Cisco Systems EA6500 User Manual

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 23      Configuring Network Security
Configuring Unicast Flood Protection
This example shows how to enable Unicast RPF exist-only checking mode on Gigabit Ethernet port 4/1:
Router(config)# interface gigabitethernet 4/1 
Router(config-if)# ip verify unicast source reachable-via any 
Router(config-if)# end 
Router# 
This example shows how to enable Unicast RPF strict checking mode on Gigabit Ethernet port 4/2:
Router(config)# interface gigabitethernet 4/2 
Router(config-if)# ip verify unicast source reachable-via rx 
Router(config-if)# end 
Router# 
This example shows how to verify the configuration:
Router# show running-config interface gigabitethernet 4/2
Building configuration...
Current configuration : 114 bytes
interface GigabitEthernet4/2
 ip address 42.0.0.1 255.0.0.0
 ip verify unicast reverse-path
 no cdp enable
end

Router# show running-config interface gigabitethernet 4/1
Building configuration...
Current configuration : 114 bytes
interface GigabitEthernet4/1
 ip address 41.0.0.1 255.0.0.0
 ip verify unicast reverse-path (RPF mode on g4/1 also changed to strict-check RPF mode)
 no cdp enable
end
Router#
Configuring Unicast Flood Protection
The unicast flood protection feature protects the system from disruptions caused by unicast flooding. 
The Catalyst 6500 series switches use forwarding tables to direct traffic to specific ports based on the 
VLAN number and the destination MAC address of the frame. When there is no entry corresponding to 
the frame’s destination MAC address in the incoming VLAN, the frame is sent to all forwarding ports 
within the respective VLAN, which causes flooding. Limited flooding is part of the normal switching 
process, but continuous flooding can cause adverse performance effects on the network. 
When you enable the unicast flood protection feature and the system detects unknown
unicast floods exceeding a threshold (the rate limit), it sends an alert, filters the
traffic, or shuts down the port generating the floods.
To configure unicast flood protection, perform this task:
        Command                                         Purpose
Step 1  Router(config)# [no] mac-address-table          Enables unicast flood protection globally.
        unicast-flood {limit kfps} {vlan vlan}
        {filter timeout | alert | shutdown}
Step 2  Router# show mac-address-table unicast-flood    Displays unicast flood protection information.
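
Both settings on this page can be audited offline from a saved running-config. The following Python script is an added example, not part of the Cisco guide: it reports the Unicast RPF mode of each interface and the unicast flood protection action of each VLAN. The sample configuration, the VLAN numbers and limits, the `audit` and `findings` names, and the assumption that exist-only mode is saved as `reachable-via any` are constructed for illustration.

```python
import re

# Constructed sample: interface blocks mirror the show running-config output
# above; the unicast-flood lines follow the command syntax in the task table.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/1
 ip address 41.0.0.1 255.0.0.0
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet4/2
 ip address 42.0.0.1 255.0.0.0
 ip verify unicast reverse-path
 no cdp enable
!
interface GigabitEthernet4/3
 ip address 43.0.0.1 255.0.0.0
!
mac-address-table unicast-flood limit 3 vlan 100 filter 5
mac-address-table unicast-flood limit 2 vlan 200 alert
"""

# Strict mode appears as "reverse-path" in the output above; "reachable-via rx"
# and "reachable-via any" are the forms entered at the CLI (assumed to be saved).
URPF_RE = re.compile(r"^ip verify unicast (reverse-path|source reachable-via (rx|any))$")
FLOOD_RE = re.compile(r"^mac-address-table unicast-flood limit (\d+) vlan (\d+) "
                      r"(filter \d+|alert|shutdown)$")

def audit(config_text):
    """Return (urpf, flood): uRPF mode per interface, flood settings per VLAN."""
    urpf, flood, current = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            urpf[current] = "none"            # until a uRPF line is seen
        elif line in ("!", "end"):
            current = None                    # left the interface block
        elif current and (m := URPF_RE.match(line)):
            urpf[current] = "exist-only" if m.group(2) == "any" else "strict"
        elif m := FLOOD_RE.match(line):
            flood[int(m.group(2))] = {"limit_kfps": int(m.group(1)), "action": m.group(3)}
    return urpf, flood

def findings(config_text, vlans_in_use):
    """List interfaces without uRPF and in-use VLANs without flood protection."""
    urpf, flood = audit(config_text)
    out = [f"{name}: no Unicast RPF check" for name, mode in urpf.items() if mode == "none"]
    out += [f"VLAN {v}: no unicast flood protection" for v in vlans_in_use if v not in flood]
    return out
```
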