Overview

MAC-forced forwarding (MFF) implements Layer 2 isolation and Layer 3 communication between hosts in the same broadcast domain.

An MFF-enabled device intercepts ARP requests and returns the MAC address of a gateway (or server) to the senders. In this way, the senders are forced to send packets to the gateway for traffic monitoring and attack prevention.

Figure 128: Network diagram for MFF

As shown in Figure 128, hosts are connected to Switch C (aggregation node) through Switch A and Switch B (Ethernet access nodes, EANs). The MFF-enabled EANs forward packets from the hosts to the gateway for further forwarding. The hosts, isolated at Layer 2, can communicate at Layer 3 without knowing each other's MAC addresses.
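The following check is an added example, not vendor code: it parses ARP frames captured on a host-facing port and reports any ARP reply whose sender MAC is not the gateway (or server) MAC, which would mean a host learned a peer's real MAC and Layer 2 isolation is not holding. The function names, addresses, and sample frames are constructed for illustration, and the frames are assumed to be untagged Ethernet carrying IPv4 ARP.

```python
import struct

ARP_ETHERTYPE, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the
    frame is truncated or is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])

def isolation_leaks(frames, allowed_macs):
    """List (claimed_ip, sender_mac) for every ARP reply that did not come
    from an allowed gateway/server MAC."""
    allowed = {m.lower() for m in allowed_macs}
    leaks = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp[0] == ARP_REPLY and arp[1] not in allowed:
            leaks.append((arp[2], arp[1]))
    return leaks

def _frame(op, sha, spa, tha, tpa, dst=None):
    """Build a constructed sample frame (test data only)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    eth = m(dst or tha) + m(sha) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + m(sha) + i(spa) + m(tha) + i(tpa)

# Constructed addresses from documentation ranges.
GATEWAY_MAC, HOST_A, HOST_B = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
SAMPLE = [
    # Host A asks for host B's address.
    _frame(ARP_REQUEST, HOST_A, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.11",
           dst="ff:ff:ff:ff:ff:ff"),
    # Expected with MFF: host B's IP is answered with the gateway MAC.
    _frame(ARP_REPLY, GATEWAY_MAC, "192.0.2.11", HOST_A, "192.0.2.10"),
    # Unexpected: host B's own MAC reached host A.
    _frame(ARP_REPLY, HOST_B, "192.0.2.11", HOST_A, "192.0.2.10"),
]
```

Calling `isolation_leaks(SAMPLE, [GATEWAY_MAC])` reports only the third frame; an empty result over a real capture is what a correctly isolating access switch should produce.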

MFF works with any of the following features to implement traffic filtering, Layer 2 isolation, and Layer 3 communication on the access switches:


NOTE:

An MFF-enabled device and a host cannot ping each other.