Friday, January 9, 2009

Blocking traffic to random unicast MAC addresses

Ran into this command today. Never even knew about it:

Rack1SW1(config)#int f0/22
Rack1SW1(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  backup         Set backup for the interface
  block          Disable forwarding of unknown uni/multi cast addresses
  host           Set port host
  mode           Set trunking mode of the interface
  nonegotiate    Device will not engage in negotiation protocol on this interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  private-vlan   Set the private VLAN configuration
  protected      Configure an interface to be a protected port
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes

Rack1SW1(config-if)#switchport block unicast
Rack1SW1(config-if)#switchport block multicast


From the DocCD:

"By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports."

Configuring Port Blocking
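One way to audit a switch for this setting, as an added example that is not from the original post: the script below parses the per-interface text of Catalyst "show interfaces switchport" (which reports "Unknown unicast blocked" and "Unknown multicast blocked" per port) and lists switched, non-trunk ports that still flood unknown traffic. The sample output is constructed in that command's shape, not captured from Rack1SW1, and skipping trunks is an assumed policy choice.

```python
import re

# Constructed sample in the shape of "show interfaces switchport" output:
# Fa0/21 has the defaults, Fa0/22 has both block commands applied.
SAMPLE_OUTPUT = """\
Name: Fa0/21
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Name: Fa0/22
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Protected: true
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled
"""

def parse_switchport(output):
    """Return {interface: {field: value}} from show interfaces switchport text."""
    ports = {}
    current = None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(": ")
        if key == "Name":               # each "Name:" line starts a new port block
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports

def unblocked_ports(output):
    """List (interface, [kinds]) where unknown unicast/multicast flooding is
    still allowed. Trunks are skipped (assumption: blocking is applied only to
    edge ports, since uplinks must carry unknown destinations by design)."""
    findings = []
    for name, fields in parse_switchport(output).items():
        if fields.get("Switchport") != "Enabled":
            continue
        if re.match(r"trunk", fields.get("Administrative Mode", "")):
            continue
        flooding = [kind for kind in ("unicast", "multicast")
                    if fields.get(f"Unknown {kind} blocked") != "enabled"]
        if flooding:
            findings.append((name, flooding))
    return findings

if __name__ == "__main__":
    for name, kinds in unblocked_ports(SAMPLE_OUTPUT):
        print(f"{name}: unknown {'/'.join(kinds)} flooding not blocked")
```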

1 comment:

  1. Did anyone have an issue with this command while forwarding IPv6 ND NS frames?

    thanks
    kikino

