Unicast Flood

In computer networking, a unicast flood is when a switch receives a unicast frame and treats it as a broadcast frame, flooding the frame to all other ports on the switch.


Background

The term ''unicast'' refers to a one-to-one transmission from one point in the network to another point. Conventionally, unicast is considered more secure because the frame is delivered solely to the intended recipient and not to multiple hosts. [Diagram: unicast transmission of a frame from one network host to another.]

When a switch receives a unicast frame with a destination address not in the switch's forwarding table (also known as the MAC table), the frame is treated like a broadcast frame and sent to all hosts on the network. [Diagram: an unknown-unicast frame flooded to all ports.]


Causes

The learning process of transparent bridging requires that the switch receive a frame from a device before unicast frames can be forwarded to it. Before any such transmission is received, unicast flooding is used to ensure transmissions reach their intended destination. This is normally a short-lived condition, as receipt typically produces a response that completes the learning process. The process occurs when a device is initially connected to a network, or when its entry is purged from the forwarding information base. An entry is purged when the device is moved from one port to another (causing the link status to change on the original port) or after a MAC table entry expires due to inactivity (5 minutes is the default on Cisco switches).

A switch that has no room left in its address cache will flood the frame out to all ports. This is a common problem on networks with many hosts. Less common is the artificial flooding of address tables; this is termed MAC flooding.

Another common cause is hosts with ARP timers longer than the address cache timeout on switches: the switch forgets which port connects to the host while the sending host still has a cached MAC address and has no reason to re-ARP. The solution is to configure the switch with a MAC address timeout longer than the ARP timeout. For example, set the MAC timeout to 360 seconds and the ARP timeout to 300 seconds.

Devices other than switches may create unicast floods as well. A router which has a bridge interface but does not have the destination frame's address in the bridge cache will flood the frame out to all bridge members.

Misconfigured network features may lead to unicast flooding as well. If there are two layer 2 paths from Host A to Host B, and Host A uses path 1 to talk to Host B but Host B uses path 2 to respond to Host A, then the intermediate switches on path 1 will never learn the MAC address of Host B and the intermediate switches on path 2 will never learn the MAC address of Host A.

A final cause of unicast floods is topology changes. When the link state changes on a network port which participates in rapid spanning tree, the address cache on that switch is flushed, causing all subsequent frames to be flooded out of all ports until the addresses are learned again by the switch.
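The learning and flooding behaviour described in the Background and Causes sections, modelled as a small learning switch so the effect of the MAC-aging versus ARP-timeout relationship can be measured. This is an added example, not code from the original article; the hosts, ports, MAC addresses and the 300/360-second timer values are constructed (the timers follow the article's own example), and the rule that a full address cache simply learns nothing is a simplifying assumption, since real switches differ in how they handle a full table.

```python
# Learning-switch model: shows why unknown-unicast floods happen and how the
# MAC-aging vs ARP-timeout relationship decides whether they persist.
# Added example; hosts, ports, MACs and timer values are constructed.
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, aging=300, capacity=None):
        self.ports = list(ports)      # port identifiers on this switch
        self.aging = aging            # MAC table inactivity timeout (seconds)
        self.capacity = capacity      # None = unlimited address cache
        self.table = OrderedDict()    # mac -> (port, last_seen)
        self.unknown_unicast = 0      # frames flooded because dst was unknown

    def _expire(self, now):
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.aging]:
            del self.table[mac]

    def receive(self, in_port, src, dst, now):
        """Learn src on in_port, then return the egress port list for the frame."""
        self._expire(now)
        if src in self.table or self.capacity is None or len(self.table) < self.capacity:
            self.table[src] = (in_port, now)   # learn/refresh; a full cache learns nothing (assumption)
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return others                       # ordinary broadcast
        if dst in self.table:
            return [self.table[dst][0]]         # known unicast: exactly one port
        self.unknown_unicast += 1
        return others                           # unknown unicast: flooded like a broadcast

def floods_per_cycle(mac_aging, arp_timeout, duration=720):
    """Host A (port 1) sends a unicast frame to host B (port 2) every second; B is
    otherwise silent and only refreshes ARP (a broadcast) every arp_timeout seconds.
    Returns how many of A's frames the switch flooded during `duration` seconds."""
    sw = LearningSwitch(ports=[1, 2, 3], aging=mac_aging)
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MAC addresses
    sw.receive(2, b, BROADCAST, now=0)                  # B's initial ARP: switch learns B
    for t in range(1, duration + 1):
        if t % arp_timeout == 0:
            sw.receive(2, b, BROADCAST, now=t)          # B's periodic ARP refresh
        sw.receive(1, a, b, now=t)                      # A's steady unicast traffic to B
    return sw.unknown_unicast

if __name__ == "__main__":
    print("MAC aging 300s < ARP 360s:", floods_per_cycle(300, 360), "flooded frames")
    print("MAC aging 360s > ARP 300s:", floods_per_cycle(360, 300), "flooded frames")
```

With the mismatched timers every frame sent in the 60 seconds between the MAC entry expiring and B's next ARP refresh is flooded; with the MAC timeout longer than the ARP timeout none are.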


Remedies

Blocking unicast floods on a Cisco switch is easy to do, but it is not enabled by default. After ensuring that timeouts and/or security features have been configured to maintain table entries on client access ports longer than typical host ARP cache timeouts, this command is used to quiet down the unicast floods on those ports:

    Switch(config-if)# switchport block unicast

Other techniques involve isolating hosts at Layer 2, which blocks intra-LAN communication not destined to specific nodes providing a shared service (e.g. a router). A handy tool for this is protected ports (ports which are forbidden to communicate with other protected ports), available in lower-end switches:

    Switch(config-if)# switchport protected

A more robust, cross-switch solution than 'switchport protected' is the use of Private VLANs.

To block flooding on a Linux machine modern enough to have iproute2 installed, you can turn off unknown-unicast flooding on a bridge port (here the interface phy6) by running:

    bridge link set dev phy6 flood off

To set a MAC timeout larger than the ARP timeout, these commands can be issued (the bridge ageing time and the neighbour gc_stale_time are both in seconds):

    brctl setageing br0 330; echo 300 > /proc/sys/net/ipv4/neigh/br0/gc_stale_time

Most modern switches, high and low end, support flooding protection.


Effects on Networks

When a network is experiencing unicast flooding, network performance is degraded. [Graph: traffic on a bridge before and after adjusting the size of the bridge address cache.] In the graph, 80% of the frames were flooded out, never to be received by the destination address, while 20% were valid traffic. In high-volume networks, the flooded traffic may cause ports to saturate and lead to packet loss and high latency.

Another side effect of exhausted address tables is the compromise of data. The security considerations are discussed under MAC flooding, one of several causes of unicast floods. If an end user is running a packet sniffer, the flooded frames could be captured and viewed.


See also

* Broadcast, unknown-unicast and multicast traffic (BUM traffic)

