Allied Telesis MAC Forced Forwarding (MACFF) Explained for Layer 3 Switches

Protecting the user

#Create a classifier to match all traffic in VLANs 101-104 create class=10 ipsa=192.168.0.0/16 ipda=192.168.0.0/16

#Create a classifier to match voice traffic

create class=100 ipsa=192.168.1.0/24 ipda=192.168.1.0/24

#Create a classifier to match management traffic

#The management PC is 192.168.4.250

create class=401 ipsa=192.168.4.0/24 ipda=192.168.4.250/32 create class=402 ipsa=192.168.4.250/32 ipda=192.168.4.0/24

#Create a filter to drop traffic within and between VLANs 101-104 add switch hwfilter classifier=10 action=discard

#Create filters to allow the exceptions (voice and management) add switch hwfilter classifier=100 action=nodrop

add switch hwfilter classifier=401 action=nodrop add switch hwfilter classifier=402 action=nodrop

MAC-Forced Forwarding (MACFF)

MAC-forced forwarding works in conjunction with DHCP snooping to give you full control over IP flows in a layer 2 network.

Like local proxy ARP, MACFF replies to a client’s ARP request with the MAC address of an access router, instead of the real MAC address of the IP requested.

With MACFF, the edge switch generates the ARP reply. The edge switch works out which MAC address to reply with from information provided by DHCP snooping. DHCP snooping keeps a record of the client’s IP, MAC and port assignment. It also records the router information that the client has been given by DHCP. DHCP snooping passes this

information to MACFF, so that MACFF knows which router’s MAC address to provide when it sees an ARP from that client.

For more information about how MACFF works, see How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs. This How To Note is available from www.alliedtelesis.com/resources/literature/howto.aspx.