Contents

Blocking Unknown Unicast Flooding

This chapter contains the following sections:

Information About UUFB

Unknown unicast packet flooding (UUFB) limits unknown unicast flooding in the forwarding path to prevent the security risk of unwanted traffic reaching the Virtual Machines (VMs). UUFB prevents packets received on both vEthernet and Ethernet interfaces destined to unknown unicast addresses from flooding the VLAN. When UUFB is applied, Virtual Ethernet Modules (VEMs) drop unknown unicast packets coming in on the uplink ports.

After you disable unknown unicast packets globally, you can allow unicast flooding on either a single interface or all interfaces in a port profile.

You can also configure an interface or a port profile to never allow unknown unicasts to be blocked.

Guidelines and Limitations for UUFB

  • Before configuring UUFB, make sure that the VSM HA pair and all VEMs have been upgraded to the latest release by entering the show module command.

  • You must explicitly disable UUFB on virtual service domain (VSD) ports. You can disable UUFB in the VSD port profiles.

  • You must explicitly disable UUFB on the ports of an application or VM by using MAC addresses other than the one given by VMware.

  • You can configure an interface to make sure that an unknown unicast is never blocked.

  • Unknown unicast packets are dropped by Cisco UCS fabric interconnects when Cisco UCS is running in end-host-mode.

  • On Microsoft Network Load Balancing (MS-NLB) enabled vEthernet interfaces (by entering the no mac auto-static-learn command), UUFB does not block MS-NLB related packets. In these scenarios, UUFB can be used to limit flooding of MS-NLB packets to non-MS-NLB ports within a VLAN.

Default Settings for UUFB

Parameters

Default

uufb enable

Disabled

switchport uufb disable

Disabled

Configuring UUFB

Blocking Unknown Unicast Flooding Globally on the Switch

You can globally block unknown unicast packets from flooding the forwarding path for the switch.

Before You Begin

Log in to the CLI in EXEC mode.

Procedure
     Command or ActionPurpose
    Step 1 switch# configure terminal 

    Enables global configuration mode.

     
    Step 2switch(config)# [no] uufb enable 

    Configures UUFB globally for the VSM.

     
    Step 3switch(config)# show uufb status  (Optional)

    Displays the UUFB global setting for the VSM.

     
    Step 4switch(config)# copy running-config startup-config  (Optional)

    Copies the running configuration to the startup configuration.

     

    This example shows how to block unknown unicast flooding globally:

    switch# configure terminal
switch(config)# uufb enable
switch(config)# show uufb status
UUFB Status: Enabled
switch(config)# copy running-config startup-config
[########################################] 100%

    Configuring an Interface to Allow Unknown Unicast Flooding

    You can allow unknown unicast packets to flood a vEthernet interface if you have blocked flooding globally for the VSM. You can also make sure unknown unicast packets are never blocked on a specific interface, regardless of the global setting.

    If you have previously blocked unknown unicast packets globally, you can allow unicast flooding on either a single interface or all interfaces in a port profile.

    Before You Begin

    Log in to the CLI in EXEC mode.

    Procedure
       Command or ActionPurpose
      Step 1switch# configure terminal  

      Enters global configuration mode.

       
      Step 2switch(config)# interface vethernet interface-number 

      Places you in interface configuration mode for the specified interface.

       
      Step 3switch(config)# [no] switchport uufb disable 

      Disables blocking of unicast packet flooding for the named interface.

       
      Step 4switch(config)# show running-config vethernet interface-number  (Optional)

      Displays the running configuration for the interface for verification.

       
      Step 5switch(config)# copy running-config startup-config  (Optional)

      Copies the running configuration to the startup configuration.

       

      This example shows how to configure an interface to allow unknown unicast flooding:

      switch# configure terminal
switch(config)# interface vethernet 100
switch(config-if)# switchport uufb disable
switch(config-if)# show running-config interface veth100

!Command: show running-config interface Vethernet100
!Time: Fri Jun 10 12:43:53 2011

version 4.2(1)SV1(4a)

interface Vethernet100
  description accessvlan
  switchport access vlan 30
  switchport uufb disable
switch(config-if)# copy running-config startup-config
[########################################] 100%

      Configuring a Port Profile to Allow Unknown Unicast Flooding

      You can allow unknown unicast packets to flood the interfaces in an existing vEthernet port profile if you have disabled unicast flooding globally for the VSM. You can also make sure unknown unicast packets are never blocked on a specific port profile, regardless of the global setting.

