Configuring Port Blocking

Information About Port Blocking

Port Blocking

By default, the switch floods frames with an unknown destination MAC address out of all ports in the same VLAN. If that flooded unknown unicast or multicast traffic reaches a protected port, a host on that port receives frames that were never addressed to it, which undermines the isolation the protected port is meant to provide and lets the host observe traffic intended for other stations. To prevent this, you can block a port (protected or nonprotected) so that unknown unicast or multicast frames are not flooded out of it.

Note: With multicast traffic, the port blocking feature blocks only pure Layer 2 (non-IP) multicast frames. Multicast packets that carry IPv4 or IPv6 information in the header are not blocked and are still flooded.

How to Configure Port Blocking

Blocking Flooded Traffic on an Interface

Before You Begin

The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.

SUMMARY STEPS

1. configure terminal

2. interface interface-id

3. switchport block multicast

4. switchport block unicast

5. end

6. show interfaces interface-id switchport

7. copy running-config startup-config


DETAILED STEPS

Step 1  configure terminal

    Example:
    Switch# configure terminal

    Enters global configuration mode.

Step 2  interface interface-id

    Example:
    Switch(config)# interface gigabitethernet1/0/1

    Specifies the interface to be configured and enters interface configuration mode. The interface can be a physical port or a port-channel interface.

Step 3  switchport block multicast

    Example:
    Switch(config-if)# switchport block multicast

    Blocks unknown multicast forwarding out of the port.

    Note: Only pure Layer 2 (non-IP) multicast traffic is blocked. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked.

Step 4  switchport block unicast

    Example:
    Switch(config-if)# switchport block unicast

    Blocks unknown unicast forwarding out of the port.

Step 5  end

    Example:
    Switch(config-if)# end

    Returns to privileged EXEC mode.

Step 6  show interfaces interface-id switchport

    Example:
    Switch# show interfaces gigabitethernet1/0/1 switchport

    Verifies your entries. In the output, the lines "Unknown unicast blocked:" and "Unknown multicast blocked:" should read "enabled" for the port you configured; "disabled" means the port still floods that traffic.

Step 7  copy running-config startup-config

    Example:
    Switch# copy running-config startup-config

    (Optional) Saves your entries in the configuration file so that the blocking survives a reload.

Monitoring Port Blocking

Table 1 Commands for Displaying Port Blocking Settings

Command: show interfaces [interface-id] switchport

Purpose: Displays the administrative and operational status of all switching (nonrouting) ports or of the specified port, including the port blocking and port protection settings.
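The following audit script is an added example and is not part of the Cisco documentation or the switch software. It parses the output of show interfaces switchport (the verification command in Step 6 and in Table 1) across every port, flags protected ports that still flood unknown unicast or multicast traffic, and emits the remediation commands from the procedure above for each of them. It assumes the per-port field names Protected:, Unknown unicast blocked: and Unknown multicast blocked:, which is what Catalyst IOS prints; the sample output, interface names and VLAN names in SAMPLE_OUTPUT are constructed for illustration.

```python
"""Audit 'show interfaces switchport' output for missing port blocking.

Added example, not Cisco's code. SAMPLE_OUTPUT is a constructed sample that
mirrors the per-port fields Catalyst IOS prints; interface names are made up.
"""
from dataclasses import dataclass

# Constructed sample of 'show interfaces switchport' for three ports.
SAMPLE_OUTPUT = """\
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Users)
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Users)
Protected: true
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled
Appliance trust: none

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
"""


@dataclass
class PortState:
    name: str
    protected: bool
    unicast_blocked: bool
    multicast_blocked: bool


def parse_switchport(output):
    """Split the command output into one record per 'Name:' block."""
    ports = []
    current = None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or a line without a field separator
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"name": value, "protected": False,
                       "unicast_blocked": False, "multicast_blocked": False}
            ports.append(current)
        elif current is None:
            continue  # field seen before the first 'Name:' line; ignore
        elif key == "Protected":
            current["protected"] = value.lower() == "true"
        elif key == "Unknown unicast blocked":
            current["unicast_blocked"] = value.lower() == "enabled"
        elif key == "Unknown multicast blocked":
            current["multicast_blocked"] = value.lower() == "enabled"
    return [PortState(**p) for p in ports]


def find_unblocked(ports, only_protected=True):
    """Return ports that still flood unknown unicast or multicast frames.

    By default only protected ports are reported, since that is where the
    documentation says flooding is a security concern; pass
    only_protected=False to list every port missing either block.
    """
    return [p for p in ports
            if (p.protected or not only_protected)
            and not (p.unicast_blocked and p.multicast_blocked)]


def remediation(ports):
    """Build the IOS commands from the procedure for each non-compliant port."""
    lines = ["configure terminal"]
    for p in ports:
        lines.append(f"interface {p.name}")
        if not p.unicast_blocked:
            lines.append(" switchport block unicast")
        if not p.multicast_blocked:
            lines.append(" switchport block multicast")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ports = parse_switchport(SAMPLE_OUTPUT)
    noncompliant = find_unblocked(ports)
    for p in noncompliant:
        print(f"{p.name}: protected port still floods unknown traffic")
    print(remediation(noncompliant))
```

In the constructed sample, Gi1/0/1 is protected but unblocked and is reported; Gi1/0/2 is compliant; the trunk Gi1/0/24 is unprotected and appears only when only_protected=False. Feed the script real output captured from the switch to audit a whole stack, and review the generated commands before applying them, because blocking unknown unicast on an uplink or a port that carries non-IP multicast is a change in forwarding behaviour, not just a hardening step.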