
V-272033

CAT II (Medium)

The Cisco ACI layer 2 switch must have Unknown Unicast Flood Blocking (UUFB) set to "Hardware Proxy".

Rule ID

SV-272033r1168251_rule

STIG

Cisco ACI Layer 2 Switch Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002385

Discussion

Access layer switches use the Content Addressable Memory (CAM) table to direct traffic to specific interfaces based on the VLAN number and the destination MAC address of the frame. When a router has an Address Resolution Protocol (ARP) entry for a destination host and forwards a frame to the access layer switch, but the switch has no CAM entry for that destination MAC address in the incoming VLAN, the frame is sent out every forwarding interface in that VLAN; this is unknown unicast flooding. Large amounts of flooded traffic can saturate low-bandwidth links, causing network performance issues or a complete connectivity outage for the connected devices. Unknown unicast flooding has been a persistent problem in networks with asymmetric routing and default ARP and CAM aging timers, where the router's ARP entry outlives the switch's MAC entry. In ACI the equivalent behavior is controlled per Bridge Domain by the L2 Unknown Unicast setting: "Flood" floods the frame within the Bridge Domain, while "Hardware Proxy" forwards it to the spine proxy, which looks the destination up in the fabric's endpoint database and drops the frame if the endpoint is unknown. To mitigate the risk of a connectivity outage, unknown unicast traffic must not be flooded to all access interfaces.

Check Content

Verify each Bridge Domain in use is configured to block unknown unicast flooding.

1. Navigate to Tenant >> Networking >> Bridge Domains >> Policy >> General and inspect each Tenant's Bridge Domain configuration.
2. Expand Networking >> Bridge Domains and select each Bridge Domain in turn.
- Verify the L2 Unknown Unicast field is set to "Hardware Proxy".

If any Bridge Domain that serves user-facing or untrusted access switch ports does not have L2 Unknown Unicast set to "Hardware Proxy", this is a finding.

Fix Text

Configure each Bridge Domain to block unknown unicast flooding. Hardware Proxy relies on the fabric having learned the destination endpoint, so silent hosts in a Bridge Domain without unicast routing can become unreachable; verify endpoint learning before changing production Bridge Domains.

1. Navigate to Tenant >> Networking >> Bridge Domains >> Policy >> General.
2. For an existing Bridge Domain, select it, set the L2 Unknown Unicast field to "Hardware Proxy", and submit the change. For a new Bridge Domain, expand Networking and right-click "Create Bridge Domain" to open the dialog box and fill out the form.
- In the L2 Unknown Unicast box, select "Hardware Proxy".
3. Click "NEXT".
4. Complete the Bridge Domain configuration and click "Finish".
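To audit and remediate this setting across a whole fabric rather than clicking through each Bridge Domain, the following Python script is an added example; it is not part of the STIG or of STIGhub. It assumes the APIC REST API (POST /api/aaaLogin.json for a session token returned as the APIC-cookie, GET /api/node/class/fvBD.json to list bridge domains, POST /api/mo/<dn>.json to change one) and that the fvBD attribute unkMacUcastAct carries the L2 Unknown Unicast mode, "proxy" for Hardware Proxy and "flood" for Flood. The APIC_URL/APIC_USER/APIC_PASS variables, the exempt_tenants option and the three sample bridge domains are constructed for this example.

```python
"""Audit Cisco ACI bridge domains for L2 Unknown Unicast = Hardware Proxy.

Added example, not part of the STIG or of STIGhub. Assumes the APIC REST API:
GET /api/node/class/fvBD.json lists bridge domains, and the fvBD attribute
unkMacUcastAct is "proxy" (Hardware Proxy) or "flood" (Flood). The bridge
domains in SAMPLE_RESPONSE are constructed for this example.
"""
import json
import os
import ssl
import urllib.request

# Constructed: the shape of GET /api/node/class/fvBD.json with three invented BDs.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "3",
    "imdata": [
        {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-Web", "name": "Web",
                                 "unkMacUcastAct": "proxy", "arpFlood": "no"}}},
        {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-Legacy", "name": "Legacy",
                                 "unkMacUcastAct": "flood", "arpFlood": "yes"}}},
        {"fvBD": {"attributes": {"dn": "uni/tn-infra/BD-default", "name": "default",
                                 "unkMacUcastAct": "proxy", "arpFlood": "no"}}},
    ],
})


def tenant_of(bd_dn: str) -> str:
    """Extract the tenant name from a bridge domain DN such as uni/tn-Prod/BD-Web."""
    for part in bd_dn.split("/"):
        if part.startswith("tn-"):
            return part[len("tn-"):]
    raise ValueError(f"not a tenant-scoped DN: {bd_dn}")


def audit_bridge_domains(payload: str, exempt_tenants=()) -> list:
    """Return one finding per bridge domain whose unkMacUcastAct is not 'proxy'.

    exempt_tenants is an assumption of this example: the STIG scopes the rule to
    bridge domains serving user-facing or untrusted ports, so an operator may
    choose to skip fabric-internal tenants after documenting that decision.
    """
    findings = []
    for item in json.loads(payload)["imdata"]:
        attrs = item["fvBD"]["attributes"]
        if tenant_of(attrs["dn"]) in exempt_tenants:
            continue
        mode = attrs.get("unkMacUcastAct", "")
        if mode != "proxy":
            findings.append({"dn": attrs["dn"], "name": attrs["name"],
                             "unkMacUcastAct": mode})
    return findings


def remediation_payload(bd_dn: str) -> dict:
    """Body for POST /api/mo/<bd_dn>.json that switches the BD to Hardware Proxy."""
    return {"fvBD": {"attributes": {"dn": bd_dn, "unkMacUcastAct": "proxy"}}}


def apic_login(apic_url: str, username: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST /api/aaaLogin.json and return the session token (sent back as APIC-cookie)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}}).encode()
    req = urllib.request.Request(f"{apic_url}/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def fetch_bridge_domains(apic_url: str, token: str, ctx: ssl.SSLContext) -> str:
    """GET every fvBD object in the fabric and return the raw JSON body."""
    req = urllib.request.Request(f"{apic_url}/api/node/class/fvBD.json",
                                 headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    apic_url = os.environ.get("APIC_URL")  # assumed, e.g. https://apic.example.test
    if apic_url:
        ctx = ssl.create_default_context()  # keep TLS verification on; trust the APIC CA
        token = apic_login(apic_url, os.environ["APIC_USER"], os.environ["APIC_PASS"], ctx)
        payload = fetch_bridge_domains(apic_url, token, ctx)
    else:
        payload = SAMPLE_RESPONSE  # offline run against the constructed sample
    for f in audit_bridge_domains(payload):
        print(f"FINDING {f['dn']}: L2 Unknown Unicast = {f['unkMacUcastAct']!r}")
        print("  remediate: POST /api/mo/%s.json %s"
              % (f["dn"], json.dumps(remediation_payload(f["dn"]))))
```

Run without APIC_URL set and the script reports the constructed "Legacy" bridge domain as the only finding; with APIC_URL, APIC_USER and APIC_PASS set it queries the live fabric instead. The script only prints the remediation POST rather than sending it, so the silent-host caveat above can be checked per Bridge Domain before the change is applied.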