No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules The description covers configuration examples and function configurations.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


This section describes the definition, background, and functions of MFF.


MAC-Forced Forwarding (MFF) isolates users at Layer 2 and allows users to communicate with each other at Layer 3 in a broadcast domain.

MFF uses proxy Address Resolution Protocol (ARP) to capture ARP request packets from users and to send ARP reply packets with a gateway MAC address to users. All traffic is sent to the gateway to implement Layer 2 isolation and Layer 3 communication.


In many scenarios, the gateway monitors data traffic and isolates users.

Layer 2 isolation and Layer 3 communication between users can be implemented using Virtual Local Area Networks (VLANs), but this method has the following disadvantages:

  • Layer 2 isolation of multiple users requires a large number of VLANs.
  • Layer 3 communication requires that each VLAN be assigned an IP network segment and each VLANIF interface have an IP address. This wastes IP addresses.

Because MFF implements Layer 2 isolation and Layer 3 communication among users, it takes advantage of Ethernet broadcast domains and conserves IP addresses and VLANs. It also ensures that all traffic including traffic in the same subnet is sent to the gateway where data traffic can be monitored and malicious attacks between users prevented.


If the MFF module on the MFF-enabled device processes many ARP packets destined for other devices, the CPU burden is heavy. To solve the problem, configure ARP packet rate limiting globally, in a VLAN, or on an interface. For details, see Configuring Rate Limit on ARP Packets Globally, in a VLAN, or on an Interface.


  • Implements Layer 2 isolation and prevents malicious attacks.
  • Implements Layer 3 communication and enables the gateway to perform accounting.
  • Provides more stable services on a more secure network.
Updated: 2019-08-09

Document ID: EDOC1000041694

Views: 57195

Downloads: 3617

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next