
New Member

Switchport based filtering of multicast packets

Hi, I have a multi-tiered application, with the tiers communicating with each other through contexts on a FWSM in a 6500. The servers in each tier have a requirement to communicate directly with each other using multicast, and as such they each have an interface in a VLAN dedicated to this multicasting. This is an obvious security risk, as if one of the servers is compromised, it can communicate directly with the other servers on the multicast VLAN.

I need some way of applying layer 2 filtering on the switchports that are in this multicast VLAN, so that only multicast traffic can pass through them.

The only ways I can think of doing this are to use VACLs which specify the source and multicast IP addresses, port-based extended MAC ACLs, or the other thing I've come across is the 'switchport block unicast' command. I'm having a bit of trouble understanding this command. Is anyone able to advise on the best way to achieve this?

Many Thanks in advance

Dom
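One way to implement the VACL option mentioned in the question, as an added example (not configuration from the thread or from Cisco). All values are assumptions: VLAN 100 is the multicast-only VLAN, the servers sit in 10.1.100.0/24, and the application groups live in 239.0.0.0/8; substitute the real VLAN, subnet and group range.

```cisco
! Added example, not from the original post. Assumed values:
!   VLAN 100          = the dedicated multicast VLAN
!   10.1.100.0/24     = server interfaces in that VLAN
!   239.0.0.0/8       = application multicast groups
!
! Step 1: an extended ACL that matches only what should be allowed:
!  - IGMP toward the multicast range, so group joins/leaves still work
!    when IGMP snooping is enabled on the VLAN
!  - IP traffic from the server subnet whose destination is a group
ip access-list extended MCAST-VLAN-ALLOWED
 permit igmp 10.1.100.0 0.0.0.255 224.0.0.0 15.255.255.255
 permit ip 10.1.100.0 0.0.0.255 239.0.0.0 0.255.255.255
!
! Step 2: a VLAN access map. Sequence 10 forwards packets that match the
! ACL; sequence 20 has no match clause, so it matches everything else
! (including server-to-server unicast) and drops it.
vlan access-map MCAST-ONLY 10
 match ip address MCAST-VLAN-ALLOWED
 action forward
vlan access-map MCAST-ONLY 20
 action drop
!
! Step 3: apply the map to the multicast VLAN. A VACL is enforced on
! all traffic switched within the VLAN, regardless of ingress port.
vlan filter MCAST-ONLY vlan-list 100
```

Two points worth checking after applying this. First, the map above contains only an IP match clause, so it constrains IP packets; if Layer 2 non-IP unicast frames between the servers also need to be stopped, add a sequence with `match mac address` against a MAC ACL that permits only the 0100.5e00.0000 multicast address range. Second, `switchport block unicast` on its own does not meet the requirement in the question: it only suppresses flooding of unicast frames whose destination MAC is not yet in the MAC address table, and once the switch has learned both servers' addresses, unicast between them is forwarded normally.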

3 REPLIES
Silver

Re: Switchport based filtering of multicast packets

switchport block unicast -- This command blocks unknown unicast forwarding to the port and enables UUFB (unknown unicast flood blocking; unknown unicast traffic is otherwise flooded to all Layer 2 ports in a VLAN) on the port.

New Member

Re: Switchport based filtering of multicast packets

Thanks - how does it define unknown unicast traffic? My requirement is for only multicast traffic to flow, not unicast.

Cheers, Dom

Cisco Employee

Re: Switchport based filtering of multicast packets

When the destination MAC is not in its forwarding table (MAC-ADDRESS-TABLE), it is unknown unicast and will flood the traffic to all ports except the source port.

HTH,

Nagendra
