Unknown Unicast Flood Blocking (UUFB)
Introduction
Document Number
ENG-010691
Purpose
The purpose of this document is to explain the Unknown Unicast Flood Blocking (UUFB) feature of the Tellabs OLAN product.
Applies To
All Tellabs OLTs and ONTs.
System Release
SR31.4.18, OLR Version SR31.4_605054. EMS-SR31.4.0.AJ and above.
What is UUFB
Unknown Unicast Flood Blocking (UUFB) is a standard feature on switches that allows the administrator to block all unknown unicast traffic from being flooded. This is primarily a security feature and also protects the system from excessive flooding.
In a normal switch, when a destination MAC has not yet been learned by the system, the switch floods the frame to all ports except the receiving port, much like a broadcast. This is expensive on switching resources and, in addition, allows an attacker to learn a lot about the adjacent ports. Additionally, many MAC spoofing exploits fill the MAC table with bogus MACs to force legitimate traffic to flood so that it can be snooped and possibly used to set up a MiTM attack. Stopping the flooding of unknown unicast addresses these issues.
Please note that enabling UUFB will delay connectivity with a device until that device sends at least one frame with its own MAC as the source address, so that the MAC can be learned by the system. This may also be problematic for some IoT and special-purpose devices that do not often emit packets. Enabling UUFB is a global setting and affects all VLANs.
Two mitigations help address these issues. The first is using a sticky MAC on the port to ensure the MAC stays statically applied to the port. Note that sticky MAC cannot be combined with 802.1x or MAB. The second is increasing the bridge timer so that the MAC remains in the table for a longer time period before aging out.
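The behaviour described above, as an added example that is not Tellabs code: a simplified learning-bridge model showing how a rarely-talking device is treated with UUFB off, with UUFB on, with a longer aging timer, and with a sticky MAC. The class, function names, port numbers, timestamps and MAC addresses are all constructed for illustration.

```python
# Simplified learning-bridge model (added illustration, not Tellabs code).
FLOOD, FORWARD, DROP = "flood", "forward", "drop"

class Bridge:
    def __init__(self, ports, age_time=300, block_unknown_unicast=False):
        self.ports = set(ports)
        self.age_time = age_time            # seconds, like bridge-age-time
        self.uufb = block_unknown_unicast   # like block-unknown-unicast
        self.table = {}                     # mac -> (port, last_seen); None = sticky

    def add_sticky(self, mac, port):
        self.table[mac] = (port, None)      # static entry, never ages out

    def receive(self, now, in_port, src, dst):
        """Learn src, then decide what happens to a unicast frame for dst."""
        # Age out dynamic entries that have been silent for age_time seconds.
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if t is None or now - t < self.age_time}
        entry = self.table.get(src)
        if entry is None or entry[1] is not None:    # never overwrite a sticky entry
            self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is not None:
            return FORWARD, [entry[0]]
        if self.uufb:
            return DROP, []                           # unknown unicast is blocked
        return FLOOD, sorted(self.ports - {in_port})  # every port except ingress

def silent_device_demo(uufb, sticky=False, age_time=200):
    """Decisions for frames sent to a rarely-talking device on port 3."""
    br = Bridge([1, 2, 3], age_time=age_time, block_unknown_unicast=uufb)
    sensor, pc = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
    if sticky:
        br.add_sticky(sensor, 3)
    out = [br.receive(0, 1, pc, sensor)]        # sensor has not sent anything yet
    br.receive(10, 3, sensor, pc)               # sensor emits its one frame
    out.append(br.receive(20, 1, pc, sensor))   # sensor's MAC is now learned
    out.append(br.receive(260, 1, pc, sensor))  # sensor silent for 250 s
    return out

if __name__ == "__main__":
    for label, kw in [("UUFB off", dict(uufb=False)),
                      ("UUFB on", dict(uufb=True)),
                      ("UUFB on, age 300", dict(uufb=True, age_time=300)),
                      ("UUFB on, sticky", dict(uufb=True, sticky=True))]:
        print(f"{label:18}", silent_device_demo(**kw))
```

The model ignores VLANs and table capacity; it only tracks learning, aging and the flood-or-drop decision for an unknown destination.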
Set UUFB in EMS
To set UUFB use the following procedure.
- Log on to EMS, left-click on the Network, and select Properties from the dropdown list.

- Select the Bridging tab, input Aging Time (default 300), and check the Block Unknown Unicast Packets box.

- Click on the Apply button to block unknown unicast packets.
- If needed, you can also adjust the aging timer so that IoT or other devices that do not often send packets into the network do not age out of the system.
Configuring Sticky MAC
Information on configuring sticky MAC can be found in Using ACLs.
Set UUFB in CLI
Log on to the CLI to access the command line.
The bridge commands cover all bridge-related configuration.
- Command Path - ne bridge
- Object - bridge
- Actions -
  - Edit - modify ethernet-bridge configuration
    - block-unknown-unicast= - block unknown unicast
      - true|false
    - bridge-age-time= - bridge age time
      - 0-300 seconds (default 300)
  - Show - Display detailed ethernet-bridge configuration
    - Verbose - Display verbose ethernet-bridge configuration results
  - Status - Display detailed ethernet-bridge status
    - Verbose - Display verbose ethernet-bridge status results
Edit
- From an ESUx> command line, input ne bridge edit block-unknown-unicast=true bridge-age-time=200, and press Enter. Output similar to the following is displayed:
ESUx> ne bridge edit block-unknown-unicast=true bridge-age-time=200 <enter>
Success
ESUx> _
Bridge Show
- From the ESUx> command line, input ne bridge show verbose, and press Enter. Output similar to the following is displayed:
ESUx> ne bridge show verbose <enter>
bridge-age-time: 200
block-unknown-unicast: 1
ESUx> _
Bridge Status
- From an ESUx> command line, input ne bridge status verbose, and press Enter. Output similar to the following is displayed: