14-MFF commands
Contents
display mac-forced-forwarding interface
display mac-forced-forwarding vlan
mac-forced-forwarding gateway probe
mac-forced-forwarding network-port
display mac-forced-forwarding interface
Use display mac-forced-forwarding interface to display MFF port configuration.
Syntax
display mac-forced-forwarding interface
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display MFF port configuration.
<Sysname> display mac-forced-forwarding interface
Network Port:
FGE1/1/1 FGE1/1/2
User Port:
FGE1/1/3 FGE1/1/4 FGE1/1/5
FGE1/1/6 FGE1/1/7 FGE1/1/8
FGE1/1/9 FGE1/1/10 FGE1/1/11
FGE1/1/11 FGE1/1/12 FGE1/1/13
FGE1/1/14 FGE1/1/15 FGE1/1/16
FGE1/1/17 FGE1/1/18 FGE1/1/19
FGE1/1/20 FGE1/1/21 FGE1/1/22
FGE1/1/23 FGE1/1/24 FGE1/1/25
FGE1/1/26 FGE1/1/27 FGE1/1/28
FGE1/1/29 FGE1/1/30 FGE1/1/31
FGE1/1/32
Table 1 Command output
Field | Description |
---|---|
Network Port | List of network ports. |
User Port | List of user ports. |
Related commands
mac-forced-forwarding network-port
display mac-forced-forwarding vlan
Use display mac-forced-forwarding vlan to display the MFF configuration for a VLAN.
Syntax
display mac-forced-forwarding vlan vlan-id
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vlan-id: Specifies a VLAN by its number.
Examples
# Display the MFF configuration for VLAN 2.
<Sysname> display mac-forced-forwarding vlan 2
VLAN 2
Mode: Manual/Single
Gateway:
--------------------------------------------------------------------------
192.168.1.42 000f-e200-8046
Server:
--------------------------------------------------------------------------
192.168.1.48 192.168.1.49
Table 2 Command output
Field | Description |
---|---|
ID of the VLAN to which the gateways belong, such as VLAN 2. | |
Mode | MFF operating mode: manual (Manual) and single-gateway (Single). |
Gateway | IP and MAC addresses of gateways. If no address is learned, this field displays N/A. |
Server | Server IP addresses. |
Related commands
· mac-forced-forwarding
· mac-forced-forwarding server
mac-forced-forwarding
Use mac-forced-forwarding to enable MFF in manual mode and specify a default gateway.
Use undo mac-forced-forwarding to disable MFF.
Syntax
mac-forced-forwarding default-gateway gateway-ip
undo mac-forced-forwarding
Default
MFF is disabled.
Views
VLAN view
Predefined user roles
network-admin
Parameters
default-gateway gateway-ip: Specifies the IP address of the default gateway in the manual mode.
Usage guidelines
For MFF to take effect in manual mode, make sure ARP snooping is enabled on the device.
For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured. MFF checks for and denies only all-zero and all-one IP addresses as gateway addresses.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable MFF in the manual mode for VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding default-gateway 10.1.1.10
Related commands
mac-forced-forwarding server
mac-forced-forwarding gateway probe
Use mac-forced-forwarding gateway probe to enable periodic gateway MAC address probe.
Use undo mac-forced-forwarding gateway probe to restore the default.
Syntax
mac-forced-forwarding gateway probe
undo mac-forced-forwarding gateway probe
Default
Periodic gateway MAC address probe is disabled.
Views
VLAN view
Predefined user roles
network-admin
Usage guidelines
Make sure you have enabled MFF before enabling periodic gateway MAC address probe.
The probe interval is 30 seconds, and the periodic probe is supported in manual mode.
Examples
# Enable periodic gateway MAC address probe.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding gateway probe
Related commands
mac-forced-forwarding
mac-forced-forwarding network-port
Use mac-forced-forwarding network-port to configure the Ethernet port as a network port.
Use undo mac-forced-forwarding network-port to restore the default.
Syntax
mac-forced-forwarding network-port
undo mac-forced-forwarding network-port
Default
The port is a user port.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
You should configure the following ports as network ports:
· Upstream ports connected to a gateway.
· Ports connected to the MFF devices in a cascaded network (a network with multiple MFF devices connected to one another).
· Ports between devices in a ring network.
You can configure multiple ports as network ports.
You can configure a port as a network port regardless of whether MFF is enabled for the VLAN of the port. However, the configuration takes effect only after MFF is enabled.
Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN. To cancel the network port configuration of a link aggregation member port in an MFF-enabled VLAN, remove the network port from the link aggregation group first. For more information about link aggregation, see Layer 2—LAN Switching Configuration Guide.
Examples
# Configure FortyGigE 1/1/1 as a network port.
<Sysname> system-view
[Sysname] interface fortygige 1/1/1
[Sysname-FortyGigE1/1/1] mac-forced-forwarding network-port
Related commands
mac-forced-forwarding
mac-forced-forwarding server
Use mac-forced-forwarding server to specify the IP addresses of servers.
Use undo mac-forced-forwarding server to remove the specified or all server IP addresses.
Syntax
mac-forced-forwarding server server-ip&<1-10>
undo mac-forced-forwarding server server-ip&<1-10>
Default
No server IP address is specified.
Views
VLAN view
Predefined user roles
network-admin
Parameters
server-ip&<1-10>: Specifies a space-separated list of up to 10 server IP addresses.
Usage guidelines
You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
Specify the IP addresses of the following items if they are in the network:
· Servers providing some other service.
· Interfaces on a router in a VRRP group.
When the MFF device receives an ARP request from a server, it searches the IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server. In this way, packets from the server to a host are not forwarded by the gateway. However, packets from a host to the server are forwarded by the gateway.
MFF does not check whether the IP address of a server is on the same network segment as that of a gateway. Instead, it checks whether the IP address of a server is all-zero or all-one. An all-zero or all-one server IP address is invalid.
Make sure MFF is enabled before you execute the mac-forced-forwarding server command.
Examples
# Specify the server at 192.168.1.100.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding server 192.168.1.100
Related commands
mac-forced-forwarding
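Because MFF rejects only all-zero and all-one addresses and does not check that a server is on the gateway's network segment, that check is left to the operator. The Python script below is an added example (not vendor code) that parses display mac-forced-forwarding vlan output and reports servers outside the gateway subnet and gateways whose MAC address has not been learned. The function names, the operator-supplied prefix length, and the assumption that an unlearned address appears as the token N/A are not from this reference.

```python
import ipaddress
import re
# Constructed sample (page's VLAN 2 layout); the second server is off-subnet.
SAMPLE = """\
VLAN 2
Mode: Manual/Single
Gateway:
--------------------------------------------------------------------------
192.168.1.42 000f-e200-8046
Server:
--------------------------------------------------------------------------
192.168.1.48 192.168.2.49
"""
MAC_RE = re.compile(r"[0-9a-f]{4}(-[0-9a-f]{4}){2}", re.I)

def parse_mff_vlan(text):
    """Parse the display output. Assumption: an unlearned MAC prints as N/A."""
    cfg = {"vlan": None, "mode": None, "gateways": [], "servers": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # blank line or dashed separator
        if line.startswith("VLAN "):
            cfg["vlan"] = int(line.split()[1])
        elif line.startswith("Mode:"):
            cfg["mode"] = line.split(":", 1)[1].strip()
        elif line in ("Gateway:", "Server:"):
            section = line[:-1]
        elif section == "Gateway":
            tok = line.split()
            mac = tok[1] if len(tok) > 1 and MAC_RE.fullmatch(tok[1]) else None
            cfg["gateways"].append((tok[0], mac))
        elif section == "Server":
            cfg["servers"].extend(line.split())
    return cfg

def audit(cfg, prefix_len):
    """Return findings; prefix_len (the VLAN's mask length) is operator input."""
    findings = [f"gateway {ip}: MAC not learned"
                for ip, mac in cfg["gateways"] if mac is None]
    nets = [ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip, _ in cfg["gateways"] if ip != "N/A"]
    for srv in cfg["servers"]:
        if nets and not any(ipaddress.ip_address(srv) in n for n in nets):
            findings.append(f"server {srv}: outside gateway subnet")
    return findings

if __name__ == "__main__":
    print(audit(parse_mff_vlan(SAMPLE), 24))
```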