Login
- Table of Contents
-
- 10-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-802.1X commands
- 03-MAC authentication commands
- 04-Portal commands
- 05-Port security commands
- 06-Password control commands
- 07-Public key management commands
- 08-SSL commands
- 09-PKI commands
- 10-IPsec commands
- 11-SSH commands
- 12-IP source guard commands
- 13-ARP attack protection commands
- 14-uRPF commands
- 15-FIPS commands
- 16-Attack detection and prevention commands
- 17-MACsec commands
- 18-MFF commands
- 19-ND attack defense commands
- 20-Keychain commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 18-MFF commands | 47.53 KB |
display mac-forced-forwarding interface
display mac-forced-forwarding vlan
mac-forced-forwarding gateway probe
mac-forced-forwarding network-port
MFF commands
display mac-forced-forwarding interface
Use display mac-forced-forwarding interface to display MFF port configuration information.
Syntax
display mac-forced-forwarding interface
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display MFF port configuration information.
<Sysname> display mac-forced-forwarding interface
Network Port:
GigabitEthernet1/0/1 GigabitEthernet1/0/2
User Port:
GigabitEthernet1/0/3 GigabitEthernet1/0/4
Table 1 Command output
|
Field |
Description |
|
Network Port |
List of network ports. |
|
User Port |
List of user ports. |
Related commands
mac-forced-forwarding network-port
display mac-forced-forwarding vlan
Use display mac-forced-forwarding vlan to display the MFF configuration information for a VLAN.
Syntax
display mac-forced-forwarding vlan vlan-id
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
vlan-id: Specifies a VLAN by its number.
Examples
# Display the MFF configuration information for VLAN 2.
<Sysname> display mac-forced-forwarding vlan 2
VLAN 2
Mode: Auto/Single
Gateway:
--------------------------------------------------------------------------
192.168.1.42 000f-e200-8046
Server:
--------------------------------------------------------------------------
192.168.1.48 192.168.1.49
Table 2 Command output
|
Field |
Description |
|
VLAN 2 |
ID of the VLAN to which the gateways belong. |
|
Mode |
MFF operating mode: automatic (Auto), manual (Manual), and single-gateway (Single). |
|
Gateway |
IP and MAC addresses of gateways. If no address is learned, this field displays N/A. |
|
Server |
Server IP addresses. |
Related commands
· mac-forced-forwarding
· mac-forced-forwarding server
mac-forced-forwarding
Use mac-forced-forwarding to enable MFF and specify an MFF operating mode. To enable the manual mode, you must specify a default gateway.
Use undo mac-forced-forwarding to disable MFF.
Syntax
mac-forced-forwarding { auto | default-gateway gateway-ip }
undo mac-forced-forwarding
Default
MFF is disabled.
Views
VLAN view
Predefined user roles
network-admin
mdc-admin
Parameters
auto: Specifies the automatic mode.
default-gateway gateway-ip: Specifies the IP address of the default gateway in the manual mode.
Usage guidelines
In MFF automatic mode, enable DHCP snooping on the device and configure DHCP snooping trusted ports.
In MFF manual mode, enable ARP snooping on the device.
For a network (or VLAN) with IP addresses manually configured, the gateway IP address must be manually configured. MFF checks for and denies only all-zero and all-one IP addresses as gateway addresses.
For a network (or VLAN) that allocates IP addresses to hosts through DHCP, the gateway IP address can be obtained in either of the following ways:
· Configured manually.
· Resolved from the Option field in the DHCP messages.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Enable MFF in the automatic mode for VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding auto
Related commands
mac-forced-forwarding server
mac-forced-forwarding gateway probe
Use mac-forced-forwarding gateway probe to enable periodic gateway MAC address probe.
Use undo mac-forced-forwarding gateway probe to restore the default.
Syntax
mac-forced-forwarding gateway probe
undo mac-forced-forwarding gateway probe
Default
Periodic gateway MAC address probe is disabled.
Views
VLAN view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Make sure you have enabled MFF before enabling periodic gateway MAC address probe.
The probe interval is 30 seconds, and the periodic probe is supported in both manual and automatic modes.
Examples
# Enable periodic gateway MAC address probe.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding gateway probe
Related commands
mac-forced-forwarding
mac-forced-forwarding network-port
Use mac-forced-forwarding network-port to configure the Ethernet port as a network port.
Use undo mac-forced-forwarding network-port to restore the default.
Syntax
mac-forced-forwarding network-port
undo mac-forced-forwarding network-port
Default
The Ethernet port is a user port.
Views
Layer 2 Ethernet interface view, Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
You should configure the following ports as network ports:
· Upstream ports connected to a gateway.
· Ports connected to the MFF devices in a cascaded network (a network with multiple MFF devices connected to one another).
· Ports between devices in a ring network.
You can configure multiple ports as network ports.
You can configure a port as a network port regardless of whether MFF is enabled for the VLAN of the port. However, the configuration takes effect only after MFF is enabled.
Link aggregation is supported by network ports in an MFF-enabled VLAN, but is not supported by user ports in the VLAN. To cancel the network port configuration of a link aggregation member port in a MFF-enabled VLAN, remove the network port from the link aggregation group first. For more information about link aggregation, see Layer 2—LAN Switching Configuration Guide.
Examples
# Configure GigabitEthernet 1/0/1 as a network port.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-forced-forwarding network-port
Related commands
mac-forced-forwarding
mac-forced-forwarding server
Use mac-forced-forwarding server to specify the IP addresses of servers.
Use undo mac-forced-forwarding server to remove server IP addresses.
Syntax
mac-forced-forwarding server server-ip&<1-10>
undo mac-forced-forwarding server server-ip&<1-10>
Default
No server IP address is specified.
Views
VLAN view
Predefined user roles
network-admin
mdc-admin
Parameters
server-ip&<1-10>: Specifies the IP address of a server in the network. &<1-10> means you can specify a maximum of 10 server IP addresses in one command line.
Usage guidelines
You need to maintain a server list on the MFF device to ensure communication between the servers and clients.
Specify the IP addresses of the following items if they are in the network:
· DHCP servers.
· Servers providing some other service.
· Interfaces on a router in a VRRP group.
When the MFF device receives an ARP request from a server, it searches the IP-to-MAC address entries it has stored. Then the device replies with the requested MAC address to the server.
In this way, packets from the server to a host are not forwarded by the gateway. However, packets from a host to the server are forwarded by the gateway.
MFF does not check whether the IP address of a server is on the same network segment as that of a gateway. Instead, it checks whether the IP address of a server is all-zero or all-one. An all-zero or all-one server IP address is invalid.
You can use this command in either manual or automatic MFF mode.
Make sure MFF is enabled before you execute the mac-forced-forwarding server command.
Examples
# Specify the server at 192.168.1.100.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-forced-forwarding server 192.168.1.100
Related commands
mac-forced-forwarding
