Blocking Unknown Unicast Flooding
This chapter contains the following sections:
- Information About UUFB
- Guidelines and Limitations for UUFB
- Default Settings for UUFB
- Configuring UUFB
- Configuration Example for Blocking Unknown Unicast Packets
- Feature History for UUFB
Information About UUFB
Unknown Unicast Flooding Blocking (UUFB) limits unknown unicast flooding in the forwarding path so that unwanted traffic does not reach virtual machines (VMs). A unicast frame whose destination MAC address is not in the forwarding table is normally flooded to every port in the VLAN; UUFB prevents such packets, whether received on vEthernet or Ethernet interfaces, from being flooded to the VLAN. When UUFB is applied, the Virtual Ethernet Modules (VEMs) drop unknown unicast packets that arrive on the uplink ports.
After you enable UUFB globally, you can still allow unknown unicast flooding on either a single interface or on all interfaces in a port profile.
You can also configure an interface or a port profile so that unknown unicast packets are never blocked on it, regardless of the global setting.
Guidelines and Limitations for UUFB
Before configuring UUFB, make sure that the VSM HA pair and all VEMs have been upgraded to the latest release. Verify the software version of each module by entering the show module command.
You must explicitly disable UUFB on virtual service domain (VSD) ports. You can do this in the VSD port profiles.
You must explicitly disable UUFB on the ports of any application or VM that uses a MAC address other than the one assigned by VMware. The VEM only knows the VMware-assigned address, so traffic to the other address is unknown unicast and would be dropped while UUFB is enabled.
You can configure an interface so that unknown unicast packets are never blocked on it.
Unknown unicast packets are dropped by Cisco UCS fabric interconnects when Cisco UCS is running in end-host mode.
On vEthernet interfaces enabled for Microsoft Network Load Balancing (MS-NLB), that is, interfaces configured with the no mac auto-static-learn command, UUFB does not block MS-NLB related packets. In this case UUFB can be used to limit flooding of MS-NLB packets to the non-MS-NLB ports within the VLAN.
Default Settings for UUFB
Parameter | Default
---|---
uufb enable | Disabled (unknown unicast flooding is allowed globally)
switchport uufb disable | Disabled (the interface or port profile follows the global setting)
Configuring UUFB
Blocking Unknown Unicast Flooding Globally on the Switch
You can globally block unknown unicast packets from flooding the forwarding path for the switch.
Before you begin, log in to the CLI in EXEC mode.
This example shows how to block unknown unicast flooding globally, verify the status, and save the configuration:
switch# configure terminal
switch(config)# uufb enable
switch(config)# show uufb status
UUFB Status: Enabled
switch(config)# copy running-config startup-config
[########################################] 100%
Configuring an Interface to Allow Unknown Unicast Flooding
You can allow unknown unicast packets to flood a vEthernet interface if you have blocked flooding globally for the VSM. Because the switchport uufb disable command applies regardless of the global setting, it also makes sure that unknown unicast packets are never blocked on that interface, even if UUFB is enabled globally later.
Before you begin, log in to the CLI in EXEC mode.
This example shows how to configure an interface to allow unknown unicast flooding and verify the result:
switch# configure terminal
switch(config)# interface vethernet 100
switch(config-if)# switchport uufb disable
switch(config-if)# show running-config interface veth100
!Command: show running-config interface Vethernet100
!Time: Fri Jun 10 12:43:53 2011
version 4.2(1)SV1(4a)
interface Vethernet100
  description accessvlan
  switchport access vlan 30
  switchport uufb disable
switch(config-if)# copy running-config startup-config
[########################################] 100%
Configuring a Port Profile to Allow Unknown Unicast Flooding
You can allow unknown unicast packets to flood all interfaces in an existing vEthernet port profile if you have blocked flooding globally for the VSM. As with a single interface, the switchport uufb disable command in a port profile applies regardless of the global setting, so unknown unicast packets are never blocked on any interface that inherits the profile.
Before you begin, log in to the CLI in EXEC mode.
This example shows how to configure a port profile to allow unknown unicast flooding and verify the result:
switch# configure terminal
switch(config)# port-profile accessprof
switch(config-port-prof)# switchport uufb disable
switch(config-port-prof)# show running-config port-profile accessprof
!Command: show running-config port-profile accessprof
!Time: Fri Jun 10 12:06:38 2011
version 4.2(1)SV1(4a)
port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown
  description all_access
switch(config-port-prof)# copy running-config startup-config
[########################################] 100%
Configuration Example for Blocking Unknown Unicast Packets
This example shows how to block unknown unicast packets from flooding the forwarding path globally for the VSM:
n1000v# config terminal
n1000v(config)# uufb enable
n1000v(config)# show uufb status
UUFB Status: Enabled
n1000v(config)# copy running-config startup-config
[########################################] 100%
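Every switchport uufb disable line, whether on an interface or inherited through a port profile, is a standing exception to the global block, so it is worth auditing them together with the global setting. The following script is an added example and is not part of the Cisco guide or the Nexus 1000V software. It parses the running-config text in the format shown in the examples above (a global uufb enable line, and switchport uufb disable lines under interface and port-profile blocks) and reports the global state and every exempted interface and port profile. The SAMPLE_CONFIG text, the profile name webprof and the interface Vethernet101 are constructed for illustration; the function and class names are the example's own.

```python
"""Audit a Nexus 1000V running-config for UUFB coverage.

Added example, not code from the Cisco guide.  It reads `show running-config`
text in the format shown in this chapter and reports:
  - whether `uufb enable` is present globally, and
  - every interface or port profile carrying `switchport uufb disable`.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one global block, one exempt profile, one exempt veth.
SAMPLE_CONFIG = """\
version 4.2(1)SV1(4a)
uufb enable
port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown
  description all_access
port-profile type vethernet webprof
  vmware port-group
  switchport mode access
  switchport access vlan 31
  no shutdown
interface Vethernet100
  description accessvlan
  switchport access vlan 30
  switchport uufb disable
interface Vethernet101
  inherit port-profile webprof
"""

INTERFACE_RE = re.compile(r"interface\s+(\S+)$")
# `port-profile NAME` or `port-profile type vethernet NAME`
PORT_PROFILE_RE = re.compile(r"port-profile(?:\s+type\s+\S+)?\s+(\S+)$")


@dataclass
class UufbReport:
    global_enabled: bool
    exempt_interfaces: list = field(default_factory=list)
    exempt_port_profiles: list = field(default_factory=list)


def audit_uufb(config_text: str) -> UufbReport:
    """Walk the config line by line, tracking which top-level block we are in.

    NX-OS running-config indents sub-commands, so an unindented line starts a
    new block (or is a global command such as `uufb enable`).
    """
    report = UufbReport(global_enabled=False)
    block = None  # ("interface", name) or ("port-profile", name)
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank or `!Command:` / `!Time:` comment lines
        if not line.startswith(" "):
            block = None
            if line == "uufb enable":
                report.global_enabled = True
                continue
            m = INTERFACE_RE.match(line)
            if m:
                block = ("interface", m.group(1))
                continue
            m = PORT_PROFILE_RE.match(line)
            if m:
                block = ("port-profile", m.group(1))
            continue
        if block and line.strip() == "switchport uufb disable":
            kind, name = block
            target = (report.exempt_interfaces if kind == "interface"
                      else report.exempt_port_profiles)
            target.append(name)
    return report


def findings(report: UufbReport) -> list:
    """Turn the report into review findings, most severe first."""
    out = []
    if not report.global_enabled:
        out.append("uufb enable is missing: unknown unicast floods every VLAN on the VEMs")
    for name in report.exempt_port_profiles:
        out.append(f"port-profile {name} allows unknown unicast flooding on all member ports")
    for name in report.exempt_interfaces:
        out.append(f"interface {name} allows unknown unicast flooding")
    return out


if __name__ == "__main__":
    for line in findings(audit_uufb(SAMPLE_CONFIG)):
        print(line)
```

Feed it the output of show running-config from the VSM. Each exemption it lists should map to a documented need such as a VSD port, an MS-NLB cluster, or a VM that uses a MAC address other than the one VMware assigned; anything else is flooding that UUFB was meant to stop.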
Feature History for UUFB
This table includes only the releases in which the feature was added or changed.
Feature Name | Releases | Feature Information
---|---|---
UUFB | 4.2(1)SV1(4a) | This feature was introduced.