Cisco Nexus 1000V Security Configuration Guide, 4.2(1)SV2(1.1)
Blocking Unknown Unicast Flooding

Information About UUFB

Unknown unicast flood blocking (UUFB) limits unknown unicast flooding in the forwarding path, so that traffic addressed to a MAC address for which the switch has no forwarding entry is not delivered to every VM in the VLAN. UUFB prevents packets received on both vEthernet and Ethernet interfaces that are destined to unknown unicast addresses from flooding the VLAN. When UUFB is enabled, the VEMs drop unknown unicast packets that arrive on the uplink ports instead of flooding them toward the VMs.

After you block unknown unicast flooding globally, you can allow flooding again on a single interface or on all interfaces in a port profile.

You can also configure an interface or a port profile so that unknown unicast packets are never blocked on it, regardless of the global setting.

Guidelines and Limitations for UUFB

  • Before configuring UUFB, make sure that the VSM HA pair and all VEMs have been upgraded to the latest release; verify this with the show module command.
  • You must explicitly disable UUFB on virtual service domain (VSD) ports. You can do this in the VSD port profiles.
  • You must explicitly disable UUFB on the ports of any application or VM that uses a MAC address other than the one assigned by the hypervisor (VMware or Microsoft). The switch has no forwarding entry for such an address, so traffic to it is unknown unicast and would otherwise be dropped.
  • You can configure an interface so that unknown unicast packets are never blocked on it.
  • When Cisco Unified Computing System (UCS) runs in End-Host Mode, the UCS Fabric Interconnect drops unknown unicast packets.
  • On vEthernet interfaces enabled for Microsoft Network Load Balancing (MS-NLB), that is, configured with no mac auto-static-learn, UUFB does not block MS-NLB packets. In this scenario UUFB can be used so that MS-NLB packets are not flooded to the non-MS-NLB ports in the VLAN.
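The forwarding rule described above and the exemptions the guidelines call for, as an added example that is not from the Cisco guide: a small Python model of the decision a VEM makes for a unicast frame arriving on an uplink, with and without uufb enable, and with a port exempted either through its port profile or through an interface-level override. It assumes, which the guide does not state, that the VEM resolves destinations through the hypervisor-assigned MAC addresses (so a VM that answers on a different MAC is an unknown destination) and that an interface-level switchport uufb disable takes precedence over the value inherited from the profile. The topology and MAC addresses are constructed.

```python
"""Model of the unknown-unicast decision a VEM makes under UUFB.

Added illustration, not Cisco code. Assumptions the guide does not spell out:
the VEM resolves destination MACs through the static entries the hypervisor
assigns to each vEthernet port (so a VM using any other MAC is an unknown
destination), and an interface-level 'switchport uufb disable' overrides the
value inherited from the port profile.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VethPort:
    name: str
    vlan: int
    profile_uufb_disable: bool = False          # 'switchport uufb disable' in the port profile
    port_uufb_disable: Optional[bool] = None    # interface-level override; None means inherit

    @property
    def exempt(self) -> bool:
        """True when unknown unicast must never be blocked on this port."""
        if self.port_uufb_disable is not None:
            return self.port_uufb_disable
        return self.profile_uufb_disable


class Vem:
    def __init__(self, uufb_enabled, ports, mac_table):
        self.uufb_enabled = uufb_enabled                # global 'uufb enable'
        self.ports = {p.name: p for p in ports}
        # hypervisor-assigned MAC -> owning vEthernet port
        self.mac_table = {m.lower(): n for m, n in mac_table.items()}

    def deliver_from_uplink(self, dst_mac, vlan):
        """Ports that receive a unicast frame arriving on an Ethernet uplink."""
        in_vlan = [p for p in self.ports.values() if p.vlan == vlan]
        owner = self.mac_table.get(dst_mac.lower())
        if owner is not None:
            # Known unicast is switched to its port; UUFB never touches it.
            return [owner] if self.ports[owner].vlan == vlan else []
        if not self.uufb_enabled:
            # Default behaviour: unknown unicast floods every port in the VLAN.
            return [p.name for p in in_vlan]
        # UUFB enabled: the VEM drops the flood, except toward exempted ports.
        return [p.name for p in in_vlan if p.exempt]


def build_vem(uufb_enabled):
    """Constructed sample topology: three VMs in VLAN 30, one in VLAN 40."""
    ports = [
        VethPort("Vethernet1", 30),                                   # ordinary VM
        VethPort("Vethernet2", 30, profile_uufb_disable=True),        # MS-NLB node, exempted by its profile
        VethPort("Vethernet3", 30, profile_uufb_disable=True,
                 port_uufb_disable=False),                            # interface override re-enables blocking
        VethPort("Vethernet4", 40),                                   # different VLAN
    ]
    # Only hypervisor-assigned MACs are known. The VM behind Vethernet1 also
    # answers on 02:00:00:00:ab:cd (a custom MAC), which is deliberately absent.
    mac_table = {"00:50:56:aa:00:01": "Vethernet1", "00:50:56:aa:00:02": "Vethernet2",
                 "00:50:56:aa:00:03": "Vethernet3", "00:50:56:aa:00:04": "Vethernet4"}
    return Vem(uufb_enabled, ports, mac_table)


def main():
    for enabled in (False, True):
        vem = build_vem(enabled)
        print("uufb enable" if enabled else "no uufb enable")
        print("  known MAC  ->", vem.deliver_from_uplink("00:50:56:aa:00:01", 30))
        print("  custom MAC ->", vem.deliver_from_uplink("02:00:00:00:ab:cd", 30))


if __name__ == "__main__":
    main()
```

Running the file prints the delivery list for the known MAC and for the custom MAC under both global settings. With uufb enable only the exempted Vethernet2 still receives the frame addressed to the custom MAC, which is exactly the situation the VSD, MS-NLB and custom-MAC guidelines above are about: a VM that is reachable only through flooding becomes unreachable unless its port is exempted.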

Default Settings for UUFB

Parameters                 Default
uufb enable                Disabled
switchport uufb disable    Disabled

Configuring UUFB

Blocking Unknown Unicast Flooding Globally on the Switch

Use this procedure to globally block unknown unicast packets from flooding the forwarding path for the switch.

Before You Begin

Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

Procedure

Step 1  switch# configure terminal
        Places you in global configuration mode.

Step 2  switch(config)# [no] uufb enable
        Enables UUFB globally for the VSM. The no form disables it, which is the default.

Step 3  switch(config)# show uufb status  (Optional)
        Displays the global UUFB setting for the VSM.

Step 4  switch(config)# copy running-config startup-config  (Optional)
        Copies the running configuration to the startup configuration.

switch# configure terminal
switch(config)# uufb enable
switch(config)# show uufb status
UUFB Status: Enabled
switch(config)# copy running-config startup-config
[########################################] 100%


Configuring an Interface to Allow Unknown Unicast Flooding

Use this procedure to allow unknown unicast packets to flood a vEthernet interface when you have blocked flooding globally for the VSM. You can also use this procedure to make sure that unknown unicast packets are never blocked on a specific interface, regardless of the global setting.

If you have previously blocked unknown unicast packets globally, you can allow unicast flooding on either a single interface or all interfaces in a port profile.

Before You Begin

Before beginning this procedure, you must be logged in to the CLI in EXEC mode.

Procedure

Step 1  switch# configure terminal
        Places you in global configuration mode.

Step 2  switch(config)# interface vethernet interface-number
        Enters interface configuration mode for the specified interface.

Step 3  switch(config-if)# [no] switchport uufb disable
        Exempts the interface from UUFB so that unknown unicast packets are flooded to it even when UUFB is enabled globally. The no form removes the exemption and returns the interface to the global UUFB behavior.

Step 4  switch(config-if)# show running-config interface vethernet interface-number  (Optional)
        Displays the running configuration of the interface for verification.

Step 5  switch(config-if)# copy running-config startup-config  (Optional)
        Copies the running configuration to the startup configuration.

switch# configure terminal
switch(config)# interface vethernet 100
switch(config-if)# switchport uufb disable
switch(config-if)# show running-config interface veth100

!Command: show running-config interface Vethernet100
!Time: Fri Jun 10 12:43:53 2011

version 4.2(1)SV1(4a)

interface Vethernet100
  description accessvlan
  switchport access vlan 30
  switchport uufb disable
switch(config-if)# copy running-config startup-config
[########################################] 100%

Configuring a Port Profile to Allow Unknown Unicast Flooding

Use this procedure to allow unknown unicast packets to flood the interfaces in an existing vEthernet port profile when you have blocked unicast flooding globally for the VSM. You can also use this procedure to make sure that unknown unicast packets are never blocked on the interfaces of a specific port profile, regardless of the global setting.

If you have previously blocked unknown unicast packets globally, you can allow unicast flooding on either a single interface or all interfaces in a port profile.

Before You Begin

Before beginning this procedure, be sure you have done the following:

• Logged in to the CLI in EXEC mode.
• Configured the vEthernet port profile for which you want to allow flooding.

Procedure

Step 1  switch# configure terminal
        Places you in global configuration mode.

Step 2  switch(config)# port-profile profile-name
        Places you in configuration mode for the named port profile.

Step 3  switch(config-port-prof)# [no] switchport uufb disable
        Exempts all interfaces that inherit the named port profile from UUFB, so that unknown unicast packets are flooded to them even when UUFB is enabled globally. The no form removes the exemption and returns those interfaces to the global UUFB behavior.

Step 4  switch(config-port-prof)# show running-config port-profile profile-name  (Optional)
        Displays the configuration of the named port profile for verification.

Step 5  switch(config-port-prof)# copy running-config startup-config  (Optional)
        Copies the running configuration to the startup configuration.

switch# configure terminal
switch(config)# port-profile accessprof
switch(config-port-prof)# switchport uufb disable
switch(config-port-prof)# show running-config port-profile accessprof

!Command: show running-config port-profile accessprof
!Time: Fri Jun 10 12:06:38 2011

version 4.2(1)SV1(4a)
port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown
  description all_access
switch(config-port-prof)# copy running-config startup-config
[########################################] 100%
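A check for the global, interface and port-profile settings together, as an added example that is not from the Cisco guide: a Python script that parses the text of show running-config and reports the effective UUFB state of every vEthernet interface, so that exemptions inherited from a profile, overridden on an interface, or rendered moot by a missing uufb enable are visible in one place. It assumes that the configuration binds an interface to its profile with an inherit port-profile line (standard Nexus 1000V syntax, although the interface output above does not show it) and that an interface-level override appears as switchport uufb disable or its no form. The configuration text in the script is a constructed sample modeled on the show output on this page.

```python
"""Audit the effective UUFB state from a Nexus 1000V running configuration.

Added example; it is not part of the Cisco guide. It parses the text of
'show running-config' and reports, per vEthernet interface, whether unknown
unicast flooding is blocked, exempted, or simply not blocked because UUFB is
off globally. Assumptions not shown in the guide: an interface is bound to a
profile by an 'inherit port-profile NAME' line (normal Nexus 1000V syntax), and
an interface-level override of the profile appears as 'switchport uufb disable'
or its 'no' form. The configuration below is constructed sample data.
"""
import re

SAMPLE_RUNNING_CONFIG = """\
version 4.2(1)SV2(1.1)
uufb enable

port-profile type vethernet accessprof
  vmware port-group
  switchport mode access
  switchport access vlan 300
  switchport uufb disable
  no shutdown

port-profile type vethernet webprof
  vmware port-group
  switchport access vlan 30
  no shutdown

interface Vethernet100
  inherit port-profile webprof
  switchport uufb disable

interface Vethernet101
  inherit port-profile webprof

interface Vethernet102
  inherit port-profile accessprof
  no switchport uufb disable
"""

# Top-level lines that open an indented configuration block.
_BLOCK_RE = re.compile(
    r"^(?:port-profile(?: type \S+)? (?P<profile>\S+)|interface (?P<iface>Vethernet\d+))$")


def parse_running_config(text):
    """Return the global UUFB flag, per-profile exemptions and per-interface settings."""
    cfg = {"global": False, "profiles": {}, "interfaces": {}}  # UUFB is off by default
    current = None  # ("profile", name) or ("iface", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):           # top-level command: closes any open block
            current = None
            if line == "uufb enable":
                cfg["global"] = True
            elif line == "no uufb enable":
                cfg["global"] = False
            else:
                m = _BLOCK_RE.match(line)
                if m and m.group("profile"):
                    current = ("profile", m.group("profile"))
                    cfg["profiles"][current[1]] = False
                elif m and m.group("iface"):
                    current = ("iface", m.group("iface"))
                    cfg["interfaces"][current[1]] = {"profile": None, "uufb_disable": None}
            continue
        if current is None:
            continue
        cmd = line.strip()
        kind, name = current
        if kind == "profile":
            if cmd == "switchport uufb disable":
                cfg["profiles"][name] = True
        elif cmd.startswith("inherit port-profile "):
            cfg["interfaces"][name]["profile"] = cmd.split()[-1]
        elif cmd == "switchport uufb disable":
            cfg["interfaces"][name]["uufb_disable"] = True
        elif cmd == "no switchport uufb disable":
            cfg["interfaces"][name]["uufb_disable"] = False
    return cfg


def effective_state(cfg):
    """Map each vEthernet interface to 'blocked', 'exempt' or 'flooded'."""
    state = {}
    for name, entry in cfg["interfaces"].items():
        exempt = entry["uufb_disable"]
        if exempt is None:  # no interface-level command: inherit from the profile
            exempt = cfg["profiles"].get(entry["profile"], False)
        if not cfg["global"]:
            state[name] = "flooded"       # UUFB not enabled: unknown unicast floods everywhere
        elif exempt:
            state[name] = "exempt"        # 'switchport uufb disable' is in effect
        else:
            state[name] = "blocked"       # unknown unicast is dropped toward this port
    return state


def main():
    cfg = parse_running_config(SAMPLE_RUNNING_CONFIG)
    print("uufb enable:", cfg["global"])
    for name, state in effective_state(cfg).items():
        print(f"{name:14s} {state}")


if __name__ == "__main__":
    main()
```

Feed it the output of show running-config from the VSM instead of the embedded sample. Interfaces reported as exempt are the ones that still receive unknown unicast, so each should correspond to a deliberate case from the guidelines (a VSD port, an MS-NLB node, a VM with its own MAC); an exempt interface without such a reason is a hole in the policy, and a report of flooded for every interface means uufb enable was never applied.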
        

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Configuration Example for Blocking Unknown Unicast Packets

This example shows how to block unknown unicast packets from flooding the forwarding path globally for the VSM.

n1000v# config terminal
n1000v(config)# uufb enable
n1000v(config)# show uufb status
UUFB Status: Enabled
n1000v(config)# copy running-config startup-config
[########################################] 100%

Feature History for UUFB

This table includes only updates for those releases that have resulted in additions to the feature.

Feature Name    Releases         Feature Information
UUFB            4.2(1)SV1(4a)    This feature was introduced.