Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

MFF Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display mac-forced-forwarding

Function

The display mac-forced-forwarding command displays the MFF configuration.

Format

display mac-forced-forwarding { network-port | vlan vlan-id }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| network-port | Displays network interface information. | - |
| vlan vlan-id | Displays the MFF configuration in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display mac-forced-forwarding command displays the MFF network interface information and MFF configuration in a specified VLAN.

NOTE:

When the user-bind static command is executed to configure a static binding entry for a non-DHCP user, at least ip-address and vlan vlan-id [ ce-vlan ce-vlan-id ] must be specified. In this case, the MFF entry that has the same IP address and VLAN ID as the static binding entry can be deleted when the static binding entry is deleted.

Example

# Display information about the MFF network interface.

<HUAWEI> display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID                  Network-ports
--------------------------------------------------------------------------------
VLAN 10                  GigabitEthernet2/0/0
                         GigabitEthernet2/0/1
                         GigabitEthernet2/0/2
                         GigabitEthernet2/0/3
VLAN 100                 GigabitEthernet3/0/10
                         GigabitEthernet3/0/15
                                                
Table 14-37  Description of the display mac-forced-forwarding network-port command output

| Item | Description |
| --- | --- |
| VLAN ID | ID of the VLAN that the network interface belongs to. |
| Network-ports | Network interface. |

# Display the MFF configuration in VLAN 100.

<HUAWEI> display mac-forced-forwarding vlan 100
[Vlan 100] MFF host total count = 3 
--------------------------------------------------------------------------------
Servers         192.168.1.2
                192.168.1.3
--------------------------------------------------------------------------------
User IP         User MAC             Gateway IP        Gateway MAC
--------------------------------------------------------------------------------
192.168.1.10    0001-0001-0001       192.168.1.254     0002-0002-0001
192.168.1.11    0001-0001-0002       192.168.1.254     0002-0002-0001
192.168.1.12    0001-0001-0003       192.168.1.252     0002-0002-0003
--------------------------------------------------------------------------------
Table 14-38  Description of the display mac-forced-forwarding vlan command output

| Item | Description |
| --- | --- |
| MFF host total count | Number of users in VLAN 100. |
| Servers | IP addresses of servers in VLAN 100. |
| User IP | IP addresses of users in VLAN 100. |
| User MAC | MAC addresses of users in VLAN 100. |
| Gateway IP | Gateway IP address. |
| Gateway MAC | Gateway MAC address. |
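
The following added example (not part of the Huawei documentation) parses the display mac-forced-forwarding vlan output shown above and checks the MFF entries against the gateways the operator intends users to reach. The function names and the expected_gateways input are assumptions of this example.

```python
import re
from collections import defaultdict

# Output of "display mac-forced-forwarding vlan 100", as shown on this page.
SAMPLE = """\
[Vlan 100] MFF host total count = 3
--------------------------------------------------------------------------------
Servers         192.168.1.2
                192.168.1.3
--------------------------------------------------------------------------------
User IP         User MAC             Gateway IP        Gateway MAC
--------------------------------------------------------------------------------
192.168.1.10    0001-0001-0001       192.168.1.254     0002-0002-0001
192.168.1.11    0001-0001-0002       192.168.1.254     0002-0002-0001
192.168.1.12    0001-0001-0003       192.168.1.252     0002-0002-0003
--------------------------------------------------------------------------------
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}"
HEADER_RE = re.compile(r"\[Vlan (\d+)\] MFF host total count = (\d+)")
HOST_RE = re.compile(rf"^({IP})\s+({MAC})\s+({IP})\s+({MAC})\s*$")
SERVER_RE = re.compile(rf"^(?:Servers)?\s+({IP})\s*$")
FIELDS = ("user_ip", "user_mac", "gw_ip", "gw_mac")


def parse_mff_vlan(text):
    """Parse the command output into {'vlan', 'total', 'servers', 'hosts'}."""
    out = {"vlan": None, "total": None, "servers": [], "hosts": []}
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            out["vlan"], out["total"] = int(m.group(1)), int(m.group(2))
        elif m := HOST_RE.match(line):
            out["hosts"].append(dict(zip(FIELDS, (g.lower() for g in m.groups()))))
        elif m := SERVER_RE.match(line):
            out["servers"].append(m.group(1))
    return out


def audit_mff(parsed, expected_gateways):
    """Return findings for entries that deviate from the intended MFF state.

    expected_gateways: set of gateway IPs the operator intends users to use
    (a hypothetical input of this example, not something the switch reports).
    """
    findings = []
    hosts = parsed["hosts"]
    if parsed["total"] != len(hosts):
        findings.append(f"count mismatch: header {parsed['total']}, rows {len(hosts)}")
    gw_macs, mac_ips = defaultdict(set), defaultdict(set)
    for h in hosts:
        gw_macs[h["gw_ip"]].add(h["gw_mac"])
        mac_ips[h["user_mac"]].add(h["user_ip"])
        if h["gw_ip"] not in expected_gateways:
            findings.append(f"{h['user_ip']}: unexpected gateway {h['gw_ip']} ({h['gw_mac']})")
    for gw, macs in sorted(gw_macs.items()):
        if len(macs) > 1:   # one gateway IP recorded with different MACs
            findings.append(f"gateway {gw} maps to several MACs: {sorted(macs)}")
    for mac, ips in sorted(mac_ips.items()):
        if len(ips) > 1:    # one user MAC holds several IP addresses
            findings.append(f"user MAC {mac} holds several IPs: {sorted(ips)}")
    return findings


if __name__ == "__main__":
    for finding in audit_mff(parse_mff_vlan(SAMPLE), {"192.168.1.254"}):
        print(finding)
```
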

mac-forced-forwarding arp-trigger

Function

The mac-forced-forwarding arp-trigger command enables an EAN to add or update an MFF entry when receiving an ARP packet from a user.

The undo mac-forced-forwarding arp-trigger command disables an EAN from adding or updating an MFF entry when receiving an ARP packet from a user.

By default, the EAN does not add or update an MFF entry when receiving an ARP packet from a user.

Format

mac-forced-forwarding arp-trigger

undo mac-forced-forwarding arp-trigger

Parameters

N/A

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a data center, users and virtual machine (VM) servers are isolated at Layer 2 on EAN devices using MFF. If a VM connects to another EAN after migrating between servers and does not send DHCP request packets, the backup binding table may exist on the new EAN while the original EAN still retains the MFF entry. In this state, Layer 2 isolation and Layer 3 communication between users and servers cannot be guaranteed. Run the mac-forced-forwarding arp-trigger command on the new EAN to enable it to check binding entries when receiving an ARP packet from the user. If an entry matches the user, the EAN updates the MFF entry. If no entry matches the user, the EAN adds a new entry. When the EAN receives the first ARP packet, it broadcasts the packet to all network interfaces regardless of whether the user entry exists.

Prerequisite

MFF has been enabled in the system view and VLAN view using the mac-forced-forwarding enable command.

Example

# Enable the EAN to add or update the MFF entries when receiving an ARP packet from a user in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding arp-trigger

mac-forced-forwarding dumb-terminal-compatible

Function

The mac-forced-forwarding dumb-terminal-compatible command configures a device to forward the ARP packets from the gateway to dumb terminals.

The undo mac-forced-forwarding dumb-terminal-compatible command disables a device from forwarding the ARP packets from the gateway to dumb terminals.

By default, a device does not forward the ARP packets from the gateway to dumb terminals.

Format

mac-forced-forwarding dumb-terminal-compatible

undo mac-forced-forwarding dumb-terminal-compatible

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the MFF device connects to dumb terminals (which do not actively send ARP request packets, or send them only at long intervals), the MFF device must transparently transmit the ARP packets from the gateway to the dumb terminals after the MFF entries are aged out; otherwise, the user ARP entries on the gateway are aged out and user services are interrupted. Therefore, when the MFF device connects to dumb terminals, configure it to transparently transmit the ARP packets from the gateway to the dumb terminals.

Prerequisites

Global MFF has been enabled using the mac-forced-forwarding enable command.

Precautions

After the MFF device is configured to transparently transmit ARP packets to dumb terminals, run the mac-forced-forwarding static-gateway command to configure an IP address for the static gateway; otherwise, this function does not take effect.

After this function is enabled, the MFF device searches the static binding table when receiving ARP request packets from the gateway (configured using the user-bind static command):
  • If the outbound interface is found in the static binding table, the device forwards the ARP request packets through this interface.
  • If the outbound interface is not found in the static binding table, the device broadcasts the ARP request packets in the VLAN. In this situation, all users in the VLAN can receive the ARP packets.

Example

# Configure a device to transparently transmit ARP packets from the gateway to dumb terminals in VLAN 100.

<HUAWEI> system-view
[HUAWEI] mac-forced-forwarding enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding dumb-terminal-compatible

mac-forced-forwarding enable

Function

The mac-forced-forwarding enable command enables MFF.

The undo mac-forced-forwarding enable command disables MFF.

By default, MFF is disabled.

Format

mac-forced-forwarding enable

undo mac-forced-forwarding enable

Parameters

None

Views

System view, VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Many networks require that the gateway monitor data traffic and isolate users. MFF isolates users at Layer 2 and connects users at Layer 3 on the same network segment. MFF enables traffic to be forwarded through the gateway. This implements traffic monitoring and accounting and ensures network security.

Precautions

You can run the mac-forced-forwarding enable command in the VLAN view and perform other configurations only after you enable MFF globally in the system view.

After MFF is disabled in the system view, other MFF configurations are automatically deleted.

MFF cannot be enabled in a VLAN where the super VLAN or VLANIF interface is configured.

MFF cannot be enabled in a sub-VLAN where the super VLAN and VLANIF interface are configured.

The MFF function is implemented based on ARP proxy, whereas the EAI function is implemented based on ARP request packet forwarding. Therefore, the two functions conflict with each other. If you have enabled both MFF and EAI in the same VLAN, the MFF function takes effect.

NOTE:

When you enable MFF, if ACL resources are insufficient, the MFF function does not take effect.

MFF cannot be configured in the super-VLAN.

When DHCP relay is configured in a super VLAN, MFF cannot be enabled in its sub-VLANs.

Example

# Enable MFF in VLAN 100.

<HUAWEI> system-view
[HUAWEI] mac-forced-forwarding enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable

mac-forced-forwarding gateway-detect

Function

The mac-forced-forwarding gateway-detect command enables timed gateway detection and sets the gateway detection interval.

The undo mac-forced-forwarding gateway-detect command disables timed gateway detection.

By default, timed gateway detection is enabled and the default gateway detection interval is 30s.

Format

mac-forced-forwarding gateway-detect [ interval interval-time ]

undo mac-forced-forwarding gateway-detect

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interval interval-time | Indicates the gateway detection interval. | The value is an integer that ranges from 30 to 17280, in seconds. |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a live network, services may be interrupted for a long time because the MFF-enabled device cannot immediately detect a gateway MAC address change. Timed gateway detection solves this problem. After the detection function is enabled (it is enabled by default), the MFF-enabled device scans the recorded gateway information every interval-time seconds. For each recorded gateway, the MFF-enabled device uses user information to construct an ARP request packet and sends it to the network interface. The MFF-enabled device then learns the gateway MAC address from the ARP reply packet. If the gateway MAC address has changed, the MFF-enabled device immediately updates the gateway information and broadcasts gratuitous ARP packets to users so that users can update the gateway address.

Prerequisites

MFF has been enabled in a VLAN using the mac-forced-forwarding enable command.

Precautions

When detecting multiple gateway addresses, the MFF-enabled device sends an ARP reply packet with the first gateway address by default.

After MFF is enabled, timed gateway detection does not take effect if no ARP request packet is received from the user or gateway or if no user is authorized by the DHCP server to access the network.

If a gateway fails, traffic between users will be blocked. To avoid this situation, the device considers a gateway invalid if it does not receive a response from the gateway after five detection attempts. The device then deletes the MAC address entry of the invalid gateway. If the gateway detection interval is changed while a detection is in progress, the count of detection attempts continues to accumulate.

Example

# Enable timed gateway detection in VLAN 10.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] mac-forced-forwarding enable
[HUAWEI-vlan10] mac-forced-forwarding gateway-detect

mac-forced-forwarding igmp-query discard

Function

The mac-forced-forwarding igmp-query discard command configures an MFF-enabled device to discard the IGMP Query messages from users when both MFF and IGMP snooping are enabled in a VLAN.

The undo mac-forced-forwarding igmp-query discard command disables an MFF-enabled device from discarding the IGMP Query messages from users when both MFF and IGMP snooping are enabled in a VLAN.

By default, an MFF-enabled device does not discard the IGMP Query messages from users when both MFF and IGMP snooping are enabled in a VLAN.

Format

mac-forced-forwarding igmp-query discard

undo mac-forced-forwarding igmp-query discard

Parameters

None.

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

After MFF and IGMP snooping are enabled in a VLAN, the IGMP Query messages are broadcast in the VLAN. To prevent IGMP Query message broadcasting, use the mac-forced-forwarding igmp-query discard command.

Example

# Configure an MFF-enabled device to discard the IGMP Query messages from users in VLAN 10.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] mac-forced-forwarding igmp-query discard

mac-forced-forwarding ipv6-isolate

Function

The mac-forced-forwarding ipv6-isolate command configures the user-side inbound interface on a device to discard IPv6 packets.

The undo mac-forced-forwarding ipv6-isolate command disables a device from discarding IPv6 packets from users.

By default, the user-side inbound interface on a device does not discard IPv6 packets from users.

Format

mac-forced-forwarding ipv6-isolate

undo mac-forced-forwarding ipv6-isolate

Parameters

None.

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the mac-forced-forwarding ipv6-isolate command is used, the user-side inbound interface on a device discards the IPv6 packets from users to prevent IPv6 packets from being broadcast in the VLAN. If the device does not discard IPv6 packets, users can learn each other's MAC addresses, which defeats MFF user isolation.

Prerequisites

The MFF function has been enabled in the system view and the VLAN view.

The VLAN contains at least one network-side interface.

Example

# Configure the user-side inbound interface on a device to discard IPv6 packets from users.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding ipv6-isolate

mac-forced-forwarding network-port

Function

The mac-forced-forwarding network-port command configures an interface as a network interface.

The undo mac-forced-forwarding network-port command restores the interface to be a user interface.

By default, an interface is a user interface.

Format

mac-forced-forwarding network-port

undo mac-forced-forwarding network-port

Parameters

None

Views

Ethernet interface view, 40GE interface view, 100GE interface view, GE interface view, XGE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To make MFF in a VLAN effective, ensure that at least one network interface belongs to the VLAN. Therefore, configure network interfaces for MFF.

The interface that is connected to the gateway and other network devices is configured as a network interface.

Precautions

MFF has been enabled in the system view using the mac-forced-forwarding enable command. Regardless of whether MFF is enabled in the VLAN that an interface belongs to, the interface can be configured as a network interface.

Multiple interfaces can be configured as network interfaces.

Example

# Configure GE1/0/1 as a network interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-forced-forwarding network-port
Info: This operation may take a few seconds. Please wait for a moment.....

mac-forced-forwarding network-port-arp-trigger

Function

The mac-forced-forwarding network-port-arp-trigger command enables the network interface on an EAN to delete an MFF entry when the network port receives an ARP packet.

The undo mac-forced-forwarding network-port-arp-trigger command disables the network interface on an EAN from deleting an MFF entry when the network port receives an ARP packet.

By default, the network interface on an EAN does not delete the MFF entry when receiving an ARP packet.

Format

mac-forced-forwarding network-port-arp-trigger

undo mac-forced-forwarding network-port-arp-trigger

Parameters

N/A

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a data center, users and VM servers are isolated at Layer 2 on EAN devices using MFF. If a VM connects to another EAN after migrating between servers, and the binding table on the original EAN is not aged out, the original EAN still considers the VM an MFF host. If an attacker accesses users or sends ARP request packets using the IP address and MAC address of the VM, the original EAN allows the request, so the attack is not blocked. After you run the mac-forced-forwarding network-port-arp-trigger command on the original EAN, when receiving ARP packets from this VM, the original EAN determines that the VM has migrated to another EAN and deletes the MFF entry that maps to the VM.

Prerequisites

MFF has been enabled in the system view and VLAN view using the mac-forced-forwarding enable command.

Example

# Enable the network interface on an EAN to delete an MFF entry when receiving an ARP packet.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding network-port-arp-trigger

mac-forced-forwarding server

Function

The mac-forced-forwarding server command configures the IP address for a server on the MFF network.

The undo mac-forced-forwarding server command deletes the configured IP address of a server.

By default, no IP address is configured for servers.

Format

mac-forced-forwarding server server-ip &<1-10>

undo mac-forced-forwarding server { server-ip | all }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| server-ip | Specifies the IP address for a server. | The value is in dotted decimal notation. NOTE: This IP address must be a class A, B, or C address. If the IP address is a class A address, it cannot be in the format 0.x.x.x. |
| all | Specifies IP addresses for all servers. | - |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In addition to the gateway, application servers such as the DHCP, multicast, or another server may be deployed on a network. You can configure IP addresses for application servers and set a list of accessible application servers on the MFF-enabled device.

  • When a network interface on the MFF-enabled device receives an ARP request from a specified application server, the MFF-enabled device responds with the user MAC address by default. The packets sent from the server to the user are directly forwarded without passing through the gateway.
  • If the MFF-enabled device is configured to transparently transmit ARP request packets, the device responds with the gateway MAC address. The packets sent from the server to the user are forwarded through the gateway.

Prerequisites

MFF has been enabled in a VLAN using the mac-forced-forwarding enable command.

Precautions

When the number of configured servers reaches the upper limit 10, run the undo mac-forced-forwarding server { server-ip | all } command to delete unneeded servers before you configure new servers.

NOTE:

This command is required only when the application servers and clients are in the same VLAN.

Example

# Configure IP address 192.168.1.2 for a server in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding server 192.168.1.2

mac-forced-forwarding static-gateway

Function

The mac-forced-forwarding static-gateway command configures a static gateway IP address in a VLAN.

The undo mac-forced-forwarding static-gateway command cancels the configuration.

By default, no static gateway IP address is configured in a VLAN.

Format

mac-forced-forwarding static-gateway ip-address &<1-16>

undo mac-forced-forwarding static-gateway { ip-address | all }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| ip-address | Specifies the static gateway IP address in a VLAN. A maximum of 16 static gateway IP addresses in a VLAN can be specified in this command. | The value is in dotted decimal notation. NOTE: This IP address must be a class A, B, or C address. If the IP address is a class A address, it cannot be in the format 0.x.x.x. |
| all | Deletes all static gateway IP addresses in the VLAN. | - |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The static gateway is applicable when users are configured with static IP addresses. These users cannot dynamically obtain gateway information through DHCP packets. In this case, configure a static gateway address for each VLAN. After you run the mac-forced-forwarding static-gateway command, the users that are not authorized by the DHCP server can use the static gateway address to access the network. The users that are authorized by the DHCP server can still access the original gateway.

Prerequisites

Global MFF has been enabled using the mac-forced-forwarding enable command.

Precautions

If a static gateway IP address is changed, users will fail to access the network. The MAC address in the ARP table on the client belongs to the old gateway. After a new gateway is configured, the ARP entry on the client is not updated immediately (that is, the MAC address in the ARP table is not updated to the new gateway's MAC address). Therefore, the user cannot access the network.

Example

# Configure static gateway IP address 10.1.1.10 in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding static-gateway 10.1.1.10
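
The prerequisites and precautions stated for mac-forced-forwarding enable, dumb-terminal-compatible, ipv6-isolate, network-port and static-gateway can be checked on a candidate configuration before it is applied. The following is an added example, not Huawei code; the configuration layout (sections separated by "#", sub-commands indented by one space), the constructed sample and the function names are assumptions, and the network-interface check only confirms that some interface is a network interface, without resolving VLAN membership.

```python
import re

# Constructed sample in the assumed layout of a saved configuration:
# sections separated by "#", sub-commands indented by one space.
SAMPLE_CONFIG = """\
#
mac-forced-forwarding enable
#
vlan 100
 mac-forced-forwarding enable
 mac-forced-forwarding dumb-terminal-compatible
#
vlan 200
 mac-forced-forwarding enable
 mac-forced-forwarding static-gateway 10.1.1.10
 mac-forced-forwarding ipv6-isolate
#
vlan 300
 mac-forced-forwarding ipv6-isolate
#
interface GigabitEthernet1/0/1
 mac-forced-forwarding network-port
#
"""

PREFIX = "mac-forced-forwarding "


def parse_sections(config):
    """Return (global_mff, {vlan_id: {MFF keywords}}, [network interfaces])."""
    global_mff, vlans, net_ports, section = False, {}, [], ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            section = ""                      # separator closes the section
            continue
        if not raw.startswith(" "):           # top-level line opens a section
            section = raw.strip()
            global_mff = global_mff or section == PREFIX + "enable"
            continue
        cmd = raw.strip()
        if not cmd.startswith(PREFIX):
            continue
        keyword = cmd[len(PREFIX):].split()[0]    # "enable", "static-gateway", ...
        vlan = re.fullmatch(r"vlan (\d+)", section)
        if vlan:
            vlans.setdefault(int(vlan.group(1)), set()).add(keyword)
        elif section.startswith("interface ") and keyword == "network-port":
            net_ports.append(section.split(None, 1)[1])
    return global_mff, vlans, net_ports


def audit_mff_config(config):
    """Return (vlan_id or None, message) findings based on the rules on this page."""
    global_mff, vlans, net_ports = parse_sections(config)
    findings = []
    if vlans and not global_mff:
        findings.append((None, "MFF is configured in a VLAN but not enabled in the system view"))
    if vlans and not net_ports:
        findings.append((None, "no interface is configured as an MFF network interface"))
    for vid, cmds in sorted(vlans.items()):
        if "enable" not in cmds:
            findings.append((vid, "MFF options are set but MFF is not enabled in this VLAN"))
            continue
        if "dumb-terminal-compatible" in cmds and "static-gateway" not in cmds:
            findings.append((vid, "dumb-terminal-compatible has no effect without static-gateway"))
        if "ipv6-isolate" not in cmds:
            findings.append((vid, "ipv6-isolate is not set: users can learn each other's MAC over IPv6"))
    return findings


if __name__ == "__main__":
    for vlan_id, message in audit_mff_config(SAMPLE_CONFIG):
        print(vlan_id, message)
```
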

mac-forced-forwarding user-detect transparent

Function

The mac-forced-forwarding user-detect transparent command enables transparent transmission of ARP request packets.

The undo mac-forced-forwarding user-detect transparent command disables transparent transmission of ARP request packets.

By default, transparent transmission of ARP request packets is disabled.

Format

mac-forced-forwarding user-detect transparent

undo mac-forced-forwarding user-detect transparent

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In MFF networking, if the gateway performs accounting for users based on the online duration, the gateway must know whether a user is online at a specified moment. By default, the MFF-enabled device sends ARP reply packets in response to ARP request packets sent from the gateway. The MFF-enabled device can always send ARP reply packets as long as the MFF entry is not aged out. As a result, the gateway always considers users online even if they have gone offline.

To solve this problem, configure the MFF-enabled device to transparently transmit ARP request packets sent from the gateway to the user. Then the MFF-enabled device does not respond to the ARP packets. If the gateway does not receive the ARP reply packet from a user, the gateway considers that the user has gone offline. The gateway can monitor the user status in a timely manner and correctly perform accounting.

Prerequisites

Global MFF has been enabled using the mac-forced-forwarding enable command.

Precautions

In other scenarios, use the default configuration.

Example

# Enable transparent transmission of ARP request packets in VLAN 10.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] mac-forced-forwarding enable
[HUAWEI-vlan10] mac-forced-forwarding user-detect transparent
Updated: 2019-10-18

Document ID: EDOC1000178288
