No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of MFF

Overview of MFF


MAC-Forced Forwarding (MFF) isolates user devices in a broadcast domain at Layer 2 and allows the user devices to communicate with each other at Layer 3.

MFF uses proxy Address Resolution Protocol (ARP) to capture ARP request packets from user devices and to send ARP reply packets with a gateway MAC address back to the user devices. All traffic is sent to the gateway to implement Layer 2 isolation and Layer 3 communication.


On the Ethernet, users need to be isolated at Layer 2 because they use different services; however, they need to communicate with each other through Layer 3 sometimes. Traditionally, VLANs are configured to implement Layer 2 isolation and Layer 3 communication, but this method has the following disadvantages:

  • Numerous VLANs must be assigned when a large number of users need to be isolated at Layer 2.
  • IP addresses are wasted because Layer 3 communication requires each VLAN to have an IP network segment and each VLANIF interface to have an IP address.

Because MFF implements Layer 2 isolation and Layer 3 communication among users, it takes advantage of Ethernet broadcast domains and conserves IP addresses and VLANs. MFF ensures that all traffic, including traffic in the same subnet, is sent to the gateway, so that the gateway can monitor data traffic and prevent malicious attacks between users.


CPU resources become burdened if the MFF module on an MFF-enabled device processes many ARP packets destined for other devices. To solve the problem, configure ARP packet rate limiting globally, in a VLAN, or on an interface. For details, see Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an Interface.


  • Implements Layer 2 isolation and prevents malicious attacks.
  • Implements Layer 3 communication and enables the gateway to perform accounting.
  • Improves service quality and network security.
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 23937

Downloads: 93

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next