Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Understanding MFF

Implementation

Figure 4-1 shows MFF deployed on an Ethernet network where the gateway performs unified network management and accounting. MFF is enabled on the Ethernet Access Node (EAN) so that all user traffic passes through the gateway before it is forwarded to other users at Layer 3. MFF isolates users from each other at Layer 2, which also allows the gateway to monitor and account for all user traffic.

MFF uses a proxy ARP mechanism to reduce the number of broadcast packets exchanged between the network and users; this is what provides the Layer 2 isolation while still allowing users to communicate at Layer 3 through the gateway. The proxy ARP mechanism is described later in this section.

Figure 4-1  MFF application scenario

Interface Roles

Two types of interfaces exist on an MFF-enabled device: user interfaces and network interfaces.

A user interface connects to user terminals and handles packets as follows:

  • Discards IGMP Query messages; permits other IGMP protocol packets and DHCP packets to pass through.
  • Sends ARP packets to the CPU for processing (they are not forwarded to other users).
  • Forwards unicast packets only if their destination MAC address is a gateway MAC address that the device has already learned; all other unicast packets are discarded. Until the gateway MAC address has been learned, the interface discards all unicast packets.
  • Discards multicast and broadcast data packets.

A network interface connects to network devices such as access switches, aggregation switches, or the gateway and handles packets as follows:

  • Permits multicast and DHCP packets to pass through.
  • Sends ARP packets to the CPU for processing.

MFF Functions

MFF provides four functions: obtaining gateway and user information, proxy ARP, gateway detection, and user online status detection.

  • Obtainment of gateway and user information

    Users can be assigned static IP addresses or obtain IP addresses dynamically through DHCP. Correspondingly, an MFF-enabled device obtains the gateway IP address either from manual configuration or dynamically through DHCP snooping.

    • Manually configured gateway IP address

      If IP addresses are assigned manually, there are no DHCP packets from which the MFF-enabled device could learn the gateway IP address, so the gateway IP address must be configured manually on the MFF-enabled device. Once a static gateway IP address is configured, the MFF-enabled device captures ARP request packets on the user side and uses them to create or refresh the MFF entries that hold user information. If the device receives an ARP request before it has learned the gateway MAC address, it does not forward that ARP request; instead, it sends its own ARP request to the gateway, using the user's IP and MAC addresses as the sender information, and learns the gateway MAC address from the ARP reply returned by the gateway.

    • Gateway IP address dynamically obtained with the DHCP snooping function

      If IP addresses are allocated dynamically through DHCP, the MFF-enabled device obtains the user's IP and MAC addresses from the DHCP snooping table and parses option 121 (Classless Static Route) or option 3 (Router) in the DHCP ACK packets received on the network interface to obtain the gateway IP address. The MFF-enabled device then sends an ARP request to the gateway, using the user's IP and MAC addresses as the sender information, and learns the gateway MAC address from the ARP reply returned by the gateway.

      If a host is authorized to access multiple gateways, the MFF-enabled device answers an ARP request from the host for a non-gateway address with the MAC address of the first gateway. An ARP request from the host for a gateway address is answered with that gateway's MAC address.

  • Proxy ARP

    The MFF-enabled device captures every ARP request packet sent by a user and answers it with an ARP reply that carries the gateway MAC address as the sender MAC address. As a result, every address a user device resolves, including the gateway IP address, maps to the gateway MAC address in its ARP table, so all packets from user devices are sent to the gateway, where traffic can be monitored and accounted for. Because ARP requests from users are handled by the CPU rather than flooded to other users, a user cannot resolve another user's MAC address, which blocks direct user-to-user traffic and ARP spoofing between users in the VLAN.

    When the gateway sends an ARP request for a user's MAC address, the MFF-enabled device replies with the user's MAC address on the user's behalf.

    When a non-gateway device on the network side (such as a DHCP server or multicast server) sends an ARP request for a user's MAC address, the MFF-enabled device by default replies with the user's MAC address, so packets from that device reach the user without passing through the gateway. If the MFF-enabled device is configured to transparently transmit ARP request packets from the gateway, it instead replies with the gateway MAC address, and packets from the non-gateway device to users are forwarded through the gateway. Transparent transmission of ARP request packets is described under User online status detection.

  • Gateway detection

    To detect a change of the gateway MAC address promptly, MFF supports periodic gateway detection. With the function enabled (it is enabled by default), the MFF-enabled device scans its recorded gateway information every 30 seconds. For each recorded gateway, it constructs an ARP request using the IP and MAC addresses of any one user, sends it out the network interface, and learns the gateway MAC address from the ARP reply. If the gateway MAC address has changed, the device immediately updates its gateway information and broadcasts gratuitous ARP packets to user devices so that they update their ARP entries for the gateway.

    NOTE:

    If no user exists in a VLAN, the MFF-enabled device sends no ARP request packets to the gateway until a user goes online.

  • User online status detection

    If the gateway performs accounting based on how long users are online, it must record these durations accurately. By default, an MFF-enabled device answers ARP requests from the gateway on behalf of users, so the gateway keeps receiving replies and considers users online even after they have gone offline. To solve this problem, configure the MFF-enabled device to transparently transmit ARP request packets from the gateway to users; the device then does not answer these ARP requests itself. If the gateway receives no ARP reply from a user, it considers that the user has gone offline.
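The following Python model ties together the behaviours described in this section: snooping the gateway IP address from DHCP option 121 or option 3, the proxy ARP decisions for ARP requests arriving on user and network interfaces (with and without transparent transmission of gateway ARP requests), the 30-second gateway detection probe, and the gratuitous ARP pushed to users when a gateway MAC changes. It is an added example, not code from this page or from Huawei: the class and function names, the action tuples it returns, the single-VLAN state, and the constructed DHCP ACK bytes are assumptions. The DHCP option encoding follows RFC 2132 (option 3) and RFC 3442 (option 121); giving option 121 precedence over option 3 is an assumption taken from RFC 3442, since the page only says "option 121 or option 3".

```python
"""MFF model (added example, not Huawei code): DHCP-snooped gateway discovery, proxy
ARP on user and network interfaces, and gateway detection.  Names, action tuples and
the single-VLAN state are assumptions; DHCP layout follows RFC 2132 and RFC 3442."""
import ipaddress

OPT_PAD, OPT_ROUTER, OPT_CLASSLESS_ROUTE, OPT_END = 0, 3, 121, 255


def parse_dhcp_options(blob):
    """Return {code: value} for a DHCP options field (bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def gateway_from_dhcp_ack(options_blob):
    """Gateway IP an MFF node takes from a DHCP ACK, or None if neither option is present.
    Assumption: a default route in option 121 wins over option 3 (RFC 3442 client rule)."""
    opts = parse_dhcp_options(options_blob)
    if OPT_CLASSLESS_ROUTE in opts:
        data, i = opts[OPT_CLASSLESS_ROUTE], 0
        while i < len(data):
            plen = data[i]
            nbytes = (plen + 7) // 8          # destination is sent in ceil(plen/8) octets
            router = data[i + 1 + nbytes:i + 5 + nbytes]
            i += 5 + nbytes
            if plen == 0:                     # 0.0.0.0/0: the default gateway
                return str(ipaddress.IPv4Address(router))
    if OPT_ROUTER in opts:
        return str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4]))
    return None


class MffNode:
    def __init__(self, transparent_gateway_arp=False):
        self.gateways = {}          # gateway IP -> MAC, None until learned
        self.users = {}             # user IP -> user MAC (the MFF entries)
        self.transparent = transparent_gateway_arp

    def add_gateway(self, ip):      # from static config or a snooped DHCP ACK
        self.gateways.setdefault(ip, None)

    def gateway_reply(self, gw_ip, gw_mac):
        """Learn a gateway MAC from its ARP reply; a changed MAC is pushed to users."""
        old = self.gateways.get(gw_ip)
        self.gateways[gw_ip] = gw_mac
        if old is not None and old != gw_mac:
            return ("gratuitous-arp", gw_ip, gw_mac)
        return ("learned",)

    def _first_gateway_mac(self):
        return next((mac for mac in self.gateways.values() if mac), None)

    def user_arp_request(self, user_ip, user_mac, target_ip):
        """ARP request from a user interface; it is never forwarded to other users."""
        self.users[user_ip] = user_mac    # create or refresh the MFF entry
        if target_ip in self.gateways:
            mac = self.gateways[target_ip]
            if mac is None:               # unknown gateway MAC: probe it as the user
                return ("probe", target_ip, user_ip, user_mac)
            return ("reply", mac)
        mac = self._first_gateway_mac()   # any other target gets the first gateway's MAC
        return ("reply", mac) if mac else ("drop",)

    def network_arp_request(self, sender_ip, target_ip):
        """ARP request from a network interface asking for a user's MAC."""
        if target_ip not in self.users:
            return ("drop",)
        if not self.transparent:          # default: answer on the user's behalf
            return ("reply", self.users[target_ip])
        if sender_ip in self.gateways:    # let the gateway see whether the user answers
            return ("forward",)
        return ("reply", self._first_gateway_mac())   # servers are pointed at the gateway

    def gateway_detection(self):
        """30-second scan: probe each gateway with any user's identity; none without users."""
        if not self.users:
            return []
        user_ip, user_mac = next(iter(self.users.items()))
        return [("probe", gw, user_ip, user_mac) for gw in self.gateways]


# Constructed DHCP ACK options: option 3 names 10.0.0.1; option 121 carries
# 10.1.0.0/16 via 10.0.0.2 and the default route via 10.0.0.1.
SAMPLE_ACK_OPTIONS = bytes([
    53, 1, 5,                                          # message type: ACK
    3, 4, 10, 0, 0, 1,                                 # option 3: router
    121, 12, 16, 10, 1, 10, 0, 0, 2, 0, 10, 0, 0, 1,   # option 121: two routes
    255,
])
```

Feed `gateway_from_dhcp_ack(SAMPLE_ACK_OPTIONS)` to `add_gateway`, then drive the node with `user_arp_request` and `network_arp_request`: before the first `gateway_reply` a user's request yields a `probe` built from the user's own IP and MAC rather than a forwarded ARP, afterwards every user request, including one for a neighbouring user's IP, is answered with the gateway MAC, and `gateway_detection` returns nothing while the user table is empty. Building the node with `transparent_gateway_arp=True` changes only the network-side handling: the gateway's own requests are forwarded to the user, and requests from other servers are answered with the gateway MAC.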

Updated: 2019-04-01

Document ID: EDOC1000178410