TCC_2
Core issue

Occasionally, unknown unicast or multicast traffic is flooded to a switch port because a MAC address has timed out or has not been learned by the switch. This condition is especially undesirable for a private VLAN isolated port.

By default, a switch floods packets with unknown destination MAC addresses to all ports. If unknown unicast and multicast traffic is forwarded to a switch port, there can be security issues. In order to prevent forwarding such traffic, you can configure a port to block unknown unicast or multicast packets.

Unknown unicast traffic is flooded to all Layer 2 ports in a VLAN. You can prevent this behavior with the Unknown Unicast Flood Blocking (UUFB) feature. It blocks the flooding of unknown unicast traffic and only permits egress traffic destined for MAC addresses that are known on the port. This feature is supported on all ports that are configured with the switchport block unicast command, which includes private VLAN (PVLAN) ports.
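The configuration below is an added example, not part of the original note, showing how the blocking described above is applied to a PVLAN isolated host port on a Catalyst switch running IOS. The VLAN numbers (200 primary, 201 isolated) and the interface GigabitEthernet1/1 are constructed placeholders; the switchport block commands and the show command are standard IOS syntax.

```text
! Added example: private VLAN definitions (VLAN numbers are placeholders)
vlan 201
 private-vlan isolated
!
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Isolated host port; block flooded unknown unicast and multicast so that
! traffic for an unlearned or aged-out MAC is dropped instead of flooded
interface GigabitEthernet1/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 switchport block unicast
 switchport block multicast
!
! Verification: the output lists whether unknown unicast and unknown
! multicast blocking is enabled on the port
show interfaces GigabitEthernet1/1 switchport
```

The block commands only change what happens to traffic whose destination MAC is unknown on that port; they do not stop the aging behaviour described in the next paragraphs, which is why the same port can lose reachability once a Routed MAC entry expires.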

This issue is due to the Catalyst 6k platform architecture. Because forwarding is distributed across DFCs, a packet can be routed (Layer 3) on one linecard and sent out of another; to prevent this routed traffic from being flooded, the platform uses the concept of the Routed MAC. When a new MAC is learned on the ingress linecard/DFC and traffic to it is routed and sent out of another linecard, the egress linecard learns the MAC address through an internal mechanism. On the ingress linecard the MAC is classified as a Primary entry, while on the egress linecard the address is classified as a Routed MAC (RM).

RM entries are aged out every 300 seconds, regardless of whether traffic is being forwarded for that MAC, and this creates unicast flooding. That unknown unicast traffic is then blocked on every port configured with switchport block unicast.

Resolution

Since this is expected behaviour, either of these workarounds can be used:

  • Use static MAC entries in order to avoid aging out.

  • Use Layer-3 physical interfaces in order to avoid use of RM.

Refer to Cisco bug ID CSCef72013 for more information.
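The following IOS configuration is an added example, not part of the original note, showing both workarounds listed above. The MAC address 0000.0c12.3456, VLAN 201, IP address 192.0.2.1 and the interfaces GigabitEthernet1/1 and GigabitEthernet1/2 are constructed placeholders; the command syntax is standard IOS (on older 12.2SX releases the static entry command is written mac-address-table static).

```text
! Workaround 1: a static MAC entry is never aged out, so the egress
! linecard always knows the host behind the block-unicast port
! (MAC, VLAN and interface are placeholders)
mac address-table static 0000.0c12.3456 vlan 201 interface GigabitEthernet1/1
!
! Check that the entry is present and typed as static
show mac address-table address 0000.0c12.3456
!
! Workaround 2: route on a physical interface instead of an SVI, so the
! Routed MAC mechanism is not involved for this traffic
interface GigabitEthernet1/2
 no switchport
 ip address 192.0.2.1 255.255.255.0
 no shutdown
```

Workaround 1 is per host, so it is only practical for a small number of servers behind isolated ports; workaround 2 changes the topology (the port is no longer part of the PVLAN) and is the option to prefer where a dedicated routed link is acceptable.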
