of user ports.

Related commands

mac-forced-forwarding network-port

display mac-forced-forwarding vlan

Use display mac-forced-forwarding vlan to display the MFF configuration for a VLAN.

Syntax

display mac-forced-forwarding vlan vlan-id

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vlan-id: Specifies a VLAN by its ID.

Examples

# Display the MFF configuration for VLAN 2.

<Sysname> display mac-forced-forwarding vlan 2

VLAN 2

Gateway:

--------------------------------------------------------------------------

192.168.1.42         000f-e200-8046

Server:

--------------------------------------------------------------------------

192.168.1.48         192.168.1.49

Table 2 Command output

Field      Description
VLAN 2     ID of the VLAN to which the gateways belong.
Gateway    IP and MAC addresses of gateways. If no address is learned, this field displays N/A.
Server     Server IP addresses.

Related commands

mac-forced-forwarding

mac-forced-forwarding server

mac-forced-forwarding

Use mac-forced-forwarding to enable MFF and specify the default gateway.

Use undo mac-forced-forwarding to disable MFF.

Syntax

mac-forced-forwarding default-gateway gateway-ip

undo mac-forced-forwarding

Default

MFF is disabled.

Views

VLAN view

Predefined user roles

network-admin

Parameters

default-gateway gateway-ip: Specifies the IP address of the default gateway.

Usage guidelines

For MFF to take effect, make sure ARP snooping is enabled on the VLAN where MFF is enabled.

For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured. MFF checks for and denies only all-zero and all-one gateway IP addresses.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable MFF for VLAN 2 and specify the IP address of the default gateway.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] mac-forced-forwarding default-gateway 1.1.1.1

Related commands

mac-forced-forwarding server

mac-forced-forwarding gateway probe

Use mac-forced-forwarding gateway probe to enable periodic gateway probe.

Use undo mac-forced-forwarding gateway probe to disable periodic gateway probe.

Syntax

mac-forced-forwarding gateway probe

undo mac-forced-forwarding gateway probe

Default

Periodic gateway probe is disabled.

Views

VLAN view

Predefined user roles

network-admin

Usage guidelines

Make sure you have enabled MFF before enabling periodic gateway probe. The probe interval is 30 seconds.

Examples

# Enable periodic gateway probe.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] mac-forced-forwarding gateway probe

Related commands

mac-forced-forwarding

mac-forced-forwarding network-port

Use mac-forced-forwarding network-port to configure the Ethernet port as a network port.

Use undo mac-forced-forwarding network-port to restore the default.

Syntax

mac-forced-forwarding network-port

undo mac-forced-forwarding network-port

Default

The Ethernet port is a user port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

You should configure the following ports as network ports:

· Upstream ports connected to a gateway.

· Ports connected to the MFF devices in a cascaded network (a network with multiple MFF devices connected to one another).

· Ports between devices in a ring network.

You can configure multiple ports as network ports.

You can configure a port as a network port regardless of whether MFF is enabled for the VLAN of the port. However, the configuration takes effect only after MFF is enabled.

Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN. To cancel the network port configuration of a link aggregation member port in an MFF-enabled VLAN, remove the network port from the link aggregation group first. For more information about link aggregation, see Layer 2—LAN Switching Configuration Guide.

Examples

# Configure Twenty-FiveGigE 1/0/1 as a network port.

<Sysname> system-view

[Sysname] interface twenty-fivegige 1/0/1

[Sysname-Twenty-FiveGigE1/0/1] mac-forced-forwarding network-port

Related commands

mac-forced-forwarding

mac-forced-forwarding server

Use mac-forced-forwarding server to specify the IP addresses of servers.

Use undo mac-forced-forwarding server to remove server IP addresses.

Syntax

mac-forced-forwarding server server-ip&<1-10>

undo mac-forced-forwarding server server-ip&<1-10>

Default

No server IP address is specified.

Views

VLAN view

Predefined user roles

network-admin

Parameters

server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses.

Usage guidelines

You need to maintain a server list on the MFF device to ensure communication between the servers and clients.

Server IP addresses can be those of the interfaces on a router in a VRRP group and those of the servers collaborating with MFF, such as a RADIUS server.

When the MFF device receives an ARP request from a server, it searches the IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server.

In this way, packets from the server to a host are not forwarded by the gateway. However, packets from a host to the server are forwarded by the gateway.

MFF does not check whether the IP address of a server is on the same network segment as that of a gateway. Instead, it checks whether the IP address of a server is all-zero or all-one. An all-zero or all-one server IP address is invalid.

Make sure MFF is enabled before you execute the mac-forced-forwarding server command.

Examples

# Specify the server at 192.168.1.100.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] mac-forced-forwarding server 192.168.1.100

Related commands

mac-forced-forwarding
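
Added example (not part of the H3C reference): a Python audit of the two display commands' output. It flags a gateway shown as N/A, gateway or server addresses outside the VLAN's subnet (which MFF itself does not check), and network ports that are not on an intended list. The sample output, the subnet, the expected port list, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample output in the format shown in the Examples sections above.
VLAN_OUTPUT = """\
VLAN 2
Gateway:
--------------------------------------------------------------------------
192.168.1.42         000f-e200-8046
Server:
--------------------------------------------------------------------------
192.168.1.48         192.168.1.49         10.9.9.9
"""
PORT_OUTPUT = """\
Network Port:
WGE1/0/1                  WGE1/0/2
User Port:
WGE1/0/3                  WGE1/0/4                  WGE1/0/5
"""

def sections(text):
    """Split display output into {header: [tokens]}, e.g. 'Gateway', 'Server'."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:   # skip blanks and separator rules
            continue
        if line.endswith(":"):
            current = line[:-1]
            out[current] = []
        elif current is not None:             # lines before a header (VLAN 2) are ignored
            out[current].extend(line.split())
    return out

def audit(vlan_text, port_text, subnet, expected_network_ports):
    """Return a list of findings; an empty list means the output matches intent."""
    findings = []
    vlan, ports = sections(vlan_text), sections(port_text)
    net = ipaddress.ip_network(subnet)        # assumption: operator supplies the VLAN subnet
    gateway = vlan.get("Gateway", [])
    if not gateway or "N/A" in gateway:
        findings.append("gateway address not learned (N/A)")
    elif ipaddress.ip_address(gateway[0]) not in net:
        findings.append(f"gateway {gateway[0]} outside {net}")
    for ip in vlan.get("Server", []):
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"server {ip} outside {net}")
    extra = set(ports.get("Network Port", [])) - set(expected_network_ports)
    findings.extend(f"unexpected network port {p}" for p in sorted(extra))
    return findings
```

Calling `audit(VLAN_OUTPUT, PORT_OUTPUT, "192.168.1.0/24", ["WGE1/0/1"])` on the constructed sample reports the off-subnet server and the unlisted network port.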