Occasionally, unknown unicast or multicast traffic is flooded to a switch port because the destination MAC address has aged out of the MAC address table or has not yet been learned by the switch. This condition is especially undesirable for a private VLAN isolated port, which is meant to receive only traffic addressed to the host behind it.
By default, a switch floods frames with an unknown destination MAC address to all ports in the VLAN. If unknown unicast and multicast traffic is forwarded to a switch port, hosts on that port receive frames that were never addressed to them, which is a security concern. To prevent this, you can configure a port to block unknown unicast or multicast frames.
Unknown unicast traffic is flooded to all Layer 2 ports in a VLAN. You can prevent this behaviour with the Unknown Unicast Flood Blocking (UUFB) feature. It blocks unknown unicast flooding and only permits frames to egress a port when the destination MAC address has been learned on that port. The feature is enabled on any port configured with the switchport block unicast command, which includes private VLAN (PVLAN) ports.
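As an added example (not configuration from the original page), the following enables unknown unicast and multicast blocking on an ordinary access port and on a private VLAN isolated host port, then verifies the setting. The interface names, VLAN 10 and the private VLAN pair 100/101 are assumed values.

```cisco
! Added example, assumed values: Gi3/1 is an access port in VLAN 10.
interface GigabitEthernet3/1
 switchport
 switchport mode access
 switchport access vlan 10
 switchport block unicast
 switchport block multicast
!
! Same blocking on a private VLAN isolated host port (assumed primary VLAN 100,
! isolated VLAN 101), where flooded traffic from other hosts is least wanted.
interface GigabitEthernet3/2
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport block unicast
 switchport block multicast
!
! Verify: the switchport output should report
!   Unknown unicast blocked: enabled
!   Unknown multicast blocked: enabled
show interfaces GigabitEthernet3/1 switchport | include blocked
```

The verification line is the check to keep in a compliance script: a port that is meant to be isolated but still shows "blocked: disabled" will receive every flooded frame in its VLAN.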
The aging behaviour described here is a consequence of the Catalyst 6500 distributed forwarding architecture. To prevent flooding of Layer 3 traffic that is routed between different DFCs, the platform uses the concept of a Routed MAC. When a new MAC address is learned at the ingress linecard/DFC and traffic to it is routed (Layer 3) and sent out of another linecard, the egress linecard learns that MAC address through an internal mechanism. On the ingress linecard the MAC is classified as a Primary entry, while on the egress linecard it is classified as a Routed MAC (RM).
RM entries are aged out every 300 seconds, irrespective of whether traffic is being forwarded to that MAC, and until the entry is relearned the routed traffic is flooded as unknown unicast. Because unknown unicast traffic is blocked out of every port configured with switchport block unicast, the flooded frames never reach hosts behind those ports, so traffic to them is dropped until the Routed MAC entry is relearned.
Since this is expected behaviour, either of these workarounds can be performed:
Use static MAC entries in order to avoid aging out.
Use Layer 3 physical interfaces in order to avoid the use of Routed MAC entries.
Refer to Cisco bug ID CSCef72013 for more information.
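The two workarounds above, as an added example that is not part of the original page. The host MAC 0000.1111.2222, VLAN 10, the interface names and the IP addressing are assumed values; Gi3/1 is taken to be a block-unicast port and Gi4/1 a port on a different DFC linecard.

```cisco
! Added example, assumed values: host 0000.1111.2222 sits behind Gi3/1 in VLAN 10,
! and Gi3/1 is configured with switchport block unicast.
!
! Workaround 1: pin the MAC with a static entry so it is never aged out on any
! linecard. Older 12.2SX releases use the hyphenated form: mac-address-table static ...
mac address-table static 0000.1111.2222 vlan 10 interface GigabitEthernet3/1
!
! Workaround 2: terminate the routed segment on a physical Layer 3 interface.
! A routed port is not a switchport, so there is no Layer 2 MAC entry to learn
! on the egress linecard and no Routed MAC entry to age out.
interface GigabitEthernet4/1
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! Verify that the entry for the host is now static rather than dynamic.
show mac address-table address 0000.1111.2222
```

Workaround 1 trades the 300 second aging problem for an operational one: a static entry follows the host only if the configuration is updated whenever the host moves, so it suits servers and appliances behind isolated ports rather than user access ports.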