Overview of MFF

Definition

MAC-Forced Forwarding (MFF) isolates user devices in a broadcast domain at Layer 2 and allows the user devices to communicate with each other at Layer 3.

MFF uses proxy Address Resolution Protocol (ARP) to capture ARP request packets from user devices and to send ARP reply packets with a gateway MAC address back to the user devices. All traffic is sent to the gateway to implement Layer 2 isolation and Layer 3 communication.
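
The following check is an added example, not part of the original documentation. It reads the neighbor table of a Linux user host (`ip neigh` output) and reports any address in the user subnet that resolved to a MAC other than the gateway's, which would mean traffic to that peer is not being forced through the gateway. The sample table, subnet, and gateway MAC are constructed values, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample of `ip neigh` output from a user host (not real data).
SAMPLE_NEIGH = """\
10.1.1.1 dev eth0 lladdr 00:e0:fc:00:00:01 REACHABLE
10.1.1.23 dev eth0 lladdr 00:e0:fc:00:00:01 STALE
10.1.1.42 dev eth0 lladdr 52:54:00:ab:cd:ef REACHABLE
10.1.1.77 dev eth0  FAILED
192.168.50.9 dev eth1 lladdr 52:54:00:11:22:33 REACHABLE
"""

def normalize_mac(mac):
    """Lower-case a MAC and use ':' separators so notations compare equal."""
    return mac.lower().replace("-", ":")

def find_mff_bypass(neigh_text, subnet, gateway_mac):
    """Return [(ip, mac)] for in-subnet neighbors not resolved to gateway_mac.

    With MFF working as described, every ARP request a user host sends for
    an address in its subnet is answered with the gateway MAC, so any other
    MAC in the table is a peer the host can reach directly at Layer 2.
    """
    net = ipaddress.ip_network(subnet)
    gw = normalize_mac(gateway_mac)
    findings = []
    for line in neigh_text.splitlines():
        tokens = line.split()
        # Entries without "lladdr" (FAILED / INCOMPLETE) carry no MAC: skip.
        if len(tokens) < 2 or "lladdr" not in tokens[:-1]:
            continue
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # not a neighbor entry line
        if ip not in net:
            continue  # other subnet or other address family
        mac = normalize_mac(tokens[tokens.index("lladdr") + 1])
        if mac != gw:
            findings.append((str(ip), mac))
    return findings

if __name__ == "__main__":
    for ip, mac in find_mff_bypass(SAMPLE_NEIGH, "10.1.1.0/24", "00-E0-FC-00-00-01"):
        print(f"not forced to gateway: {ip} -> {mac}")
```
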

Purpose

On an Ethernet network, users need to be isolated at Layer 2 because they use different services; however, they sometimes need to communicate with each other at Layer 3. Traditionally, VLANs are configured to implement Layer 2 isolation and Layer 3 communication, but this method has the following disadvantages:

  • Numerous VLANs must be assigned when a large number of users need to be isolated at Layer 2.
  • IP addresses are wasted because Layer 3 communication requires each VLAN to have an IP network segment and each VLANIF interface to have an IP address.

Because MFF implements Layer 2 isolation and Layer 3 communication among users, it takes advantage of Ethernet broadcast domains and conserves IP addresses and VLANs. MFF ensures that all traffic, including traffic in the same subnet, is sent to the gateway, so that the gateway can monitor data traffic and prevent malicious attacks between users.

The CPU of an MFF-enabled device becomes overloaded if the MFF module on the device processes many ARP packets destined for other devices. To solve this problem, configure ARP packet rate limiting globally, in a VLAN, or on an interface. For details, see Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an Interface.

Benefits

  • Implements Layer 2 isolation and prevents malicious attacks.
  • Implements Layer 3 communication and enables the gateway to perform accounting.
  • Improves service quality and network security.
Copyright © Huawei Technologies Co., Ltd.