
mac-forced-forwarding network-port-arp-trigger

Function

The mac-forced-forwarding network-port-arp-trigger command enables the network interface on an EAN to delete the MFF entry of a host when the network port receives an ARP packet from that host.

The undo mac-forced-forwarding network-port-arp-trigger command restores the default, so that the network interface on an EAN no longer deletes an MFF entry when the network port receives an ARP packet.

By default, the network interface on an EAN does not delete an MFF entry when the network port receives an ARP packet.

Format

mac-forced-forwarding network-port-arp-trigger

undo mac-forced-forwarding network-port-arp-trigger

Parameters

N/A

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a data center, users and VM servers are isolated at Layer 2 on EAN devices using MFF. When a VM migrates between servers and becomes connected through another EAN, its binding table entry on the original EAN is not aged out immediately, so the original EAN still treats the VM as an MFF host. An attacker who spoofs the IP address and MAC address of the migrated VM can use this stale entry to access users or send ARP request packets, and the original EAN allows the traffic because it matches the binding; the attack cannot be defended against. After you run the mac-forced-forwarding network-port-arp-trigger command on the original EAN, an ARP packet from the VM that arrives on the network port tells the original EAN that the VM has migrated to another EAN, and the original EAN deletes the MFF entry mapping the VM.
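The following Python model is an added illustration of the behaviour described above; it is not Huawei code and does not reproduce the device's real MFF implementation. It assumes a simplified EAN that keeps MFF entries keyed by IP address, checks ARP packets from user ports against the IP/MAC binding only (not the ingress port), and, when the trigger is enabled, deletes an entry as soon as the network port sees an ARP packet whose sender IP/MAC match that entry. Port names, addresses and the VM are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """Minimal ARP view: sender IP/MAC and the EAN port that received it."""
    sender_ip: str
    sender_mac: str
    in_port: str


@dataclass
class MffEntry:
    """MFF binding of a host to the user port where it was learned."""
    ip: str
    mac: str
    user_port: str


class Ean:
    """Simplified model (assumption, not the real device) of an EAN running MFF."""

    def __init__(self, name: str, network_port: str, arp_trigger: bool = False):
        self.name = name
        self.network_port = network_port
        self.arp_trigger = arp_trigger   # mac-forced-forwarding network-port-arp-trigger
        self.table: dict[str, MffEntry] = {}

    def bind(self, ip: str, mac: str, user_port: str) -> None:
        """Install an MFF entry (learned via DHCP snooping or configured statically)."""
        self.table[ip] = MffEntry(ip, mac, user_port)

    def receive_arp(self, pkt: ArpPacket) -> str:
        """Return what the EAN does with the packet: 'accepted', 'dropped' or 'entry-deleted'."""
        entry = self.table.get(pkt.sender_ip)
        if pkt.in_port == self.network_port:
            # Network-side ARP. With the trigger enabled, an ARP whose sender
            # matches a local binding proves that host now sits behind another
            # EAN, so the stale entry is removed.
            if self.arp_trigger and entry and entry.mac == pkt.sender_mac:
                del self.table[pkt.sender_ip]
                return "entry-deleted"
            return "accepted"
        # User-side ARP: MFF only lets bound IP/MAC pairs through.
        if entry is None or entry.mac != pkt.sender_mac:
            return "dropped"
        return "accepted"


def migration_scenario(arp_trigger: bool) -> dict:
    """Replay the VM-migration case from the usage scenario on the original EAN."""
    ean = Ean("EAN1", network_port="GE0/0/24", arp_trigger=arp_trigger)
    vm_ip, vm_mac = "10.1.1.10", "00:11:22:33:44:55"          # constructed VM
    ean.bind(vm_ip, vm_mac, user_port="GE0/0/1")

    # The VM migrates to a server behind another EAN; its next ARP reaches
    # EAN1 through the network port instead of the user port.
    from_network = ean.receive_arp(ArpPacket(vm_ip, vm_mac, "GE0/0/24"))

    # An attacker on a user port then spoofs the migrated VM's IP/MAC.
    spoofed = ean.receive_arp(ArpPacket(vm_ip, vm_mac, "GE0/0/3"))

    return {
        "network_side": from_network,
        "spoofed_user_side": spoofed,
        "entry_present": vm_ip in ean.table,
    }


if __name__ == "__main__":
    print("trigger disabled:", migration_scenario(arp_trigger=False))
    print("trigger enabled: ", migration_scenario(arp_trigger=True))
```

With the trigger disabled the stale binding survives the VM's network-side ARP, so the attacker's spoofed ARP on a user port is accepted; with the trigger enabled the entry is deleted first and the spoofed ARP is dropped. The model checks only IP and MAC on user-port ARP, which is the assumption under which the stale entry alone is enough for the attacker.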

Prerequisites

MFF has been enabled in the system view and VLAN view using the mac-forced-forwarding enable command.

Example

# Enable the network interface on an EAN to delete an MFF entry when receiving an ARP packet.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-forced-forwarding enable
[HUAWEI-vlan100] mac-forced-forwarding network-port-arp-trigger
Copyright © Huawei Technologies Co., Ltd.