Occasionally, unknown unicast or multicast traffic is flooded to a switch port because a MAC address has timed out or has not been learned by the switch. This condition is especially undesirable for a private VLAN isolated port.
By default, a switch floods packets with unknown destination MAC addresses to all ports in the VLAN. If unknown unicast or multicast traffic is forwarded to a switch port, the host on that port receives frames that are not addressed to it, which is a security concern. In order to prevent forwarding such traffic, you can configure a port to block unknown unicast or multicast packets.
Unknown unicast traffic is flooded to all Layer 2 ports in a VLAN. You can prevent this behavior with the Unknown Unicast Flood Blocking (UUFB) feature. It blocks the flooding of unknown unicast traffic and only permits egress traffic whose destination MAC addresses are known to exit on that port. The feature is enabled on any port configured with the switchport block unicast command, which includes private VLAN (PVLAN) ports.
This behaviour is due to the Catalyst 6500 platform architecture. Because forwarding is distributed across several DFCs, the platform uses the concept of a Routed MAC (RM) to prevent the flooding of Layer-3 traffic that is routed from one DFC to another. When a new MAC address is learned at the ingress line card/DFC and traffic to it is routed (Layer 3) and sent out of another line card, the egress line card learns that MAC address through an internal mechanism. On the ingress line card the MAC is classified as a Primary entry, while on the egress line card it is classified as a Routed MAC (RM).
RM entries are aged out every 300 seconds, regardless of whether traffic is being forwarded for that MAC, so traffic destined to that MAC is flooded as unknown unicast once the entry has aged. Because unknown unicast traffic is blocked on every port configured with switchport block unicast, that traffic does not reach a host attached to such a port.
Since this is expected behaviour, either of these workarounds can be used:
Use static MAC entries, which do not age out.
Use Layer-3 physical (routed) interfaces instead of SVIs, so that the switch does not need RM entries for that traffic.
Refer to Cisco bug ID CSCef72013 for more information.
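The configuration below is an added example, not part of the original document or of any Cisco bug note, showing a UUFB-protected port together with both workarounds on a Catalyst 6500 running IOS. The interface names, VLAN, IP addresses and MAC address are hypothetical; the commands are standard IOS syntax.

```cisco
! Added example (not from the original document). Catalyst 6500 IOS.
! Interface names, VLAN 10, the IP address and the MAC address are
! hypothetical values chosen for illustration.

! --- Port protected by UUFB: unknown unicast is dropped on egress -------
interface GigabitEthernet3/1
 description Server on VLAN 10 (hypothetical)
 switchport
 switchport access vlan 10
 switchport mode access
 switchport block unicast
 switchport block multicast
!
! --- Workaround 1: static MAC entry ------------------------------------
! A static entry never ages out, so traffic to this server keeps a valid
! egress entry instead of becoming unknown unicast every 300 seconds.
! (Older releases spell the command "mac-address-table static".)
mac address-table static 0050.56aa.bbcc vlan 10 interface GigabitEthernet3/1
!
! --- Workaround 2: Layer-3 physical interface --------------------------
! A routed port resolves its next hop through ARP and the Layer-3
! adjacency, so no Layer-2 (RM) entry is needed on the egress line card.
interface GigabitEthernet3/2
 description Routed link to next hop (hypothetical)
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! --- Verification -------------------------------------------------------
! The first command should list the entry with type "static"; a learned
! entry shows "dynamic" and is subject to the timer shown by the second.
! show mac address-table address 0050.56aa.bbcc
! show mac address-table aging-time
```

Apply workaround 1 per host where the host must stay behind a block unicast port (for example a PVLAN isolated port); workaround 2 only fits where the port can be converted to a routed link, since a routed port no longer participates in the VLAN.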