Switchport based filtering of multicast packets

d-fillmore
Level 2

Hi, I have a multi-tiered application, with the tiers communicating with each other through contexts on a FWSM in a 6500. The servers in each tier have a requirement to communicate directly with each other using multicast and as such they each have an interface in a VLAN dedicated to this multicasting. This is an obvious security risk, as if one of the servers is compromised, they can communicate directly with the other servers on the multicast VLAN.

I need some way of applying layer 2 filtering on the switchports that are in this multicast VLAN, so that only multicast traffic can pass through them.

The only ways I can think of doing this are to use VACLs which specify the source and multicast IP addresses, port-based extended MAC ACLs, or the other thing I've come across is the 'switchport block unicast' command. I'm having a bit of trouble understanding this command. Is anyone able to advise on the best way to achieve this?

Many Thanks in advance

Dom
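The VACL option mentioned in the question, written out as an added example (not configuration from the original poster or from Cisco documentation). It assumes VLAN 200 is the dedicated multicast VLAN and that the servers' interfaces in it sit in 10.0.200.0/24; the ACL and access-map names are placeholders. The point of the sequence-20 entry is that it drops every IP packet that is not addressed to the 224.0.0.0/4 multicast range, so even a compromised server cannot reach a peer by unicast on that VLAN, which is something a port-level unknown-unicast block does not guarantee once the peer's MAC has been learned.

```cisco
! Added example: VACL that only forwards IPv4 multicast on the multicast-only VLAN.
! VLAN 200, 10.0.200.0/24 and the ACL/map names are assumptions, not from the thread.

! Traffic we want to keep: IP from the server subnet to any IPv4 multicast group
! (224.0.0.0/4). This range also covers IGMP (224.0.0.1, 224.0.0.22), so group
! membership signalling keeps working.
ip access-list extended MCAST-ONLY
 permit ip 10.0.200.0 0.0.0.255 224.0.0.0 15.255.255.255

! Catch-all used to make the drop of everything else explicit in the map.
ip access-list extended ANY-IP
 permit ip any any

! Sequence 10 forwards multicast, sequence 20 drops all remaining IP traffic
! (unicast server-to-server included). Sequences are evaluated in order.
vlan access-map MCAST-ONLY-MAP 10
 match ip address MCAST-ONLY
 action forward
vlan access-map MCAST-ONLY-MAP 20
 match ip address ANY-IP
 action drop

! Apply the map to the multicast VLAN. The VACL filters every frame in the
! VLAN regardless of ingress port, so it does not depend on per-port config.
vlan filter MCAST-ONLY-MAP vlan-list 200

! Verification
show vlan access-map MCAST-ONLY-MAP
show vlan filter
```

Two caveats worth checking in a lab before deploying: the map above only has `match ip address` clauses, so non-IP frames such as ARP are not filtered by it (a `match mac address` clause would be needed for that), and if the 6500 has an SVI in this VLAN acting as IGMP querier, its queries are multicast and pass sequence 10, but any unicast management traffic to or from that SVI would be dropped by sequence 20.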

3 Replies

mchin345
Level 6

switchport block unicast -- This command blocks unknown unicast forwarding to the port and enables UUFB (unknown unicast traffic is flooded to all Layer 2 ports in a VLAN) on the port.

Thanks - How does it define unknown unicast traffic. My requirement is for only multicast traffic to flow, not unicast.

Cheers, Dom

When the destination MAC is not in its forwarding table (MAC-ADDRESS-TABLE), it is unknown unicast and will flood the traffic to all ports except the source port.

HTH,

Nagendra
