Occasionally, unknown unicast or multicast traffic is flooded to a switch port because a MAC address has timed out or has not been learned by the switch. This condition is especially undesirable for a private VLAN isolated port.
By default, a switch floods packets with unknown destination MAC addresses to all ports. If unknown unicast and multicast traffic is forwarded to a switch port, there can be security issues. In order to prevent forwarding such traffic, you can configure a port to block unknown unicast or multicast packets.
Unknown unicast traffic is flooded to all Layer 2 ports in a VLAN. You can prevent this behavior if you use the Unknown Unicast Flood Blocking (UUFB) feature. It blocks unknown unicast traffic flooding and only permits egress traffic with MAC addresses that are known to exit on the port. This feature is supported on all ports that are configured with the switchport block unicast command, which includes private VLAN (PVLAN) ports.
This issue is due to the Catalyst 6k platform architecture. In order to prevent the flooding of Layer-3 traffic routed across different DFCs, which the distributed forwarding architecture would otherwise cause, the platform uses the concept of the Routed MAC. When a new MAC is learned at the ingress linecard/DFC, and it is routed (Layer-3) and sent out from another linecard, the egress linecard learns about this MAC address through an internal mechanism. On the ingress linecard the MAC is classified as a Primary entry, while on the egress linecard the address is classified as a Routed MAC (RM).
RM entries are aged out every 300 seconds, irrespective of whether traffic is forwarded for that MAC, so their expiry creates unicast flooding. Unknown unicast traffic is blocked out of every block unicast port.
Since this is expected behaviour, either of these workarounds can be performed:
Use static MAC entries in order to avoid aging out.
Use Layer-3 physical interfaces in order to avoid use of RM.
Refer to Cisco bug ID CSCef72013 for more information.
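The blocking configuration and both workarounds, shown as an added IOS example that is not part of the original article; the interface names, VLAN 10, the IP address and the MAC address 0000.1111.2222 are constructed placeholders.

```cisco
! Added example: block unknown unicast and multicast flooding on an access port
interface GigabitEthernet1/1
 switchport
 switchport access vlan 10
 switchport block unicast
 switchport block multicast
!
! Workaround 1: a static MAC entry for the host behind Gi1/1 is never aged
! out, so the 300-second RM aging cannot trigger flooding toward this host
! (constructed MAC address)
mac address-table static 0000.1111.2222 vlan 10 interface GigabitEthernet1/1
!
! Workaround 2: route on a Layer-3 physical interface instead of an SVI, so
! no Routed MAC (RM) entry is created on the egress linecard (constructed address)
interface GigabitEthernet2/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
! Verification from exec mode: the first command lists the static entry, the
! second reports whether unknown unicast/multicast blocking is enabled on the port
show mac address-table static vlan 10
show interfaces GigabitEthernet1/1 switchport
```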