- Index
- Preface
- Product Overview
- Command-Line Interfaces
- Smart Port Macros
- Virtual Switching Systems (VSS)
- Enhanced Fast Software Ugrade (eFSU)
- NSF with SSO Supervisor Engine Redundancy
- RPR Supervisor Engine Redundancy
- Interface Configuration
- UniDirectional Link Detection (UDLD)
- Power Management and Environmental Monitoring
- EnergyWise
- Online Diagnostics
- Onboard Failure Logging
- Switch Fabric Functionality
- Cisco IP Phone Support
- Power over Ethernet
- Layer 2 LAN Ports
- Flex Links
- EtherChannels
- mLACP for Server Access
- IEEE 802.1ak MVRP and MRP
- VLAN Trunking Protocol (VTP)
- VLANs
- Private VLANs (PVLANs)
- Private Hosts
- IEEE 802.1Q Tunneling
- Layer 2 Protocol Tunneling
- STP and MST
- Optional STP Features
- Layer 3 Interface Configuration
- Unidirectional Ethernet (UDE) and unidirectional link routing (UDLR)
- Multiprotocol Label Switching (MPLS)
- L2VPN Advanced VPLS (A-VPLS)
- IP Unicast Layer 3 Switching
- IPv6 Multicast Layer 3 Switching
- MLD Snooping for IPv6 Multicast Traffic
- IPv4 Multicast Layer 3 Switching
- IGMP Snooping and MVR for IPv4 Multicast Traffic
- Configuring MVR for IPv4 Multicast Traffic
- IPv4 IGMP Filtering and Router Guard
- PIM Snooping
- IPv4 Multicast VPN Support
- PFC QoS
- AutoQoS
- MPLS QoS
- PFC QoS Statistics Data Export
- Network Security
- AutoSecure
- Cisco IOS ACL Support
- Cisco TrustSec (CTS)
- Port ACLs (PACLs) and VLAN ACLs (VACLs)
- Denial of Service Protection
- Control Plane Policing (CoPP)
- DHCP Snooping
- IP Source Guard
- Dynamic ARP Inspection
- Traffic Storm Control
- Unknown Unicast and Multicast Flood Control
- Network Admission Control (NAC)
- IEEE 802.1X Port-Based Authentication
- Web-Based Authentication
- Port Security
- NetFlow
- NetFlow Data Export (NDE)
- Call Home
- System Event Archive (SEA)
- Backplane Platform Monitoring
- SPAN, RSPAN, and ERSPAN
- SNMP IfIndex Persistence
- Top-N Reports
- Layer 2 Traceroute Utility
- Mini Protocol Analyzer
- Ethernet Services Line Cards
- Online Diagnostic Tests
- Acronyms
Configuring Unknown Unicast and Multicast Flood Control
This chapter describes how to configure the unknown unicast flood blocking (UUFB), unknown multicast flood blocking (UMFB), and unknown unicast flood rate-limiting (UUFRL) features in Cisco IOS Release 12.2SX.
•Understanding Unknown Traffic Flood Control
Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Master Command List, at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum
Understanding Unknown Traffic Flood Control
By default, unknown unicast and multicast traffic is flooded to all Layer 2 ports in a VLAN. You can use the UUFB, UMFB, and UUFRL features to prevent or limit this traffic.
The UUFB and UMFB features block unknown unicast and multicast traffic flooding at a specific port, only permitting egress traffic with MAC addresses that are known to exist on the port. The UUFB and UMFB features are supported on all ports that are configured with the switchport command, including private VLAN (PVLAN) ports.
The UUFRL feature applies a rate limit globally to unknown unicast traffic on all VLANs.
Note Enter the switchport block multicast command only on ports where all unknown multicast flooded traffic needs to be completely blocked. UMFB disrupts protocols that make use of local subnetwork multicast control groups in the 224.0.0.0/24 range, for example:
•ARP
•IPv6 neighbor discovery (IPv6 ND)
•Network Time Protocol (NTP)
Do not enter this command on nonreceiver (router) ports or host ports that rely on dynamic ARP. Use IGMP snooping or other rate-limiting options to restrict, rather than completely block, unknown multicast flooded traffic.
Configuring UUFB or UMFB
To configure UUFB or UFMB, perform this task:
|
|
|
---|---|---|
Step 1 |
Router# configure terminal |
Enters global configuration mode. |
Step 2 |
Router(config)# interface {{type1 slot/port} | {port-channel number}} |
Selects the interface to configure. |
Step 3 |
Router(config-if)# switchport |
Configures the port for Layer 2 switching. |
Step 4 |
Router(config-if)# switchport block {unicast | multicast} |
Enables unknown unicast or multicast flood blocking on the port. |
Step 5 |
Router(config-if)# do show interfaces [type1 slot/port] switchport | include Unknown |
Verifies the configuration. |
1 type = fastethernet, gigabitethernet, or tengigabitethernet |
This example shows how to configure UUFB on Fast Ethernet port 5/12 and how to verify the configuration:
Router# configure terminal
Router(config)# interface fastethernet 5/12
Router(config-if)# switchport
Router(config-if)# switchport block unicast
Router(config-if)# do show interface fastethernet 5/12 switchport | include Unknown
Unknown unicast blocked: enabled
Configuring UUFRL
Note The UUFRL feature is available only with the Supervisor Engine 720-10GE.
To configure UUFRL, perform this task:
When you configure UUFRL, note the following information:
•When unknown unicast flood rate-limiting (UUFRL) is enabled, per-VLAN learning must be enabled on all the Layer 3 routed ports, otherwise, any unicast flooded packet coming into a routed port will also be rate-limited by UUFRL.
•For the rate-in-pps value:
–The range is 10 through 1,000,000 (entered as 1000000).
–There is no default value.
–Values lower than 1,000 (entered as 1000) should offer sufficient protection.
•For the burst-size value:
–The range is 1 through 255.
–The default is 10.
–The default value should provide sufficient protection.
This example shows how to configure UUFRL with a rate limit of 1000 pps with a burst of 20 packets:
Router# configure terminal
Router(config)# mls rate-limit layer2 unknown 1000 20
Router(config)# exit
Tip For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Participate in the Technical Documentation Ideas forum