Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2745
Views
0
Helpful
8
Replies

Blocking multicast and unicast flooding on specific ports on Cisco 6509

Go to solution
bhushit17
Level 1
Level 1

‎01-07-2016 10:53 PM - edited ‎03-08-2019 03:20 AM

Hi,

I want to block unicast/multicast flooding on cisco 6509 (only L2 capabilities).

The packets destined for a mac not known to the switch are unicast/multicast flooded to all ports of the switch, but I have a couple of ports connected to critical servers which should not get these packets.
I tried blocking the multicast and unicast (switchport block multicast) but it does block ping from local network also.

switchport block multicast

switchport block unicast


How can I stop just that flooding of packet to these couple of ports ?

Thanks

3 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to bhushit17

‎01-11-2016 12:36 PM

Well done.  The other option is to create a new layer 3 subnet, and a new VLAN, and put the Microsoft NLB into that.  Then the flooding will be limited to only ports in that VLAN.

View solution in original post

0 Helpful

Go to solution
chsarkar
Cisco Employee
Cisco Employee
In response to bhushit17

‎01-12-2016 07:40 AM

Hi Bhushit17,

Ok, if you have implemented NLB in Unicast Mode, it is recommended that you use a dedicated VLAN for NLB so that the flooding is constrained.

More explanation below :

Unicast Mode

  • In Unicast mode, NLB replaces the actual Media Access Control (MAC) address of each server in the cluster with a common NLB MAC address. When all of the servers in the cluster have the same MAC address, all of the packets that are forwarded to that address are sent to all of the members in the cluster. The NLB creates a fictitious MAC address and assigns it to each server in the NLB cluster. The NLB assigns each NLB server a different fictitious MAC address, based on the host ID of the member. This address appears in the Ethernet frame header.

  • The MAC address is used in the Address Resolution Protocol (ARP) header, not the Ethernet header. The switch uses the MAC address in the Ethernet header, not the ARP header. This causes an issue when a packet is sent to the NLB cluster with the destination MAC address as the cluster MAC address 00-bf-ac-10-00-01. The switch views the Content Addressable Memory (CAM) table for the MAC address 00-bf-ac-10-00-01, and since there is no port registered with the NLB cluster MAC address 00-bf-ac-10-00-01, the frame is delivered to all of the switch ports. This introduces unicast floodingIn order to avoid flooding, Cisco recommends that you use a dedicated VLAN for NLB so that the flooding is constrained.

Good read below :

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/107995-configure-nlb-00.html

Hope this helps you !

Mark it useful if you feel so.

Cheers ! :)

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-07-2016 11:01 PM

<snip> Oops, got that wrong.  I would have tried the approach you already have.

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Philip D'Ath

‎01-07-2016 11:02 PM

It should only block a "ping" to a host it has not yet seen.  As soon as the host "talks" it should work.

0 Helpful

Go to solution
bhushit17
Level 1
Level 1
In response to Philip D'Ath

‎01-07-2016 11:29 PM

Yes it should, but this isn't happening unless I start the ping before putting the command:

switchport block multicast

I think arp resolution isn't possible after the command.

0 Helpful

Go to solution
chsarkar
Cisco Employee
Cisco Employee
In response to bhushit17

‎01-10-2016 08:10 AM

Hello,

If switch has to re-learn the server mac,  it has to floods packets with unknown destination MAC addresses to all ports.. Having said that, if you block unicst/mcast flood to those ports, then it wont learn and put mac entry.

I would not advise you to go for blocking uncst/mcast flood pkts, unless you know there wont be any situation of mac ageing out. 

Hope it helps !

Cheers ... :)

0 Helpful

Go to solution
bhushit17
Level 1
Level 1
In response to chsarkar

‎01-11-2016 02:59 AM

Hi Chsarkar,

Actually I have Microsoft Network Load Balancer connected to this same switch, and there is Multicast mac configured in that NLB, now since this is only an L2 switch, no mac has been learnt by this switch hence this flooding.

Now I am trying to configure static mac for this NLB on switch, hope it will solve my problem.

Thanks,

Cheers :)

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to bhushit17

‎01-11-2016 12:36 PM

Well done.  The other option is to create a new layer 3 subnet, and a new VLAN, and put the Microsoft NLB into that.  Then the flooding will be limited to only ports in that VLAN.

0 Helpful

Go to solution
chsarkar
Cisco Employee
Cisco Employee
In response to bhushit17

‎01-12-2016 07:40 AM

Hi Bhushit17,

Ok, if you have implemented NLB in Unicast Mode, it is recommended that you use a dedicated VLAN for NLB so that the flooding is constrained.

More explanation below :

Unicast Mode

  • In Unicast mode, NLB replaces the actual Media Access Control (MAC) address of each server in the cluster with a common NLB MAC address. When all of the servers in the cluster have the same MAC address, all of the packets that are forwarded to that address are sent to all of the members in the cluster. The NLB creates a fictitious MAC address and assigns it to each server in the NLB cluster. The NLB assigns each NLB server a different fictitious MAC address, based on the host ID of the member. This address appears in the Ethernet frame header.

  • The MAC address is used in the Address Resolution Protocol (ARP) header, not the Ethernet header. The switch uses the MAC address in the Ethernet header, not the ARP header. This causes an issue when a packet is sent to the NLB cluster with the destination MAC address as the cluster MAC address 00-bf-ac-10-00-01. The switch views the Content Addressable Memory (CAM) table for the MAC address 00-bf-ac-10-00-01, and since there is no port registered with the NLB cluster MAC address 00-bf-ac-10-00-01, the frame is delivered to all of the switch ports. This introduces unicast floodingIn order to avoid flooding, Cisco recommends that you use a dedicated VLAN for NLB so that the flooding is constrained.

Good read below :

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/107995-configure-nlb-00.html

Hope this helps you !

Mark it useful if you feel so.

Cheers ! :)

0 Helpful

Go to solution
bhushit17
Level 1
Level 1
In response to chsarkar

‎01-16-2016 05:07 AM

Hi,

Configuring static mac does the job for me:),  although I can put the NLB in different vlan, that option should however be more apt before NLB implementation.

Thanks,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card