Overview
MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain.
An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.
Figure 128: Network diagram for MFF
As shown in Figure 128, hosts are connected to Switch C (aggregation node) through Switch A and Switch B (Ethernet access nodes, or EANs). The MFF-enabled EANs forward packets from the hosts to the gateway for further forwarding. The hosts, isolated at Layer 2, can communicate at Layer 3 without knowing each other's MAC addresses.
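The ARP interception described above, modeled as an added example (not code from this guide or from any device firmware): a host's ARP request for a peer is parsed, and the reply carries the gateway's MAC in place of the peer's. The function names, the documentation-range addresses, and the use of the gateway MAC as the reply's Ethernet source are assumptions of this sketch.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETH_ARP = 0x0806
# Ethernet header (dst, src, ethertype) followed by an IPv4-over-Ethernet ARP body:
# htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP (42 bytes in total).
FRAME = struct.Struct("!6s6sH" "HHBBH6s4s6s4s")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an Ethernet frame carrying one ARP message (IPs given as dotted strings)."""
    return FRAME.pack(eth_dst, eth_src, ETH_ARP, 1, 0x0800, 6, 4, op,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))

def mff_answer(frame, gateway_mac):
    """Return the ARP reply an MFF device would give to a host's ARP request,
    or None when the frame is not a well-formed IPv4 ARP request."""
    if len(frame) < FRAME.size:
        return None
    (_, _, etype, htype, ptype, hlen, plen, op,
     sha, spa, _, tpa) = FRAME.unpack(frame[:FRAME.size])
    if (etype, htype, ptype, hlen, plen, op) != (ETH_ARP, 1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    # Answer for the requested IP (tpa) but with the gateway's MAC, so the
    # requester addresses its frames to the gateway instead of to the peer.
    # Ethernet source = gateway MAC is an assumption of this sketch.
    return FRAME.pack(sha, gateway_mac, ETH_ARP, 1, 0x0800, 6, 4, ARP_REPLY,
                      gateway_mac, tpa, sha, spa)

def describe(frame):
    """Decode the ARP fields of a frame into a readable dict."""
    f = FRAME.unpack(frame[:FRAME.size])
    return {"op": f[7],
            "sender_mac": f[8].hex(":"), "sender_ip": socket.inet_ntoa(f[9]),
            "target_mac": f[10].hex(":"), "target_ip": socket.inet_ntoa(f[11])}

if __name__ == "__main__":
    # Constructed sample: Host A (192.0.2.10) asks who has Host B (192.0.2.20).
    host_a, gateway = mac("00:00:5e:00:53:0a"), mac("00:00:5e:00:53:01")
    request = build_arp(b"\xff" * 6, host_a, ARP_REQUEST,
                        host_a, "192.0.2.10", bytes(6), "192.0.2.20")
    print(describe(mff_answer(request, gateway)))
```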
MFF works with any of the following features to implement traffic filtering, Layer 2 isolation, and Layer 3 communication on the access switches:
DHCP snooping (see Layer 3—IP Services Configuration Guide)
ARP snooping (see Layer 3—IP Services Configuration Guide)
IP Source Guard (see "Configuring IP source guard")
ARP detection (see "Configuring ARP attack protection")
VLAN mapping (see Layer 2—LAN Switching Configuration Guide)
NOTE: An MFF-enabled device and a host cannot ping each other.