      If you have previously blocked unknown unicast packets globally, you can then allow unicast flooding on either a single interface or all interfaces in a port profile.

      Before You Begin

      • Log in to the CLI in EXEC mode.

      • Configure the vEthernet port profile for which you want to allow flooding.

      Procedure
         Command or ActionPurpose
        Step 1switch# configure terminal  

        Enters global configuration mode.

         
        Step 2 switch(config)# port-profile profile-name 

        Places you in configuration mode for the named port profile.

         
        Step 3switch(config-port-prof)# [no] switchport uufb disable 

        Disables blocking of unicast packet flooding for all interfaces the named port profile.

         
        Step 4switch(config-port-prof)# show running-config port-profile profile-name  (Optional)

        Displays the configuration for the named port profile for verification.

         
        Step 5switch(config-port-prof)# copy running-config startup-config  (Optional)

        Copies the running configuration to the startup configuration.

         

        This example shows how to configure a port profile to allow unknown unicast flooding:

        switch# configure terminal
switch(config)# port-profile accessprof
switch(config-port-prof)# switchport uufb disable
switch(config-port-prof)# show running-config port-profile accessprof

!Command: show running-config port-profile accessprof
!Time: Fri Jun 10 12:06:38 2011

version 4.2(1)SV1(4a)
port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown
  description all_access
switch(config-port-prof)# copy running-config startup-config
[########################################] 100%

        Configuration Example for Blocking Unknown Unicast Packets

        This example shows how to block unknown unicast packets from flooding the forwarding path globally for the VSM:

        n1000v# config terminal
n1000v(config)# uufb enable
n1000v(config)# show uufb status
UUFB Status: Enabled
n1000v(config)# copy running-config startup-config
[########################################] 100%

        Feature History for UUFB

        This table only includes updates for those releases that have resulted in additions to the feature.

        Feature Name

        Releases

        Feature Information

        UUFB

        4.2(1)SV1(4a)

        This feature was introduced.
        Blocking Unknown Unicast Flooding

        Blocking Unknown Unicast Flooding

        This chapter contains the following sections:

        Information About UUFB

        Unknown unicast packet flooding (UUFB) limits unknown unicast flooding in the forwarding path to prevent the security risk of unwanted traffic reaching the Virtual Machines (VMs). UUFB prevents packets received on both vEthernet and Ethernet interfaces destined to unknown unicast addresses from flooding the VLAN. When UUFB is applied, Virtual Ethernet Modules (VEMs) drop unknown unicast packets coming in on the uplink ports.

        After you disable unknown unicast packets globally, you can allow unicast flooding on either a single interface or all interfaces in a port profile.

        You can also configure an interface or a port profile to never allow unknown unicasts to be blocked.

        Guidelines and Limitations for UUFB

        • Before configuring UUFB, make sure that the VSM HA pair and all VEMs have been upgraded to the latest release by entering the show module command.

        • You must explicitly disable UUFB on virtual service domain (VSD) ports. You can disable UUFB in the VSD port profiles.

        • You must explicitly disable UUFB on the ports of an application or VM by using MAC addresses other than the one given by VMware.

        • You can configure an interface to make sure that an unknown unicast is never blocked.

        • Unknown unicast packets are dropped by Cisco UCS fabric interconnects when Cisco UCS is running in end-host-mode.

        • On Microsoft Network Load Balancing (MS-NLB) enabled vEthernet interfaces (by entering the no mac auto-static-learn command), UUFB does not block MS-NLB related packets. In these scenarios, UUFB can be used to limit flooding of MS-NLB packets to non-MS-NLB ports within a VLAN.

        Default Settings for UUFB

        Parameters

        Default

        uufb enable

        Disabled

        switchport uufb disable

        Disabled

        Configuring UUFB

        Blocking Unknown Unicast Flooding Globally on the Switch

        You can globally block unknown unicast packets from flooding the forwarding path for the switch.

        Before You Begin

        Log in to the CLI in EXEC mode.

        Procedure
           Command or ActionPurpose
          Step 1 switch# configure terminal 

          Enables global configuration mode.

           
          Step 2switch(config)# [no] uufb enable 

          Configures UUFB globally for the VSM.

