Re: blocking unknown unicast or multicast traffic

adavenport · ‎11-17-2006

Would anyone like to comment on the pros and/or cons of blocking the flooding of unknown unicast or multicast traffic?

On a lan with perhaps as many 650 hosts, I am observing some (relatively small) amount of this. Just wondered about the consequences of blocking it.

TIA,

Roger

amit-singh · ‎11-17-2006

Hi Roger,

Blocking the flooding of Unknown unicast and multicast traffic works in conjuction with the protected ports on the switch.

A protected port is the one where at layer2 one port on the switch doesnot send unicast/broadcast or multicast traffic to other ports. This is basically used to design the layer 2 security/sgementation purposes where you dont want the switcports to talk to each other or see the traffic from other ports.If unknown unicast/multicast is there, then the switch will flood that packet to everyport on this switch and even to protected ports. This can led to some security issues on the switch, that's why we block the unknown unicast and multicast traffic on the switch ports.

To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.

Switch# configure terminal

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# switchport block multicast

Switch(config-if)# switchport block unicast

Switch(config-if)# end

If you have a huge broadcast/unicast or multicast storm on your network then you can use Strom control feature on the switch.Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/12225see/scg/swtrafc.htm

HTH,

-amit singh