Protecting Switch Ports from Unknown Layer 2 Traffic

When a frame arrives whose destination unicast or multicast MAC address is unknown, the switch floods it out every port except the one it came in on. It does this to locate the port the destination device is attached to; once the destination is found, the switch records the MAC-to-port mapping in its CAM table so it does not have to repeat the flood every time it forwards a frame to that device.

In most environments you won't want or need to change this behavior, but if you have servers that must be protected from every avenue of attack, you will want to stop unknown traffic from reaching them, and that includes the traffic generated by the switch's discovery (flooding) process.

We can accomplish this with the Cisco Catalyst switch feature called Port Blocking: it prevents frames for unknown destinations from being sent out the port on which it is enabled. To configure port blocking for unknown unicast and multicast flooding toward our highly sensitive servers hanging off port FastEthernet 0/24, use the following configuration.

CAT(config)#interface fastethernet 0/24
CAT(config-if)#switchport block multicast
CAT(config-if)#switchport block unicast
CAT(config-if)#exit
CAT#show interface fastethernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
...
Protected: true
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled

With this in place, unknown unicast and multicast traffic will no longer be sent out port FastEthernet 0/24, shielding our servers from unknown and potentially malicious traffic. It is one more layer of protection for these sensitive servers.
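To make the flooding behavior and the effect of port blocking concrete, here is a small Python model of a learning switch, added to this post as an illustration; it is not Cisco code, and the MAC addresses and port names in it are constructed. It shows a frame to an unlearned server being flooded everywhere except the blocked port, the server becoming reachable once the switch learns its MAC, and the one failure mode worth knowing about: if the server stays quiet past the CAM ageing time, its entry expires, traffic to it is unknown unicast again, and the blocked port drops it until the server transmits. A static CAM entry avoids that gap.

```python
# Toy model of a learning switch with per-port blocking of unknown unicast and
# unknown multicast, added to illustrate the behaviour described above.
# This is not Cisco code; the MAC addresses and port names are constructed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit (lowest bit of the first octet) set means multicast."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str
    ingress: str


@dataclass
class Switch:
    ports: list
    cam: dict = field(default_factory=dict)            # mac -> port
    static: set = field(default_factory=set)           # MACs pinned by a static entry
    block_unicast: set = field(default_factory=set)    # ports with 'switchport block unicast'
    block_multicast: set = field(default_factory=set)  # ports with 'switchport block multicast'

    def block(self, port: str, unicast: bool = False, multicast: bool = False) -> None:
        if unicast:
            self.block_unicast.add(port)
        if multicast:
            self.block_multicast.add(port)

    def add_static(self, mac: str, port: str) -> None:
        """Models 'mac address-table static <mac> vlan <n> interface <port>'."""
        self.cam[mac] = port
        self.static.add(mac)

    def age_out(self) -> None:
        """Simulate CAM ageing: dynamic entries expire, static ones stay."""
        self.cam = {m: p for m, p in self.cam.items() if m in self.static}

    def forward(self, frame: Frame) -> list:
        """Return the egress ports the frame is sent out, in port order."""
        # Learn the source MAC on the ingress port (dynamic entries only).
        if frame.src not in self.static:
            self.cam[frame.src] = frame.ingress
        others = [p for p in self.ports if p != frame.ingress]
        if frame.dst == BROADCAST:
            # Broadcast is not affected by 'switchport block'; it is always flooded.
            return others
        if is_multicast(frame.dst):
            # Unknown multicast: flood, but skip ports that block it.
            return [p for p in others if p not in self.block_multicast]
        if frame.dst in self.cam:
            # Known unicast: forwarded out exactly one port; blocking does not apply.
            return [self.cam[frame.dst]]
        # Unknown unicast: flood, but skip ports that block it.
        return [p for p in others if p not in self.block_unicast]


CLIENT = "00:11:22:33:44:01"   # constructed, attached to Fa0/1
SERVER = "00:11:22:33:44:24"   # constructed, attached to Fa0/24


def demo() -> dict:
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/24"])
    sw.block("Fa0/24", unicast=True, multicast=True)
    out = {}
    # 1. Client talks to a server the switch has not learned yet: flooded,
    #    except out the blocked port, so the frame never reaches Fa0/24.
    out["unknown_unicast"] = sw.forward(Frame(CLIENT, SERVER, "Fa0/1"))
    # 2. Once the server itself sends a frame, its MAC is learned on Fa0/24.
    out["server_reply"] = sw.forward(Frame(SERVER, CLIENT, "Fa0/24"))
    out["known_unicast"] = sw.forward(Frame(CLIENT, SERVER, "Fa0/1"))
    # 3. Unknown multicast and broadcast from the client.
    out["multicast"] = sw.forward(Frame(CLIENT, "01:00:5e:00:00:fb", "Fa0/1"))
    out["broadcast"] = sw.forward(Frame(CLIENT, BROADCAST, "Fa0/1"))
    # 4. Failure mode: the server's dynamic entry ages out, traffic to it is
    #    unknown unicast again, and the blocked port drops it.
    sw.age_out()
    out["after_ageing"] = sw.forward(Frame(CLIENT, SERVER, "Fa0/1"))
    # 5. A static CAM entry for the server survives ageing and closes that gap.
    sw.add_static(SERVER, "Fa0/24")
    sw.age_out()
    out["with_static"] = sw.forward(Frame(CLIENT, SERVER, "Fa0/1"))
    return out


if __name__ == "__main__":
    for step, egress in demo().items():
        print(f"{step:16} -> {egress}")
```

Two things the model deliberately keeps simple: it treats broadcast as always flooded, because `switchport block` only affects unknown unicast and unknown multicast (broadcast storms are a job for storm control), and it treats every multicast frame as pure Layer 2. On real Catalyst hardware the multicast block applies only to pure Layer 2 multicast; multicast frames carrying IPv4 or IPv6 in the header are not blocked, so do not count on it to filter IP multicast toward the server.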

Enjoy!