           
          Step 3switch(config)# show uufb status  (Optional)

          Displays the UUFB global setting for the VSM.

           
          Step 4switch(config)# copy running-config startup-config  (Optional)

          Copies the running configuration to the startup configuration.

           

          This example shows how to block unknown unicast flooding globally:

          switch# configure terminal
switch(config)# uufb enable
switch(config)# show uufb status
UUFB Status: Enabled
switch(config)# copy running-config startup-config
[########################################] 100%

          Configuring an Interface to Allow Unknown Unicast Flooding

          You can allow unknown unicast packets to flood a vEthernet interface if you have blocked flooding globally for the VSM. You can also make sure unknown unicast packets are never blocked on a specific interface, regardless of the global setting.

          If you have previously blocked unknown unicast packets globally, you can allow unicast flooding on either a single interface or all interfaces in a port profile.

          Before You Begin

          Log in to the CLI in EXEC mode.

          Procedure
             Command or ActionPurpose
            Step 1switch# configure terminal  

            Enters global configuration mode.

             
            Step 2switch(config)# interface vethernet interface-number 

            Places you in interface configuration mode for the specified interface.

             
            Step 3switch(config)# [no] switchport uufb disable 

            Disables blocking of unicast packet flooding for the named interface.

             
            Step 4switch(config)# show running-config vethernet interface-number  (Optional)

            Displays the running configuration for the interface for verification.

             
            Step 5switch(config)# copy running-config startup-config  (Optional)

            Copies the running configuration to the startup configuration.

             

            This example shows how to configure an interface to allow unknown unicast flooding:

            switch# configure terminal
switch(config)# interface vethernet 100
switch(config-if)# switchport uufb disable
switch(config-if)# show running-config interface veth100

!Command: show running-config interface Vethernet100
!Time: Fri Jun 10 12:43:53 2011

version 4.2(1)SV1(4a)

interface Vethernet100
  description accessvlan
  switchport access vlan 30
  switchport uufb disable
switch(config-if)# copy running-config startup-config
[########################################] 100%

            Configuring a Port Profile to Allow Unknown Unicast Flooding

            You can allow unknown unicast packets to flood the interfaces in an existing vEthernet port profile if you have disabled unicast flooding globally for the VSM. You can also make sure unknown unicast packets are never blocked on a specific port profile, regardless of the global setting.

            If you have previously blocked unknown unicast packets globally, you can then allow unicast flooding on either a single interface or all interfaces in a port profile.

            Before You Begin

            • Log in to the CLI in EXEC mode.

            • Configure the vEthernet port profile for which you want to allow flooding.

            Procedure
               Command or ActionPurpose
              Step 1switch# configure terminal  

              Enters global configuration mode.

               
              Step 2 switch(config)# port-profile profile-name 

              Places you in configuration mode for the named port profile.

               
              Step 3switch(config-port-prof)# [no] switchport uufb disable 

              Disables blocking of unicast packet flooding for all interfaces the named port profile.

               
              Step 4switch(config-port-prof)# show running-config port-profile profile-name  (Optional)

              Displays the configuration for the named port profile for verification.

               
              Step 5switch(config-port-prof)# copy running-config startup-config  (Optional)

              Copies the running configuration to the startup configuration.

               

              This example shows how to configure a port profile to allow unknown unicast flooding:

              switch# configure terminal
switch(config)# port-profile accessprof
switch(config-port-prof)# switchport uufb disable
switch(config-port-prof)# show running-config port-profile accessprof

!Command: show running-config port-profile accessprof
!Time: Fri Jun 10 12:06:38 2011

version 4.2(1)SV1(4a)
port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown
  description all_access
switch(config-port-prof)# copy running-config startup-config
[########################################] 100%

              Configuration Example for Blocking Unknown Unicast Packets

              This example shows how to block unknown unicast packets from flooding the forwarding path globally for the VSM:

              n1000v# config terminal
n1000v(config)# uufb enable
n1000v(config)# show uufb status
UUFB Status: Enabled
n1000v(config)# copy running-config startup-config
[########################################] 100%

              Feature History for UUFB

              This table only includes updates for those releases that have resulted in additions to the feature.

              Feature Name

              Releases

              Feature Information

              UUFB

              4.2(1)SV1(4a)

              This feature was introduced.