Cisco Nexus 1000V Security Configuration Guide, Release 4.2(1)SV2(2.1)
Blocking Unknown Unicast Flooding

Blocking Unknown Unicast Flooding

Information About UUFB

Unknown unicast flood blocking (UUFB) limits unknown unicast flooding in the forwarding path to reduce the security risk of unwanted traffic reaching virtual machines (VMs). UUFB prevents packets received on both vEthernet and Ethernet interfaces that are destined to unknown unicast MAC addresses from flooding the VLAN. When UUFB is enabled, Virtual Ethernet Modules (VEMs) drop unknown unicast packets received on uplink (Ethernet) ports, and unknown unicast packets received on vEthernet interfaces are forwarded only to uplink ports, not to the other vEthernet interfaces in the VLAN.

After you block unknown unicast flooding globally, you can allow it again on either a single interface or all interfaces in a port profile.

You can also configure an interface or a port profile so that unknown unicast packets are never blocked on it, regardless of the global setting.

Guidelines and Limitations for UUFB

  • Before configuring UUFB, make sure that the VSM HA pair and all VEMs have been upgraded to the latest release. Enter the show module command to verify the software version running on each module.
  • You must explicitly disable UUFB on virtual service domain (VSD) ports. You can disable UUFB in the VSD port profiles.
  • You must explicitly disable UUFB on the ports of any application or VM that uses MAC addresses other than the one assigned by VMware, because traffic to those addresses reaches the VEM as unknown unicast and would otherwise be dropped.
  • You can configure an interface or port profile so that unknown unicast packets are never blocked on it.
  • Unknown unicast packets are dropped by Cisco UCS fabric interconnects when Cisco UCS is running in end-host mode.
  • On vEthernet interfaces enabled for Microsoft Network Load Balancing (MS-NLB) by entering the no mac auto-static-learn command, UUFB does not block MS-NLB related packets. In these scenarios, UUFB can be used to keep MS-NLB packets from flooding to non-MS-NLB ports in the same VLAN.

Default Settings for UUFB

Parameter                    Default
uufb enable                  Disabled (unknown unicast flooding is not blocked)
switchport uufb disable      Disabled (interfaces and port profiles follow the global setting)

Configuring UUFB

Blocking Unknown Unicast Flooding Globally on the Switch

You can globally block unknown unicast packets from flooding the forwarding path for the switch.

Before You Begin

Log in to the CLI in EXEC mode.

Procedure
Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# [no] uufb enable
        Enables UUFB globally for the VSM. The no form disables it.

Step 3  switch(config)# show uufb status  (Optional)
        Displays the UUFB global setting for the VSM.

Step 4  switch(config)# copy running-config startup-config  (Optional)
        Copies the running configuration to the startup configuration.

This example shows how to block unknown unicast flooding globally:

switch# configure terminal
switch(config)# uufb enable
switch(config)# show uufb status
UUFB Status: Enabled
switch(config)# copy running-config startup-config
[########################################] 100%

Configuring an Interface to Allow Unknown Unicast Flooding

You can allow unknown unicast packets to flood a vEthernet interface after you have blocked flooding globally for the VSM. The same command also makes sure unknown unicast packets are never blocked on that interface, regardless of the global setting.

If you want to allow flooding on all interfaces that share a port profile rather than on a single interface, configure the port profile instead.

Before You Begin

Log in to the CLI in EXEC mode.

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# interface vethernet interface-number
        Places you in interface configuration mode for the specified vEthernet interface.

Step 3  switch(config-if)# [no] switchport uufb disable
        Disables UUFB on the interface so that unknown unicast packets are always allowed to flood to it, regardless of the global setting. The no form removes the exception and returns the interface to the global setting.

Step 4  switch(config-if)# show running-config interface vethernet interface-number  (Optional)
        Displays the running configuration of the interface for verification.

Step 5  switch(config-if)# copy running-config startup-config  (Optional)
        Copies the running configuration to the startup configuration.

This example shows how to configure an interface to allow unknown unicast flooding:

switch# configure terminal
switch(config)# interface vethernet 100
switch(config-if)# switchport uufb disable
switch(config-if)# show running-config interface veth100

!Command: show running-config interface Vethernet100
!Time: Fri Jun 10 12:43:53 2011

version 4.2(1)SV1(4a)

interface Vethernet100
  description accessvlan
  switchport access vlan 30
  switchport uufb disable
switch(config-if)# copy running-config startup-config
[########################################] 100%

Configuring a Port Profile to Allow Unknown Unicast Flooding

You can allow unknown unicast packets to flood all interfaces in an existing vEthernet port profile after you have blocked flooding globally for the VSM. The same command also makes sure unknown unicast packets are never blocked on the interfaces in that port profile, regardless of the global setting.

Before You Begin
• Log in to the CLI in EXEC mode.
• Create the vEthernet port profile for which you want to allow flooding.
Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# port-profile profile-name
        Places you in configuration mode for the named port profile.

Step 3  switch(config-port-prof)# [no] switchport uufb disable
        Disables UUFB on all interfaces in the named port profile so that unknown unicast packets are always allowed to flood to them, regardless of the global setting. The no form removes the exception and returns those interfaces to the global setting.

Step 4  switch(config-port-prof)# show running-config port-profile profile-name  (Optional)
        Displays the configuration of the named port profile for verification.

Step 5  switch(config-port-prof)# copy running-config startup-config  (Optional)
        Copies the running configuration to the startup configuration.

This example shows how to configure a port profile to allow unknown unicast flooding:

switch# configure terminal
switch(config)# port-profile accessprof
switch(config-port-prof)# switchport uufb disable
switch(config-port-prof)# show running-config port-profile accessprof

!Command: show running-config port-profile accessprof
!Time: Fri Jun 10 12:06:38 2011

version 4.2(1)SV1(4a)
port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown
  description all_access
switch(config-port-prof)# copy running-config startup-config
[########################################] 100%

Configuration Example for Blocking Unknown Unicast Packets

This example shows how to block unknown unicast packets from flooding the forwarding path globally for the VSM:

n1000v# config terminal
n1000v(config)# uufb enable
n1000v(config)# show uufb status
UUFB Status: Enabled
n1000v(config)# copy running-config startup-config
[########################################] 100%
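Once UUFB is enabled globally, the ports that still receive unknown unicast floods are exactly the interfaces and port profiles carrying switchport uufb disable (VSD ports, MS-NLB ports, VMs that use extra MAC addresses), so that exception list is what a reviewer should check. The following Python script is an added example, not code from this guide or from the Nexus 1000V software: it parses saved show running-config text and reports the global setting, every vEthernet port profile that disables UUFB, which of those also turn off auto static learning (the MS-NLB pattern from the guidelines), and which vEthernet interfaces can still be flooded, either directly or through the port profile they inherit. The sample configuration and the profile names nlb-prof and vsd-prof are constructed for the example.

```python
"""Audit a Nexus 1000V running-config for UUFB exceptions (added example, not
code from the Cisco guide). It parses saved `show running-config` text and
lists where `switchport uufb disable` overrides a global `uufb enable`.
The sample config and profile names nlb-prof and vsd-prof are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample `show running-config` output; not captured from a real switch.
SAMPLE_CONFIG = """\
version 4.2(1)SV2(2.1)
uufb enable
port-profile type vethernet accessprof
  switchport access vlan 300
port-profile type vethernet nlb-prof
  switchport access vlan 31
  no mac auto-static-learn
  switchport uufb disable
port-profile type vethernet vsd-prof
  switchport uufb disable
port-profile type ethernet uplink
  switchport mode trunk
interface Vethernet100
  inherit port-profile accessprof
  switchport uufb disable
interface Vethernet101
  inherit port-profile accessprof
interface Vethernet102
  inherit port-profile nlb-prof
"""

PROFILE_RE = re.compile(r"^port-profile type (\S+) (\S+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
DISABLE = "switchport uufb disable"


@dataclass
class Config:
    global_enabled: bool = False
    profiles: dict = field(default_factory=dict)    # name -> {"type": ..., "cmds": [...]}
    interfaces: dict = field(default_factory=dict)  # name -> [commands]


def parse_config(text: str) -> Config:
    """Group indented lines under their port-profile or interface header."""
    cfg = Config()
    current = None  # command list of the block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):        # indented: belongs to the current block
            if current is not None:
                current.append(line.strip())
            continue
        current = None
        if m := PROFILE_RE.match(line):
            cfg.profiles[m.group(2)] = {"type": m.group(1), "cmds": []}
            current = cfg.profiles[m.group(2)]["cmds"]
        elif m := INTERFACE_RE.match(line):
            current = cfg.interfaces[m.group(1)] = []
        elif line in ("uufb enable", "no uufb enable"):
            cfg.global_enabled = line == "uufb enable"
    return cfg


def flooding_allowed(cfg: Config, ifname: str) -> bool:
    """With UUFB off globally every port floods; with it on, a port floods only
    if it or the port profile it inherits carries `switchport uufb disable`."""
    if not cfg.global_enabled:
        return True
    cmds = cfg.interfaces.get(ifname, [])
    if DISABLE in cmds:
        return True
    for c in cmds:
        if c.startswith("inherit port-profile "):
            return DISABLE in cfg.profiles.get(c.split()[-1], {"cmds": []})["cmds"]
    return False


def audit(text: str) -> dict:
    """Summarise every UUFB exception found in the config."""
    cfg = parse_config(text)
    veth = {n: p["cmds"] for n, p in cfg.profiles.items() if p["type"] == "vethernet"}
    return {
        "global_enabled": cfg.global_enabled,
        # vEthernet port profiles that allow flooding on every member port
        "profile_exceptions": sorted(n for n, c in veth.items() if DISABLE in c),
        # exceptions that look like MS-NLB ports (auto static learning turned off)
        "nlb_profiles": sorted(
            n for n, c in veth.items() if DISABLE in c and "no mac auto-static-learn" in c),
        # vEthernet interfaces that still receive unknown unicast floods
        "flooding_interfaces": sorted(
            n for n in cfg.interfaces
            if n.startswith("Vethernet") and flooding_allowed(cfg, n)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a file saved from show running-config by passing the file contents to audit(). In the constructed sample, Vethernet100 floods because of its own switchport uufb disable, Vethernet102 floods because it inherits nlb-prof, and Vethernet101 is blocked; if the config contained no uufb enable, every interface would flood and the exception list would be meaningless, which is why the report leads with the global setting.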

Feature History for UUFB

This table includes only updates for those releases that have resulted in additions to the feature.

Feature Name    Releases         Feature Information
UUFB            4.2(1)SV1(4a)    This feature was introduced.