< Home

Users Fail to Access the Internet After MFF Is Configured

Fault Description

After MFF is configured, users cannot access the Internet.

Procedure

  1. Run the display mac-forced-forwarding vlan vlan-id command to check MFF information.

    • If the User IP and User MAC fields are empty, no user information is generated. Go to step 2.
    • If the Gateway MAC field is empty, no gateway MAC address is learned. Go to step 3.

  2. Check configurations to verify that MFF user information is generated.
    1. Check that user binding entries are generated.

      User Type Command Solution
      Dynamic user display dhcp snooping user-bind vlan vlan-id
      • If the user IP address does not match any of the binding entries, go to step b.
      • If the user IP address matches a binding entry, the user has gone online successfully. Go to step c.
      Static user display dhcp static user-bind vlan vlan-id
      • If the user IP address does not match any of the binding entries, go to step b.
      • If the user IP address matches a binding entry, the user has gone online successfully. Go to step c.

    2. Check that user configurations are correct.

      User Type Item Method Solution
      Dynamic user DHCP snooping is enabled on the user interface. Run the display this command in the user interface view to check whether the dhcp snooping enable command is configured. If not, run this command. You can also run the dhcp snooping enable command in the VLAN view if the user interface has been added to the VLAN.
      Check that the network interface is configured as the trusted interface. Run the display this command in the network interface view to check whether the dhcp snooping trusted command is configured. If not, run this command. You can also run the dhcp snooping trusted command in the VLAN view if the network interface has been added to the VLAN.
      Check that users can go online. Run the display dhcp snooping user-bind vlan vlan-id command to check whether DHCP snooping entries exist. If the user IP address does not match any of the DHCP snooping entries, the user cannot get online. Rectify the fault according to Some Users Cannot Obtain IP Addresses after DHCP Snooping Is Enabled or All Users Cannot Obtain IP Address after DHCP Snooping Is Enabled.
      Static user Check that a correct static gateway address is configured. Run the display this command in the MFF-enabled VLAN view to check whether the mac-forced-forwarding static-gateway ip-address &<1-16> command is configured and whether the static user address is on the same network segment as the static gateway address. If the mac-forced-forwarding static-gateway ip-address command is not configured or the static gateway address is on a different network segment than the static user address, run the mac-forced-forwarding static-gateway ip-address &<1-16> command to configure a static gateway that resides on the same network segment as the static user.
      Check whether the static user is correctly configured. Run the display dhcp static user-bind vlan vlan-id command in the system view to check whether a binding entry maps the specified static user. If no such binding entry exists, run the user-bind static command to configure a binding entry mapping the static user.

      If the fault persists, go to step c.

    3. Check that MFF configurations are correct.

      • Run the display this command in the user interface view to check whether the interface is added to the MFF-enabled VLAN. If not, add it to the MFF-enabled VLAN.
      • Run the display this command in the network interface view to check whether the mac-forced-forwarding network-port command is configured. If not, run this command.

  3. Verify that the device can learn the gateway address.
    1. Check whether the device receives an ARP reply packet from the gateway.

      Run the debugging ethernet packet arp interface interface-type interface-number command in the user view to check whether the device receives the ARP reply packet from the gateway.

      • If the device does not receive the ARP reply packet from the gateway, go to step b if users are assigned static IP addresses, or go to step c if users dynamically obtain IP addresses.

    2. Check that the link between the device and the gateway works properly.

      Ping the gateway from the device to check whether the route between them is reachable.
      • If the ping operation fails, rectify the route fault.
      • If the ping succeeds, go to step c.

    3. Check whether ARP reply packets are discarded.

      • Run the display this command in the interface view, VLAN view, and system view to check whether a rate limit is set for ARP packets.

        If the display this command output contains "arp anti-attack rate-limit", the rate limit is too small, which means ARP reply packets may be discarded. Run the arp anti-attack rate-limit command to increase the rate limit.

      • Run the mac-forced-forwarding gateway-detect [ interval interval-time ] command in the MFF-enabled VLAN view to enable timed gateway address detection, so that the gateway MAC address is obtained by retransmitting an ARP request packet.

Parent Topic: Troubleshooting MFF
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.