Install guide

Software Reference
Introduction
This chapter describes MAC-Forced Forwarding, how it is implemented, and
how to configure it on the switch.
MAC-Forced Forwarding is a method for subscriber separation on a network.
It is appropriate for IPv4 Ethernet-based networks, where a layer 2 bridged
segment separates downstream clients from their upstream IPv4 gateways,
known as Access Routers (ARs).
MAC-Forced Forwarding directs all traffic from a client to a specific AR. This
stops the clients from having direct access to one another through the bridged
segment, despite being within the same subnet.
MAC-Forced Forwarding provides the following benefits to your network:
- The ability to monitor, filter, and police any traffic between separate clients
  within the same subnet. This allows you to account for all traffic to and
  from a client.
- Efficient use of limited resources. MAC-Forced Forwarding allows IPv4
  addresses to be efficiently assigned by DHCP, and uses less bandwidth and
  configuration than other Ethernet solutions such as PPPoE.
- Greater security within the subnet. As malicious clients cannot discover
  the MAC addresses of their neighbouring clients, they cannot launch
  Ethernet-level attacks on these clients.
The switch’s implementation of MAC-Forced Forwarding is compatible with
RFC 4562, MAC-Forced Forwarding: A Method for Subscriber Separation on an
Ethernet Access Network.
Overview of MAC-Forced Forwarding
MAC-Forced Forwarding is suitable for Ethernet networks where a layer 2
bridging device, known as an Ethernet Access Node (EAN), connects ARs to
their clients. The protocol is implemented on the EANs in a network. Figure 1
on page 3 shows an example network with EANs.
How it works
MAC-Forced Forwarding uses a feature of proxy Address Resolution Protocol
(ARP) to stop MAC address resolution between clients. Without MAC-Forced
Forwarding, the EANs in a network forward valid ARP messages to the
requested destination. With MAC-Forced Forwarding, EANs intercept all ARP
messages from clients and send proxy ARP replies on behalf of the client’s AR.
This stops the clients from learning the MAC addresses of any other devices,
and directs all traffic from the client directly to the AR.
An exception to this rule occurs when the network has an Application Server
(AS), and the client sends an ARP request for the AS. In these cases the EAN
sends a proxy ARP reply back on behalf of the AS rather than the AR.
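
The following is an added example, not code from the switch or from this guide: a Python model of the ARP handling described above, in which the EAN answers a client's ARP request with the AR's MAC address unless the target is an Application Server. The addresses, the AS_TABLE name and the function names are assumptions made for illustration, and the sketch assumes that only IPv4-over-Ethernet ARP requests are answered.

```python
import socket
import struct

# Constructed sample addresses (assumptions, not taken from the guide).
AR_MAC = bytes.fromhex("02000000aa01")                    # the client's Access Router
AS_TABLE = {"192.0.2.10": bytes.fromhex("02000000bb10")}  # Application Servers: IP -> MAC

# ARP payload for IPv4 over Ethernet: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP = struct.Struct("!HHBBH6s4s6s4s")
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a 28-byte ARP payload; spa and tpa are dotted-quad strings."""
    return ARP.pack(1, 0x0800, 6, 4, oper, sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))

def ean_handle_arp(payload):
    """Model of the EAN: return the proxy ARP reply for a client request, else None."""
    if len(payload) < ARP.size:
        return None  # truncated frame
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP.unpack(payload[:ARP.size])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, REQUEST):
        return None  # assumption of this sketch: only IPv4/Ethernet requests are answered
    target_ip = socket.inet_ntoa(tpa)
    # The AS exception: answer for the AS itself; every other target resolves to the AR.
    answer_mac = AS_TABLE.get(target_ip, AR_MAC)
    # The reply claims target_ip is at answer_mac and is addressed back to the client.
    return build_arp(REPLY, answer_mac, target_ip, sha, socket.inet_ntoa(spa))

def resolved_mac(reply):
    """MAC address the client will cache for the IP it asked about."""
    return ARP.unpack(reply)[5]

if __name__ == "__main__":
    client_mac = bytes.fromhex("02000000c001")
    for target in ("192.0.2.55", "192.0.2.10", "192.0.2.1"):  # neighbour, AS, AR
        req = build_arp(REQUEST, client_mac, "192.0.2.20", bytes(6), target)
        print(target, "->", resolved_mac(ean_handle_arp(req)).hex(":"))
```

In this model a request for a neighbouring client's address resolves to the AR's MAC address, so the neighbour's real MAC address never reaches the requesting client.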