Flood Blocking - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Security Features

Flood Blocking

Flood blocking enables users to disable the flooding of unicast and multicast packets on a per-port basis.
Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port
because a MAC address has timed out or has not been learned by the switch.
For information on flood blocking, see Chapter 53, "Port Unicast and Multicast Flood Blocking."
Hardware-Based Control Plane Policing
Control Plane Policing provides a unified solution to limit the rate of CPU-bound control plane traffic in
hardware. It enables users to install system-wide control plane ACLs to protect the CPU by limiting rates
or filtering out malicious DoS attacks. Control plane policing ensures network stability, availability,
and packet forwarding, and prevents network outages such as loss of protocol updates despite an attack
or heavy load on the switch. Hardware-based control plane policing is available for all
Catalyst 4500 supervisor engines. It supports various Layer 2 and Layer 3 control protocols, such as
CDP, EAPOL, STP, DTP, VTP, ICMP, CGMP, IGMP, DHCP, RIPv2, OSPF, PIM, TELNET, SNMP,
HTTP, and packets destined to 224.0.0.* multicast link-local addresses. Predefined system policies or
user-configurable policies can be applied to those control protocols.
Through Layer 2 Control Packet QoS, you can police control packets arriving on a physical port or
VLAN; it enables you to apply QoS to Layer 2 control packets.
For information on control plane policing and Layer 2 control packet QoS, see Chapter 48, "Configuring
Control Plane Policing and Layer 2 Control Packet QoS."
IP Source Guard
Similar to DHCP snooping, this feature is enabled on an untrusted Layer 2 port that is configured for
DHCP snooping. Initially, all IP traffic on the port is blocked except for the DHCP packets, which are
captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP
server, a PVACL is installed on the port, which restricts the client IP traffic to clients with assigned
IP addresses, so any IP traffic with a source IP address other than those assigned by the DHCP server
is filtered out. This filtering prevents a malicious host from attacking a network by hijacking a
neighbor host's IP address.
For information on configuring IP Source Guard, see Chapter 50, "Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts."
IP Source Guard for Static Hosts
This feature allows you to secure the IP address learned from static hosts by using ARP packets and then
bind that IP address to a given MAC address using the device tracking database, allowing entries to
survive link-down events.
IP Source Guard (IPSG) for static hosts allows multiple bindings per port, per MAC address for both
DHCP and static hosts, in both the device tracking database and the DHCP snooping binding database. The
feature allows you to take action when a limit is exceeded.
For information on configuring IPSG for static hosts, see Chapter 50, "Configuring DHCP Snooping, IP
Source Guard, and IPSG for Static Hosts."
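As an added configuration example (not from the manual; the command syntax is assumed from the Catalyst 4500 IOS CLI and should be checked against the chapters referenced above), the following shows one access port protected by DHCP-snooping-based IP Source Guard, a second port protected by IPSG for static hosts with a device-tracking binding limit, and unicast/multicast flood blocking on both, followed by the show commands that confirm the bindings.

```cisco
! Constructed example: hosts live in VLAN 10, Gi1/48 is the uplink towards the
! DHCP server, Gi1/1 carries DHCP clients, Gi1/2 carries a statically addressed
! host. Interface names and the VLAN number are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
! Device tracking builds the IP-to-MAC bindings that IPSG for static hosts uses
ip device tracking
!
interface GigabitEthernet1/48
 description Uplink to DHCP server (trusted)
 ip dhcp snooping trust
!
interface GigabitEthernet1/1
 description Untrusted port, DHCP clients
 switchport mode access
 switchport access vlan 10
 ! Only DHCP passes until the client holds a lease; afterwards the PVACL
 ! permits traffic only from the leased source IP address.
 ip verify source vlan dhcp-snooping
 ! Do not let unknown-unicast or multicast floods reach this port
 switchport block unicast
 switchport block multicast
!
interface GigabitEthernet1/2
 description Untrusted port, static host
 switchport mode access
 switchport access vlan 10
 ! Bindings are learned from ARP into the device tracking database and
 ! survive link-down events; the limit caps bindings on this port.
 ip verify source tracking
 ip device tracking maximum 3
 switchport block unicast
 switchport block multicast
!
! Verification (expected once the DHCP client holds a lease and the static
! host has sent ARP):
! show ip verify source          -> Gi1/1 and Gi1/2 listed with an active filter
! show ip dhcp snooping binding  -> the lease for the Gi1/1 client in VLAN 10
! show ip device tracking all    -> the IP/MAC binding for the Gi1/2 host
```

Traffic sourced from an address that matches neither a DHCP snooping binding nor a device tracking entry is dropped at the port, which is the spoofing case the feature description above addresses.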
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01, Chapter 1, Product Overview, page 1-34
