06-25-2008 05:46 AM - edited 03-05-2019 11:48 PM
Hi, I have a multi-tiered application, with the tiers communicating with each other through contexts on a FWSM in a 6500. The servers in each tier have a requirement to communicate directly with each other using multicast and as such they each have an interface in a VLAN dedicated to this multicasting. This is an obvious security risk as if one of the servers is compromised, they can communicate directly with the other servers on the multicast VLAN.
I need some way of applying layer 2 filtering on the switchports that are in this multicast VLAN, so that only multicast traffic can pass through them.
The only ways I can think of doing this are to use VACLs which specify the source and multicast IP addresses, port-based extended MAC ACLs, or the other thing I've come across is the 'switchport block unicast' command. I'm having a bit of trouble understanding this command. Is anyone able to advise on the best way to achieve this?
Many Thanks in advance
Dom
07-01-2008 12:27 PM
switchport block unicast -- This command blocks unknown unicast forwarding to the port and enables UUFB (unknown unicast traffic is flooded to all Layer 2 ports in a VLAN) on the port.
07-08-2008 04:35 AM
Thanks - How does it define unknown unicast traffic? My requirement is for only multicast traffic to flow, not unicast.
Cheers, Dom
07-08-2008 04:53 AM
When the destination MAC is not in its forwarding table (MAC-ADDRESS-TABLE), it is unknown unicast and the switch will flood the traffic to all ports except the source port.
HTH,
Nagendra
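A VACL of the kind the original question considers, restricting the multicast VLAN to IP multicast only, as an added example that is not from any poster in this thread; it assumes native IOS on the 6500, VLAN 100 as the multicast VLAN and 10.10.10.0/24 as the servers' subnet (both placeholder values).

```cisco
! Placeholder values: VLAN 100 is the dedicated multicast VLAN,
! 10.10.10.0/24 is the address range of the servers on it.

! Only IP packets from the server subnet to a multicast group
! (224.0.0.0/4, which also covers IGMP reports/leaves) are allowed.
ip access-list extended MCAST-ONLY
 permit ip 10.10.10.0 0.0.0.255 224.0.0.0 15.255.255.255

! Catch-all used to drop every other IP packet explicitly,
! including unicast between the servers on this VLAN.
ip access-list extended ANY-IP
 permit ip any any

vlan access-map MCAST-VLAN-FILTER 10
 match ip address MCAST-ONLY
 action forward
vlan access-map MCAST-VLAN-FILTER 20
 match ip address ANY-IP
 action drop

! Apply to the multicast VLAN; the VACL is enforced on all traffic
! bridged within the VLAN, regardless of ingress port.
vlan filter MCAST-VLAN-FILTER vlan-list 100
```

Because this map contains only IP clauses, non-IP frames such as ARP are left unfiltered on this platform and would need a separate MAC ACL clause if they also have to be blocked. The 'switchport block unicast' command is not a substitute for this, since it only stops unicast frames to MAC addresses the switch has not learned, not unicast between known hosts.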