The unicast-suppression block outbound command configures an interface to block outgoing unknown unicast packets.
The undo unicast-suppression block outbound command cancels the configuration.
By default, an interface does not block outgoing unknown unicast packets.
Views
Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, port group view
Usage Scenario
After an interface receives an unknown unicast packet, the interface broadcasts the packet to all users in the same VLAN. This may cause information leakage. For example, if an unauthorized user is connected to an interface in a VLAN, the unauthorized user can obtain a host's address from unknown unicast packets and use the address to attack the host. To prevent information leakage, use the unicast-suppression block outbound command to block outgoing unknown unicast packets on an interface if users connected to the interface do not need to receive broadcast packets. For example, if users on an interface seldom change and require high security, you can use this command on the interface.
Precautions
The unicast-suppression block outbound command is applicable only to interfaces where users do not need to receive unknown unicast packets. This command will affect network operations if it is used on an interface where users need to receive unknown unicast packets.
Traffic suppression can be configured for incoming and outgoing packets on an interface, and the configurations are independent of each other. On an interface, use the unicast-suppression command to limit the rate of incoming unknown unicast packets and the unicast-suppression block outbound command to block outgoing unknown unicast packets.
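Because the inbound limit and the outbound block are independent settings, a configuration review has to check each interface for both. The following audit script is an added example, not part of the original command reference. It assumes a saved configuration in which each interface stanza starts with an unindented "interface <name>" line and ends at "#"; the sample configuration, the interface names and the "packets 12600" inbound form are constructed for illustration.

```python
import re

# Constructed sample in the style of a saved switch configuration. Interface
# names are made up; the "packets 12600" inbound form is an assumed example.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type access
 unicast-suppression block outbound
#
interface GigabitEthernet0/0/2
 port link-type access
 unicast-suppression packets 12600
#
interface GigabitEthernet0/0/3
 unicast-suppression packets 12600
 unicast-suppression block outbound
#
interface GigabitEthernet0/0/4
 port link-type trunk
#
"""
BLOCK = "unicast-suppression block outbound"

def audit(config_text):
    """Map each interface to its inbound limit (or None) and outbound-block flag."""
    result, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", raw)
        if m:  # unindented "interface <name>" opens a new stanza
            current = m.group(1)
            result[current] = {"inbound_limit": None, "outbound_block": False}
        elif raw[:1] != " ":  # "#" or any top-level line closes the stanza
            current = None
        elif current and line == BLOCK:
            result[current]["outbound_block"] = True
        elif current and line.startswith("unicast-suppression "):
            # Any other unicast-suppression line is the inbound rate limit.
            result[current]["inbound_limit"] = line.split(" ", 1)[1]
    return result

def missing_outbound_block(config_text):
    """Interfaces that still flood unknown unicast packets outbound."""
    return [name for name, s in audit(config_text).items() if not s["outbound_block"]]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(name, state)
```

Interfaces returned by missing_outbound_block are candidates for review only; per the precautions above, uplinks and other ports whose users need unknown unicast packets should be left at the default.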