
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring MFF

MFF isolates users at Layer 2 and connects users at Layer 3 in a broadcast domain.

Pre-configuration Tasks

If user IP addresses are assigned dynamically, before you configure basic MFF functions, complete the following tasks:

  • Enabling DHCP snooping
  • Configuring the trusted interface of DHCP snooping

Enabling Global MFF

Context

You can perform other MFF configurations only after enabling global MFF.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-forced-forwarding enable

    Global MFF is enabled.

    By default, global MFF is disabled.

  3. Run:

    commit

    The configuration is committed.

Configuring a Network Interface

Context

MFF takes effect in a VLAN only if at least one network interface belongs to that VLAN. Configure the interfaces connected to network devices as MFF network interfaces.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The view of the interface connected to a network device is displayed.

  3. Run:

    mac-forced-forwarding network-port

    The interface is configured as a network interface.

    By default, an interface is a user interface.

  4. Run:

    commit

    The configuration is committed.

Enabling MFF in a VLAN

Context

You can perform other MFF configurations in a VLAN only after enabling MFF in the VLAN.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    mac-forced-forwarding enable

    MFF is enabled in the VLAN.

    By default, MFF is disabled in a VLAN.

    NOTE:

    MFF cannot be enabled in a VLAN where the Super VLAN, Sub-VLAN, MUX VLAN, TRILL VLAN, TRILL CE VLAN, VLANIF interface, ARP fast reply, or Egress ARP Inspection (EAI) is configured.

  4. Run:

    commit

    The configuration is committed.

(Optional) Configuring a Static Gateway Address

Context

The static gateway is applicable when users have static IP addresses. When users are assigned IP addresses statically, the MFF-enabled device cannot dynamically obtain gateway information through DHCP packets. In this case, configure a static gateway address for each VLAN.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    mac-forced-forwarding static-gateway ip-address

    A static gateway IP address is configured.

    By default, no static gateway IP address is configured in a VLAN.

  4. Run:

    commit

    The configuration is committed.

(Optional) Enabling Timed Gateway Detection

Context

On a live network, services may be interrupted for a long time because the MFF-enabled device cannot immediately detect a change of the gateway MAC address. Timed gateway detection solves this problem. After the detection function is enabled, the MFF-enabled device scans the recorded gateway information every 30 seconds. For each recorded gateway, the MFF-enabled device uses user information to construct an ARP request packet and sends it to the network interface. The MFF-enabled device then learns the gateway MAC address from the ARP reply packet. If the gateway MAC address has changed, the MFF-enabled device immediately updates the gateway information and broadcasts gratuitous ARP packets to users so that they can update the gateway address.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    mac-forced-forwarding gateway-detect

    Timed gateway detection is enabled.

    By default, timed gateway detection is disabled.

  4. Run:

    commit

    The configuration is committed.

(Optional) Configuring the Application Server IP Address

Context

In addition to the gateway, application servers such as DHCP servers, multicast servers, or other servers may be deployed on a network. When users access an application server whose IP address is not specified on the MFF-enabled device, the MFF-enabled device forwards the traffic to the gateway, and the gateway then forwards it to the application server. This increases uplink traffic, consumes bandwidth, and wastes forwarding resources on the gateway.

To address this problem, specify IP addresses of accessible application servers on the MFF-enabled device. MFF provides a mechanism that is similar to ARP proxy to process such traffic, so users can correctly access all the specified application servers and directly communicate with application servers at Layer 2.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    mac-forced-forwarding server server-ip &<1-16>

    The application server IP address is configured.

    By default, no application server IP address is configured.

  4. Run:

    commit

    The configuration is committed.

(Optional) Configuring the Switch Module to Transparently Transmit ARP Request Packets

Context

In MFF networking, if the gateway performs accounting for users based on the online duration, the gateway must know whether a user is online at a specified moment. By default, the MFF-enabled device sends ARP reply packets in response to ARP request packets sent from the gateway. The MFF-enabled device can always send ARP reply packets as long as the MFF entry is not aged out. As a result, the gateway always considers users online even if they have gone offline.

To solve this problem, configure the MFF-enabled device to transparently transmit ARP request packets sent from the gateway to the user. Then the MFF-enabled device does not respond to the ARP packets. If the gateway does not receive the ARP reply packet from a user, the gateway considers that the user has gone offline. The gateway can monitor the user status in a timely manner and correctly perform accounting.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    mac-forced-forwarding user-detect transparent

    The Switch Module is configured to transparently transmit ARP request packets.

    By default, the Switch Module does not transparently transmit ARP request packets.

  4. Run:

    commit

    The configuration is committed.

(Optional) Configuring an Isolated Interface

Context

In data center server virtualization scenarios, multiple virtual machines (VMs) in a physical server may belong to the same VLAN and require Layer 2 isolation. The VMs connect to the same user interface on the MFF-enabled device. Services on the VMs are often isolated, so the MFF-enabled device must respond to ARP request packets. If the MFF-enabled device does not respond to ARP request packets, VMs cannot communicate at Layer 3.

MFF provides the isolated interface to address this issue. After an isolated interface is configured, the MFF-enabled device does not check interface consistency in ARP request packets sent by users. Instead, the MFF-enabled device directly responds to the ARP request packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    mac-forced-forwarding user-isolate-port

    The interface is configured as an isolated interface.

  4. Run:

    commit

    The configuration is committed.

(Optional) Configuring MFF Security

Context

In MFF networking, the Switch Module may dynamically learn user information using ARP snooping. If these users forge ARP request packets, the Switch Module learns incorrect user information. This wastes device resources, and the Switch Module fails to learn information about authorized users and to process their legitimate services.

You can disable dynamic user learning of ARP snooping so that the Switch Module does not learn information about unauthorized users, or set the maximum number of users in a VLAN because the number of DHCP users or static users is often fixed.

NOTE:

  • MFF supports the following users: users dynamically learned by the Switch Module using DHCP snooping, users matching static binding entries, and users learned by the Switch Module using ARP snooping.
  • Before you disable dynamic user learning, make sure that the Switch Module has already learned users using DHCP snooping or that users match static binding entries.

Procedure

  • Disabling dynamic user learning

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      mac-forced-forwarding learning dynamic-user disable

      Dynamic user learning is disabled in the VLAN.

      By default, dynamic user learning is enabled.

    4. Run:

      commit

      The configuration is committed.

  • Setting the maximum number of users

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      mac-forced-forwarding max-user max-user-number

      The maximum number of users in the VLAN is set.

      By default, the maximum number of users is not set.

    4. Run:

      commit

      The configuration is committed.

Checking the Configuration

Procedure

  • Run the display mac-forced-forwarding network-port command to check the MFF network interface.
  • Run the display mac-forced-forwarding vlan vlan-id command to check the MFF configuration in the VLAN.
  • Run the display mac-forced-forwarding user-isolate-port command to check the MFF isolated interface.
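
An offline complement to the display commands above, added here as an example and not part of the Huawei guide: a Python check over a saved configuration that reports MFF VLANs with no network interface, missing global MFF, and MFF VLANs where neither `learning dynamic-user disable` nor `max-user` is set. It assumes that sub-commands are indented one space under their view line, that views are separated by `#`, and that VLAN membership is given by `port default vlan` or `port trunk allow-pass vlan`; the sample configuration is constructed.

```python
import re
P = "mac-forced-forwarding "
# Constructed sample in saved-configuration style; names and IDs are made up.
SAMPLE_CONFIG = """\
mac-forced-forwarding enable
#
vlan 10
 mac-forced-forwarding enable
 mac-forced-forwarding max-user 64
#
vlan 20
 mac-forced-forwarding enable
#
interface 10GE1/17/1
 port trunk allow-pass vlan 10
 mac-forced-forwarding network-port
"""

def parse_sections(text):  # top-level line -> indented commands under it
    sections, current = {}, []
    for line in text.splitlines():
        if line.startswith(" "):
            current.append(line.strip())
        elif line.strip() and not line.startswith("#"):
            current = sections.setdefault(line.strip(), [])
    return sections

def vlans_on(cmds):  # VLAN IDs an interface carries (default or trunk)
    ids = set()
    for c in cmds:
        m = re.match(r"port (?:default|trunk allow-pass) vlan (.+)", c)
        for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m.group(1) if m else ""):
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_mff(text):
    s = parse_sections(text)
    net_vlans = set().union(*(vlans_on(c) for h, c in s.items()
                              if h.startswith("interface ") and P + "network-port" in c))
    mff = {int(h.split()[1]): c for h, c in s.items()
           if re.fullmatch(r"vlan \d+", h) and P + "enable" in c}
    findings = ["global MFF is not enabled"] if mff and P + "enable" not in s else []
    for vid, cmds in sorted(mff.items()):
        if vid not in net_vlans:
            findings.append(f"vlan {vid}: no network interface in the VLAN")
        if P + "learning dynamic-user disable" not in cmds and not any(
                c.startswith(P + "max-user ") for c in cmds):
            findings.append(f"vlan {vid}: dynamic learning on, no max-user")
    return findings
```

Calling `audit_mff(SAMPLE_CONFIG)` reports both problems for VLAN 20 and nothing for VLAN 10, which has a network interface and a user limit.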
Updated: 2019-08-09

Document ID: EDOC1000041694
