
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This section provides several configuration examples of MFF.

Example for Configuring MFF to Implement Layer 2 Isolation and Layer 3 Connection of Users

Networking Requirements

As shown in Figure 12-34, a department of an enterprise uses SwitchA and SwitchB as the access devices of users, and SwitchC functions as the aggregation device. The administrator requires that users in VLAN 10 be isolated on the access devices and communicate with each other through the gateway. This allows the gateway to monitor user traffic. When a large number of users exist on the network, a DHCP server is deployed on the network to allocate IP addresses to the users. Forwarding too much traffic between the application server and users would overload the gateway. Therefore, the administrator configures the application server (DHCP server) to transparently transmit user traffic.

Figure 12-34 Networking diagram for MFF configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure DHCP snooping on SwitchA and SwitchB to provide dynamic user information such as IP address, MAC address, and VLAN to implement Layer 2 isolation and Layer 3 connection.

  2. Configure MFF on SwitchA and SwitchB to redirect user traffic to the gateway so that users are isolated at Layer 2 and communicate with each other at Layer 3 and the gateway can monitor user traffic.

  3. Configure the DHCP server address on SwitchA and SwitchB so that traffic from the DHCP server to users can be transparently transmitted at Layer 2. This relieves the load on the gateway.

  4. Configure transparent transmission of ARP request packets on SwitchA and SwitchB so that the gateway can detect the user status immediately.

Procedure

  1. Create VLANs and add interfaces to the VLANs.

    # Create VLAN 10 on SwitchA and add interfaces 10GE1/17/1, 10GE1/17/2, and 10GE1/17/3 to VLAN 10.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] vlan batch 10
    [*SwitchA] interface 10ge 1/17/1
    [*SwitchA-10GE1/17/1] port link-type access
    [*SwitchA-10GE1/17/1] port default vlan 10
    [*SwitchA-10GE1/17/1] quit
    
    [*SwitchA] interface 10ge 1/17/2
    [*SwitchA-10GE1/17/2] port link-type access
    [*SwitchA-10GE1/17/2] port default vlan 10
    [*SwitchA-10GE1/17/2] quit
    
    [*SwitchA] interface 10ge 1/17/3
    [*SwitchA-10GE1/17/3] port link-type trunk
    [*SwitchA-10GE1/17/3] port trunk allow-pass vlan 10
    [*SwitchA-10GE1/17/3] quit
    

    # Create VLAN 10 on SwitchB and add interfaces 10GE1/17/1, 10GE1/17/2, and 10GE1/17/3 to VLAN 10.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB
    [*HUAWEI] commit
    [~SwitchB] vlan batch 10
    [*SwitchB] interface 10ge 1/17/1
    [*SwitchB-10GE1/17/1] port link-type access
    [*SwitchB-10GE1/17/1] port default vlan 10
    [*SwitchB-10GE1/17/1] quit
    
    [*SwitchB] interface 10ge 1/17/2
    [*SwitchB-10GE1/17/2] port link-type access
    [*SwitchB-10GE1/17/2] port default vlan 10
    [*SwitchB-10GE1/17/2] quit
    
    [*SwitchB] interface 10ge 1/17/3
    [*SwitchB-10GE1/17/3] port link-type trunk
    [*SwitchB-10GE1/17/3] port trunk allow-pass vlan 10
    [*SwitchB-10GE1/17/3] quit
    

  2. Configure DHCP snooping.

    # Enable global DHCP snooping on SwitchA.

    [*SwitchA] dhcp enable
    [*SwitchA] dhcp snooping enable

    # All users are in VLAN 10, so enable DHCP snooping for VLAN 10 on SwitchA.

    [*SwitchA] vlan 10
    [*SwitchA-vlan10] dhcp snooping enable
    [*SwitchA-vlan10] quit
    

    # Configure 10GE1/17/3 on SwitchA as the trusted interface.

    [*SwitchA] interface 10ge 1/17/3 
    [*SwitchA-10GE1/17/3] dhcp snooping trusted
    [*SwitchA-10GE1/17/3] quit

    # Enable global DHCP snooping on SwitchB.

    [*SwitchB] dhcp enable
    [*SwitchB] dhcp snooping enable

    # All users are in VLAN 10, so enable DHCP snooping for VLAN 10 on SwitchB.

    [*SwitchB] vlan 10
    [*SwitchB-vlan10] dhcp snooping enable
    [*SwitchB-vlan10] quit
    

    # Configure 10GE1/17/3 on SwitchB as the trusted interface.

    [*SwitchB] interface 10ge 1/17/3 
    [*SwitchB-10GE1/17/3] dhcp snooping trusted
    [*SwitchB-10GE1/17/3] quit

  3. Configure basic MFF functions.

    # Enable global MFF on SwitchA.

    [*SwitchA] mac-forced-forwarding enable

    # Configure 10GE1/17/3 on SwitchA as a network interface.

    [*SwitchA] interface 10ge 1/17/3
    [*SwitchA-10GE1/17/3] mac-forced-forwarding network-port
    [*SwitchA-10GE1/17/3] quit

    # Enable MFF in VLAN 10 on SwitchA.

    [*SwitchA] vlan 10
    [*SwitchA-vlan10] mac-forced-forwarding enable

    # Configure timed gateway detection on SwitchA.

    [*SwitchA-vlan10] mac-forced-forwarding gateway-detect

    # Enable global MFF on SwitchB.

    [*SwitchB] mac-forced-forwarding enable

    # Configure 10GE1/17/3 on SwitchB as a network interface.

    [*SwitchB] interface 10ge 1/17/3
    [*SwitchB-10GE1/17/3] mac-forced-forwarding network-port
    [*SwitchB-10GE1/17/3] quit

    # Enable MFF in VLAN 10 on SwitchB.

    [*SwitchB] vlan 10
    [*SwitchB-vlan10] mac-forced-forwarding enable

    # Configure timed gateway detection on SwitchB.

    [*SwitchB-vlan10] mac-forced-forwarding gateway-detect

  4. Set the application server IP address.

    # Set the application server IP address on SwitchA.

    [*SwitchA-vlan10] mac-forced-forwarding server 10.1.1.2

    # Set the application server IP address on SwitchB.

    [*SwitchB-vlan10] mac-forced-forwarding server 10.1.1.2

  5. Configure transparent transmission of ARP request packets.

    # Configure SwitchA to transparently transmit ARP request packets.

    [*SwitchA-vlan10] mac-forced-forwarding user-detect transparent
    [*SwitchA-vlan10] quit
    [*SwitchA] commit
    [~SwitchA] quit

    # Configure SwitchB to transparently transmit ARP request packets.

    [*SwitchB-vlan10] mac-forced-forwarding user-detect transparent
    [*SwitchB-vlan10] quit
    [*SwitchB] commit
    [~SwitchB] quit

  6. Verify the configuration.

    # Run the display mac-forced-forwarding vlan 10 command to view the MFF configuration in VLAN 10.

    <SwitchB> display mac-forced-forwarding vlan 10
    Flags: S - static, D - dynamic      
    ---------------------------------------------------------------------------     
    Gateway detect         : enable                                                 
    Dynamic user learning  : enable                                                 
    User-detect transparent: enable                                                 
    Static gateway         : -                                                      
    Max user               : -                                                      
    Servers                : 10.1.1.2
                     
    ---------------------------------------------------------------------------
    Gateway IP      Gateway MAC
    ---------------------------------------------------------------------------
    10.1.1.1       3867-9a11-0111  
    10.1.1.2       3867-9a11-0112  
    ---------------------------------------------------------------------------
                                     
    ---------------------------------------------------------------------------
    User IP         User MAC        Gateway IP      Interface             Flags 
    ---------------------------------------------------------------------------
    10.1.1.10      0001-0001-0002   10.1.1.1       10GE1/17/2              D 
    ---------------------------------------------------------------------------
    MFF host total count = 1

    # After the gateway interface connected to SwitchC is shut down, users in VLAN 10 cannot ping each other. After the gateway interface is restored, users can ping each other again. This indicates that the users are isolated at Layer 2 and communicate with each other at Layer 3, so the MFF function has taken effect.

Configuration Files
  • Configuration file of SwitchA

    #
    sysname SwitchA
    #
    vlan batch 10
    #
    mac-forced-forwarding enable
    #
    dhcp enable
    #
    dhcp snooping enable
    #
    vlan 10
     dhcp snooping enable  
     mac-forced-forwarding enable
     mac-forced-forwarding user-detect transparent
     mac-forced-forwarding gateway-detect
     mac-forced-forwarding server 10.1.1.2
    #
    interface 10GE1/17/1
     port default vlan 10
    #
    interface 10GE1/17/2
     port default vlan 10
    #
    interface 10GE1/17/3
     port link-type trunk
     port trunk allow-pass vlan 10
     mac-forced-forwarding network-port
     dhcp snooping trusted
    #
    return
  • Configuration file of SwitchB

    #
    sysname SwitchB
    #
    vlan batch 10 
    #
    mac-forced-forwarding enable
    #
    dhcp enable
    #
    dhcp snooping enable
    #
    vlan 10
     dhcp snooping enable  
     mac-forced-forwarding enable
     mac-forced-forwarding user-detect transparent
     mac-forced-forwarding gateway-detect
     mac-forced-forwarding server 10.1.1.2
    #
    interface 10GE1/17/1
     port default vlan 10
    #
    interface 10GE1/17/2
     port default vlan 10
    #
    interface 10GE1/17/3
     port link-type trunk
     port trunk allow-pass vlan 10
     mac-forced-forwarding network-port
     dhcp snooping trusted
    #
    return
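
The roadmap makes MFF depend on DHCP snooping (for dynamic user entries) and on the uplink being both the DHCP-trusted interface and the MFF network port. The following Python check is an added example, not part of the Huawei guide; it audits a saved configuration file for those dependencies. The function names are hypothetical, the sample is SwitchA's file trimmed, and the rule that only the MFF network port may be DHCP-trusted is an assumption taken from this example's topology.

```python
# Constructed sample: SwitchA's configuration file from this page, trimmed.
SAMPLE = """\
mac-forced-forwarding enable
#
dhcp enable
#
dhcp snooping enable
#
vlan 10
 dhcp snooping enable
 mac-forced-forwarding enable
#
interface 10GE1/17/2
 port default vlan 10
#
interface 10GE1/17/3
 mac-forced-forwarding network-port
 dhcp snooping trusted
#
return
"""
GLOBAL = ("dhcp enable", "dhcp snooping enable", "mac-forced-forwarding enable")
PER_VLAN = ("dhcp snooping enable", "mac-forced-forwarding enable")
NETPORT = "mac-forced-forwarding network-port"

def parse_sections(cfg):
    """Map each top-level line (e.g. 'vlan 10') to its indented sub-commands."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            sections.setdefault(current, []).append(line.strip())
        elif line.strip() not in ("", "#", "return"):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_mff(cfg, vlan):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sections(cfg)
    vlan_cmds = s.get(f"vlan {vlan}", [])
    out = [f"global '{c}' missing" for c in GLOBAL if c not in s]
    out += [f"vlan {vlan}: '{c}' missing" for c in PER_VLAN if c not in vlan_cmds]
    ports = {k: v for k, v in s.items() if k.startswith("interface ")}
    if not any(NETPORT in v for v in ports.values()):
        out.append("no MFF network-port configured")
    # Assumption from this page's topology: only the uplink is DHCP-trusted.
    out += [f"{k}: DHCP-trusted but not an MFF network-port" for k, v in ports.items()
            if "dhcp snooping trusted" in v and NETPORT not in v]
    return out
```

Calling `audit_mff(SAMPLE, 10)` returns an empty list; a user-facing interface that carries `dhcp snooping trusted` is reported by name.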
    
Updated: 2019-08-09

Document ID: EDOC1000041694