Configuring Unknown Unicast and Multicast Flood Control


This chapter describes how to configure the unknown unicast flood blocking (UUFB), unknown multicast flood blocking (UMFB), and unknown unicast flood rate-limiting (UUFRL) features in Cisco IOS Release 12.2SX.

Understanding Unknown Traffic Flood Control

Configuring UUFB or UMFB

Configuring UUFRL


Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL:

http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html



Tip: For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:

http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html



Understanding Unknown Traffic Flood Control

By default, unknown unicast and multicast traffic is flooded to all Layer 2 ports in a VLAN. You can use the UUFB, UMFB, and UUFRL features to prevent or limit this traffic.

The UUFB and UMFB features block unknown unicast and multicast traffic flooding at a specific port, only permitting egress traffic with MAC addresses that are known to exist on the port. The UUFB and UMFB features are supported on all ports that are configured with the switchport command, including private VLAN (PVLAN) ports.

The UUFRL feature applies a rate limit globally to unknown unicast traffic on all VLANs.


Note: Enter the switchport block multicast command only on ports where all unknown multicast flooded traffic needs to be completely blocked. UMFB disrupts protocols that make use of local subnetwork multicast control groups in the 224.0.0.0/24 range, for example:

ARP

IPv6 neighbor discovery (IPv6 ND)

Network Time Protocol (NTP)

Do not enter this command on nonreceiver (router) ports or host ports that rely on dynamic ARP. Use IGMP snooping or other rate-limiting options to restrict, rather than completely block, unknown multicast flooded traffic.


Configuring UUFB or UMFB

To configure UUFB or UMFB, perform this task:

 
Step 1  Command: Router# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: Router(config)# interface {{type slot/port} | {port-channel number}}
        Purpose: Selects the interface to configure.

Step 3  Command: Router(config-if)# switchport
        Purpose: Configures the port for Layer 2 switching.

Step 4  Command: Router(config-if)# switchport block {unicast | multicast}
        Purpose: Enables unknown unicast or multicast flood blocking on the port.

Step 5  Command: Router(config-if)# do show interfaces [type slot/port] switchport | include Unknown
        Purpose: Verifies the configuration.

In these commands, type = fastethernet, gigabitethernet, or tengigabitethernet

This example shows how to configure UUFB on Fast Ethernet port 5/12 and how to verify the configuration:

Router# configure terminal 
Router(config)# interface fastethernet 5/12 
Router(config-if)# switchport 
Router(config-if)# switchport block unicast 
Router(config-if)# do show interface fastethernet 5/12 switchport | include Unknown 
Unknown unicast blocked: enabled

Configuring UUFRL


Note: The UUFRL feature is available only with the Supervisor Engine 720-10GE.


To configure UUFRL, perform this task:

 
Step 1  Command: Router# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: Router(config)# mls rate-limit layer2 unknown rate-in-pps [burst-size]
        Purpose: Enables UUFRL and sets the maximum packet rate. (Optional) Specify a burst size limit.

Step 3  Command: Router(config)# exit
        Purpose: Exits configuration mode.

When you configure UUFRL, note the following information:

- When unknown unicast flood rate-limiting (UUFRL) is enabled, per-VLAN learning must be enabled on all the Layer 3 routed ports; otherwise, any unicast flooded packet coming into a routed port will also be rate-limited by UUFRL.

- For the rate-in-pps value:

  - The range is 10 through 1,000,000 (entered as 1000000).

  - There is no default value.

  - Values lower than 1,000 (entered as 1000) should offer sufficient protection.

- For the burst-size value:

  - The range is 1 through 255.

  - The default is 10.

  - The default value should provide sufficient protection.

This example shows how to configure UUFRL with a rate limit of 1000 pps with a burst of 20 packets:

Router# configure terminal 
Router(config)# mls rate-limit layer2 unknown 1000 20 
Router(config)# exit 
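
The following Python check is an added example, not part of the Cisco documentation: it parses a running-config excerpt, reports which Layer 2 ports have UUFB or UMFB enabled, and validates the UUFRL values against the ranges given above. The sample configuration is constructed, the function names are hypothetical, and the script assumes the `switchport` and `switchport block` lines appear under each interface as they were entered.

```python
import re

# Constructed running-config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
mls rate-limit layer2 unknown 1000 20
!
interface FastEthernet5/12
 switchport
 switchport block unicast
!
interface FastEthernet5/13
 switchport
 switchport block unicast
 switchport block multicast
!
interface GigabitEthernet1/1
 switchport
!
interface GigabitEthernet1/2
 no switchport
"""

UUFRL_RE = re.compile(r"^mls rate-limit layer2 unknown (\d+)(?: (\d+))?$")

def audit(config):
    """Return (uufrl, ports): UUFRL settings or None, and flags per Layer 2 port."""
    uufrl, ports, current = None, {}, None
    for line in config.splitlines():
        m = UUFRL_RE.match(line)
        if m:
            rate, burst = int(m.group(1)), int(m.group(2) or 10)  # default burst is 10
            uufrl = {"rate": rate, "burst": burst,
                     "valid": 10 <= rate <= 1000000 and 1 <= burst <= 255}  # documented ranges
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"l2": False, "unicast": False, "multicast": False}
        elif current and line.startswith(" "):
            cmd = line.strip()
            if cmd == "switchport":
                ports[current]["l2"] = True
            elif cmd in ("switchport block unicast", "switchport block multicast"):
                ports[current][cmd.split()[-1]] = True
        else:
            current = None  # any unindented line ends the interface block
    return uufrl, {name: p for name, p in ports.items() if p["l2"]}

def unprotected(config):
    """List Layer 2 ports that have neither UUFB nor UMFB configured."""
    return [n for n, p in audit(config)[1].items() if not (p["unicast"] or p["multicast"])]
```

Ports listed by unprotected() still flood unknown unicast and multicast traffic by default; review each one against the UMFB caution above before enabling multicast blocking on it.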
