
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.

Principles

This section describes the implementation of MFF.

MFF Principle

Implementation

Figure 12-30 demonstrates MFF implementation on an Ethernet network where the gateway performs unified network management and accounting. MFF is enabled on the Ethernet Access Node (EAN) so that user traffic passes through the gateway before being forwarded to other users at Layer 3. This isolates users at Layer 2 and implements traffic monitoring and accounting.

MFF uses the proxy ARP mechanism to reduce the number of broadcast packets exchanged between the network and users, which in turn provides Layer 2 isolation between users while preserving Layer 3 communication between them. For details about proxy ARP, see the description of the proxy ARP function under "MFF Functions" below.

Figure 12-30 MFF application scenario

Interface Roles

Two types of interfaces are available on an MFF-enabled device: user interface and network interface.

A user interface connects to user terminals and processes different packets as follows:

  • Discards IGMP Query messages and permits other IGMP protocol packets and DHCP packets to pass through.
  • Sends ARP packets to the CPU for processing.
  • Forwards only unicast packets whose destination MAC address is the learned gateway MAC address, and discards all other unicast packets. If the gateway MAC address has not been learned yet, the user interface also discards unicast packets destined for the gateway.
  • Rejects multicast and broadcast data packets.

A network interface connects to another network device such as an access switch, aggregation switch, or gateway and processes different packets as follows:

  • Permits multicast and DHCP packets to pass through.
  • Sends ARP packets to the CPU for processing.
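The two interface roles above can be summarized as a packet-handling decision per role. The following is an added example, not code from the Huawei documentation: it models a packet by its protocol type and destination MAC address and returns the action the role takes. The protocol labels, the gateway MAC address, and the choice to forward all other unicast traffic on a network interface are assumptions made for the illustration.

```python
# Added example (not Huawei's code): per-interface-role packet handling on an
# MFF-enabled device, as described in "Interface Roles".
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
GATEWAY_MAC = "00:11:22:33:44:01"   # constructed gateway MAC for the demo


@dataclass
class Packet:
    proto: str      # "arp", "igmp_query", "igmp", "dhcp" or "ipv4" (assumed labels)
    dst_mac: str    # destination MAC address


def is_multicast(mac: str) -> bool:
    """A MAC whose first octet has the low bit set is a group address; broadcast
    (ff:ff:ff:ff:ff:ff) is the all-ones special case of that group bit."""
    return int(mac.split(":")[0], 16) & 1 == 1


def user_interface_action(pkt: Packet, gateway_mac: Optional[str]) -> str:
    """gateway_mac is the learned gateway MAC, or None if it is not learned yet."""
    if pkt.proto == "arp":
        return "to_cpu"                 # ARP is always handled by the CPU
    if pkt.proto == "igmp_query":
        return "discard"                # queries are not accepted from users
    if pkt.proto in ("igmp", "dhcp"):
        return "permit"                 # other IGMP and DHCP pass through
    if is_multicast(pkt.dst_mac):
        return "discard"                # multicast and broadcast data are rejected
    if gateway_mac is not None and pkt.dst_mac == gateway_mac:
        return "forward"                # the only unicast that leaves the user side
    return "discard"                    # peer-to-peer unicast, or gateway MAC unknown


def network_interface_action(pkt: Packet) -> str:
    if pkt.proto == "arp":
        return "to_cpu"
    if pkt.proto == "dhcp" or is_multicast(pkt.dst_mac):
        return "permit"
    return "forward"                    # assumption: remaining traffic is forwarded normally
```

The "discard" result for a unicast packet addressed to another user's MAC is the Layer 2 isolation in practice: even a user that somehow learned a neighbour's real MAC cannot reach it without going through the gateway.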

MFF Functions

MFF provides the following functions: obtaining gateway and user information, proxy ARP, gateway detection, application server access, user online status detection, isolated interface, and MFF security.

  • Obtaining gateway and user information

    Users can be allocated static IP addresses or dynamically obtain IP addresses using DHCP. Accordingly, an MFF-enabled device can obtain a manually configured gateway IP address or dynamically obtain a gateway IP address using DHCP snooping.

    • Manually configured gateway IP address

      If the IP addresses of users are manually assigned, the MFF-enabled device cannot obtain the gateway IP address through DHCP packets; therefore, the gateway IP address needs to be manually configured on the MFF-enabled device. After an IP address is configured for a static gateway (gateway of static users), the MFF-enabled device captures the ARP request packets of online users at the user side to trigger or update the MFF entries carrying user information. If the MFF-enabled device receives an ARP request packet without learning the gateway MAC address, the MFF-enabled device does not forward this ARP request packet. Instead, the MFF-enabled device sends an ARP request packet with the user's IP address and MAC address as source information to the gateway, and learns the gateway MAC address from the ARP reply packet returned by the gateway.

    • Gateway IP address dynamically obtained using DHCP snooping

      If the IP addresses of users are dynamically allocated through DHCP, the MFF-enabled device obtains the user's IP address and MAC address from the DHCP snooping table and parses the option 121 or option 3 field in the DHCP ACK packets sent by the network interface to obtain the gateway IP address. The MFF-enabled device then sends an ARP request packet with the user's IP address and MAC address as source information to the gateway, and learns the gateway MAC address from the ARP reply packet returned by the gateway.

      By default, after learning multiple gateway MAC addresses, the MFF-enabled device uses the first one learned to respond to ARP request packets from users. As a result, ARP request packets are sent to the first gateway.

  • Proxy ARP

    The MFF-enabled device captures the ARP request packets from users, and sends an ARP reply packet with the gateway MAC address as the source MAC address. This ensures that all users map the gateway MAC address to the gateway IP address in their ARP tables so that all the packets from the users are destined for the gateway. The gateway can monitor traffic and perform accounting, and network security is also enhanced.

    When receiving an ARP request packet that a gateway sends to request a user MAC address, the MFF-enabled device responds with the MAC address.

  • Gateway detection

    To detect changes in the gateway MAC address, MFF supports timed gateway detection. After the detection function is enabled, the MFF-enabled device scans recorded gateway information every 30 seconds. For each gateway recorded, the MFF-enabled device uses user information to construct an ARP request packet and sends it to the network interface. The MFF-enabled device then learns the gateway MAC address from the ARP reply packet. If the gateway MAC address changes, the MFF-enabled device immediately updates the gateway information and broadcasts gratuitous ARP packets to users so that they can update the gateway address.

    If no user exists in a VLAN, the MFF-enabled device does not send any ARP request packet to the gateway until a user goes online.

  • Application server access

    In addition to the gateway, a network may deploy application servers such as the DHCP, multicast, or another server, as illustrated in Figure 12-31. When users access an application server whose IP address is not specified on the MFF-enabled device, the MFF-enabled device forwards user traffic to the gateway. The gateway then forwards it to the application server. This increases uplink traffic, consumes bandwidth, and wastes forwarding resources on the gateway.

    To address this problem, specify IP addresses of application servers on the MFF-enabled device and set up a list of them. When receiving an ARP request packet from a user, the MFF-enabled device sends an ARP reply packet with the application server MAC address as the source address. When receiving an ARP request packet from an application server, the MFF-enabled device sends an ARP reply packet with the requested user MAC address. In this way, users directly communicate with application servers at Layer 2.

    Figure 12-31 Accessing the application server on a network
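The four functions above (obtaining gateway and user information, proxy ARP, gateway detection, and application server access) all act on the same small ARP state. The following is an added example, not code from the Huawei documentation, that models an MFF-enabled device as a class holding the gateway IP address, the learned gateway MAC address, the application server list, and the MFF user entries, and returns the ARP packets it would transmit for each received packet. The ARP field names, the IP and MAC addresses, and the choice that a proxy reply resolves the requested IP address itself to the gateway MAC are assumptions of the model; the 30-second timer is replaced by an explicit gateway_detection() call.

```python
# Added example (not Huawei's code): an MFF-enabled device learning the gateway
# MAC, answering user ARP requests by proxy, re-checking the gateway, and letting
# users reach listed application servers at Layer 2.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Arp:
    op: str                                   # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "00:00:00:00:00:00"


Tx = Tuple[str, Arp]                          # (interface role to send on, packet)


@dataclass
class MffDevice:
    gateway_ip: str                                             # configured, or from DHCP option 3/121
    app_servers: Set[str] = field(default_factory=set)          # configured application server IPs
    gateway_mac: Optional[str] = None
    server_macs: Dict[str, str] = field(default_factory=dict)   # server IP -> learned MAC
    users: Dict[str, str] = field(default_factory=dict)         # MFF entries: user IP -> MAC

    def on_user_arp_request(self, pkt: Arp) -> List[Tx]:
        """ARP request from a user interface: snoop the sender, then answer by proxy."""
        self.users[pkt.sender_ip] = pkt.sender_mac              # create or refresh the MFF entry
        if pkt.target_ip in self.app_servers:
            if pkt.target_ip not in self.server_macs:
                # Resolve the listed server once, using the user's identity as source.
                return [("network", Arp("request", pkt.sender_ip, pkt.sender_mac, pkt.target_ip))]
            # Listed server: reply with the server MAC so the user talks to it directly.
            return [("user", Arp("reply", pkt.target_ip, self.server_macs[pkt.target_ip],
                                 pkt.sender_ip, pkt.sender_mac))]
        if self.gateway_mac is None:
            # Gateway MAC not learned: the request is not forwarded; instead the device
            # queries the gateway with the user's IP/MAC as the source.
            return [("network", Arp("request", pkt.sender_ip, pkt.sender_mac, self.gateway_ip))]
        # Proxy ARP: any other request is answered with the gateway MAC, so the user's
        # traffic for that IP goes to the gateway (assumption: reply is for the requested IP).
        return [("user", Arp("reply", pkt.target_ip, self.gateway_mac, pkt.sender_ip, pkt.sender_mac))]

    def on_network_arp(self, pkt: Arp) -> List[Tx]:
        """ARP packet from a network interface (gateway or application server side)."""
        if pkt.op == "reply" and pkt.sender_ip == self.gateway_ip:
            changed = self.gateway_mac is not None and self.gateway_mac != pkt.sender_mac
            self.gateway_mac = pkt.sender_mac
            if changed:
                # Gateway detection found a new MAC: send users a gratuitous ARP.
                return [("user", Arp("request", self.gateway_ip, self.gateway_mac, self.gateway_ip))]
            return []
        if pkt.op == "reply" and pkt.sender_ip in self.app_servers:
            self.server_macs[pkt.sender_ip] = pkt.sender_mac
            return []
        if pkt.op == "request" and pkt.target_ip in self.users:
            # The gateway or a server asks for a user's MAC: answer on the user's behalf.
            return [("network", Arp("reply", pkt.target_ip, self.users[pkt.target_ip],
                                    pkt.sender_ip, pkt.sender_mac))]
        return []

    def gateway_detection(self) -> List[Tx]:
        """Timed check (every 30 s on the real device): re-query the gateway with a known
        user's identity as source; nothing is sent while no user is online."""
        if not self.users:
            return []
        ip, mac = next(iter(self.users.items()))
        return [("network", Arp("request", ip, mac, self.gateway_ip))]


def demo() -> dict:
    """Walk through the exchange with constructed addresses and return what was sent."""
    dev = MffDevice(gateway_ip="10.0.0.1", app_servers={"10.0.0.50"})
    user_a = Arp("request", "10.0.0.10", "00:aa:00:00:00:0a", "10.0.0.11")     # UserA asks for UserB
    first = dev.on_user_arp_request(user_a)                                    # gateway MAC unknown
    dev.on_network_arp(Arp("reply", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.10", "00:aa:00:00:00:0a"))
    second = dev.on_user_arp_request(user_a)                                   # proxy reply now
    gw_asks = dev.on_network_arp(Arp("request", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.10"))
    dev.on_user_arp_request(Arp("request", "10.0.0.10", "00:aa:00:00:00:0a", "10.0.0.50"))
    dev.on_network_arp(Arp("reply", "10.0.0.50", "00:55:00:00:00:50", "10.0.0.10", "00:aa:00:00:00:0a"))
    server = dev.on_user_arp_request(Arp("request", "10.0.0.10", "00:aa:00:00:00:0a", "10.0.0.50"))
    moved = dev.on_network_arp(Arp("reply", "10.0.0.1", "00:11:22:33:44:02", "10.0.0.10", "00:aa:00:00:00:0a"))
    return {"first": first, "second": second, "gw_asks": gw_asks, "server": server,
            "moved": moved, "detect": dev.gateway_detection()}
```

Note that UserA's request for UserB's address never reaches UserB in this model: the device answers it with the gateway MAC, which is what forces UserA's traffic for UserB through the gateway where it can be monitored and accounted.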

  • User online status detection

    If the gateway performs accounting for users based on the online duration, the gateway must know whether a user is online at a specified moment. By default, an MFF-enabled device always sends ARP reply packets in response to ARP request packets sent from the gateway. As a result, the gateway always considers users online even if they have gone offline. To solve this problem, configure the MFF-enabled device to transparently transmit ARP request packets sent from the gateway to the user. The MFF-enabled device then does not respond to these ARP packets. If the gateway does not receive an ARP reply packet from a user, the gateway considers that the user has gone offline.

  • Isolated interface

    In Figure 12-32, UserA and UserB connect to the network through an interface on SwitchB. When UserA sends an ARP request packet to request the MAC address of UserB, the ARP request packet is broadcast to both SwitchB and UserB. If SwitchB sends an ARP reply packet with the gateway MAC address to UserA, UserA receives two ARP reply packets. If the two ARP reply packets conflict, UserA may learn an incorrect ARP entry for UserB. The MFF-enabled device can perform an interface consistency check on ARP request packets to solve this problem. If the interface that receives an ARP request packet is the same as the interface connected to the user with the requested address, the MFF-enabled device discards the ARP request packet.

    Figure 12-32 Sharing an access link

    In a data center that deploys server virtualization, multiple virtual machines (VMs) in a physical server may belong to the same VLAN and require Layer 2 isolation. The VMs connect to the same user interface on the MFF-enabled device and share an access link. Services on the VMs are often isolated, so the MFF-enabled device must function as an agent for the VMs and respond to their ARP request packets to ensure Layer 3 communication among the VMs. Because such a request arrives on the same interface that connects to the requested VM, the interface consistency check would discard it.

    To address this problem, the MFF-enabled device provides the isolated interface function. After an isolated interface is configured, the MFF-enabled device does not perform the interface consistency check on ARP request packets received from this interface and consequently responds to them directly with ARP reply packets.

  • MFF security

    An MFF-enabled device may learn information about some users through ARP snooping. If these users send forged ARP request packets to the MFF-enabled device, the MFF-enabled device learns information about a large number of nonexistent users. This wastes device resources and prevents the MFF-enabled device from learning information about authorized users and processing their legitimate services.

    You can disable dynamic user learning for ARP snooping to prevent the MFF-enabled device from learning information about unauthorized users. Another solution is to set the maximum number of users in a VLAN low enough to prevent unauthorized access; this works because the number of DHCP users or static users on a network does not change greatly.
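The isolated interface function and the two MFF security measures are all checks applied to a user ARP request before the device snoops the sender and replies by proxy. The following is an added example, not code from the Huawei documentation, that combines them: the interface consistency check with its isolated-interface exemption (from "Isolated interface"), and the per-VLAN user cap and the dynamic-learning switch (from "MFF security"). The interface names, addresses, the cap value, and the decision to drop a request from an unknown sender when dynamic learning is disabled are assumptions of the example.

```python
# Added example (not Huawei's code): admission checks on a user ARP request in
# an MFF-enabled device, covering the interface consistency check, isolated
# interfaces, the per-VLAN user limit and disabling dynamic user learning.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class UserEntry:
    mac: str
    interface: str
    vlan: int


@dataclass
class MffAdmission:
    max_users_per_vlan: int = 4                       # assumption: a configured per-VLAN cap
    dynamic_learning: bool = True                     # ARP-snooping user learning on/off
    isolated_interfaces: Set[str] = field(default_factory=set)
    users: Dict[str, UserEntry] = field(default_factory=dict)   # user IP -> entry

    def vlan_user_count(self, vlan: int) -> int:
        return sum(1 for u in self.users.values() if u.vlan == vlan)

    def admit(self, sender_ip: str, sender_mac: str, target_ip: str,
              interface: str, vlan: int) -> str:
        """Decide what happens to a user ARP request. Returns 'reply' (the device
        will answer by proxy) or a 'discard: ...' reason."""
        # Interface consistency check: if the requested user is behind the same
        # interface the request arrived on, that user answers directly and a proxy
        # reply would conflict with it, so the request is discarded. Isolated
        # interfaces (VMs sharing one access link) are exempt from the check.
        target = self.users.get(target_ip)
        if (interface not in self.isolated_interfaces and target is not None
                and target.interface == interface):
            return "discard: requester and target share the interface"
        # Learn the sender, subject to the MFF security limits.
        if sender_ip not in self.users:
            if not self.dynamic_learning:
                # Only pre-provisioned users are known. Assumption for the example:
                # a request from an unknown sender is dropped rather than answered.
                return "discard: unknown user and dynamic learning is disabled"
            if self.vlan_user_count(vlan) >= self.max_users_per_vlan:
                return "discard: user limit reached in VLAN %d" % vlan
            self.users[sender_ip] = UserEntry(sender_mac, interface, vlan)
        return "reply"


def demo() -> dict:
    """Constructed scenario: shared link, isolated interface, forged-request burst."""
    dev = MffAdmission(max_users_per_vlan=4, isolated_interfaces={"GE0/0/2"})
    # UserA and UserB share the non-isolated interface GE0/0/1 in VLAN 10.
    dev.admit("10.0.10.11", "00:aa:00:00:00:0b", "10.0.10.1", "GE0/0/1", 10)            # UserB learned
    shared = dev.admit("10.0.10.10", "00:aa:00:00:00:0a", "10.0.10.11", "GE0/0/1", 10)  # UserA asks for UserB
    # Two VMs share the isolated interface GE0/0/2 in VLAN 20.
    dev.admit("10.0.20.21", "00:bb:00:00:00:15", "10.0.20.1", "GE0/0/2", 20)
    vm = dev.admit("10.0.20.22", "00:bb:00:00:00:16", "10.0.20.21", "GE0/0/2", 20)
    # A burst of ARP requests from 20 made-up senders in VLAN 10: the cap holds,
    # so the device does not fill its tables with nonexistent users.
    flood = [dev.admit("10.0.10.%d" % i, "00:de:ad:00:00:%02x" % i, "10.0.10.1", "GE0/0/1", 10)
             for i in range(100, 120)]
    admitted = sum(1 for r in flood if r == "reply")
    # With dynamic learning off, an unknown sender is no longer learned at all.
    dev.dynamic_learning = False
    static_only = dev.admit("10.0.30.5", "00:cc:00:00:00:05", "10.0.30.1", "GE0/0/3", 30)
    return {"shared": shared, "vm": vm, "admitted": admitted,
            "vlan10_users": dev.vlan_user_count(10), "static_only": static_only}
```

The cap is effective precisely because, as the text notes, the number of legitimate DHCP or static users in a VLAN is stable: setting it just above that number leaves no room for forged entries without affecting real users.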

Updated: 2019-12-13

Document ID: EDOC1000041694

Views: 60255

Downloads: 3623

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next