Switchport based filtering of multicast packets

Unanswered Question
Jun 25th, 2008

Hi, I have a multi-tiered application, with the tiers communicating with each other through contexts on a FWSM in a 6500. The servers in each tier have a requirement to communicate directly with each other using multicast and as such they each have an interface in a VLAN dedicated to this multicasting. This is an obvious security risk as if one of the servers is compromised, they can communicate directly with the other servers on the multicast VLAN.

I need some way of applying layer 2 filtering on the switchports that are in this multicast VLAN, so that only multicast traffic can pass through them.

The only ways I can think of doing this are to use VACLs which specify the source and multicast IP addresses, port-based extended MAC ACLs, or the other thing I've come across is the 'switchport block unicast' command. I'm having a bit of trouble understanding this command. Is anyone able to advise on the best way to achieve this?


Many thanks in advance

Dom
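As an added illustration of the VACL approach mentioned in the question (this is example configuration, not something posted in the thread), the following Catalyst 6500 VLAN access map forwards only IP multicast on the dedicated VLAN and drops everything else. VLAN 100 and the group range 239.1.1.0/24 are placeholders for the real multicast VLAN and application groups. Unlike `switchport block unicast`, which only affects flooding of unicast frames whose destination MAC is not yet learned, a VACL matches on the destination address of every frame in the VLAN, so learned unicast between compromised and healthy servers is dropped too.

```cisco
! Added example (not from the thread): VLAN access map that lets only
! IP multicast cross the multicast VLAN on a Catalyst 6500.
! Placeholders: VLAN 100, application group range 239.1.1.0/24.
!
! IGMP reports and leaves are addressed to multicast destinations
! (224.0.0.0/24 link-local or the group itself), so they are covered
! by these permits and hosts can still join their groups.
ip access-list extended MCAST-ONLY
 remark application multicast groups (placeholder range)
 permit ip any 239.1.1.0 0.0.0.255
 remark link-local multicast used by IGMP and routing protocols
 permit ip any 224.0.0.0 0.0.0.255
!
! Sequence 10 forwards what the ACL permits. Sequence 20 has no match
! clause, so it applies to all remaining traffic, which includes every
! unicast packet between servers, and drops it.
vlan access-map MCAST-VLAN-FILTER 10
 match ip address MCAST-ONLY
 action forward
vlan access-map MCAST-VLAN-FILTER 20
 action drop
!
vlan filter MCAST-VLAN-FILTER vlan-list 100
```

Two things to verify on the actual platform and software release before relying on this: how non-IP frames (ARP in particular) are treated when the access map contains only IP match clauses, and whether a `mac access-list extended` sequence is needed to drop them as well. Servers that only send and receive multicast do not need ARP, so dropping it is consistent with the requirement. The filter also does not stop a compromised server from sending to or joining the groups themselves; it only confines it to multicast, so the application-level exposure over the groups remains.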

mchin345 Tue, 07/01/2008 - 12:27
User Badges:
  • Silver, 250 points or more

switchport block unicast -- This command blocks unknown unicast forwarding to the port and enables UUFB (unknown unicast traffic is flooded to all Layer 2 ports in a VLAN) on the port.


d-fillmore Tue, 07/08/2008 - 04:35

Thanks - how does it define unknown unicast traffic? My requirement is for only multicast traffic to flow, not unicast.

Cheers, Dom

Nagendra Kumar ... Tue, 07/08/2008 - 04:53
User Badges:
  • Cisco Employee

When the destination MAC is not in its forwarding table (MAC-ADDRESS-TABLE), it is unknown unicast and will flood the traffic to all ports except the source port.


HTH,

Nagendra
