For IP routed traffic, the Accelar routing switch is always effective in blocking traffic destined to an unknown MAC address and can generally block traffic sent from an unknown MAC address.
The routing switch can always block traffic destined to a MAC address for which there is no static ARP entry, no entry in the allowed MAC table, and no static entry in the VLAN fdb.
When the routing switch needs to route a frame to an unknown MAC address, it will send an ARP request for the MAC address of the end station. If the MAC address that replies to the ARP request meets all of these three criteria (no static ARP entry, no entry in the allowed MAC table, and no static entry in the VLAN fdb), the router ignores the ARP reply and sends an ICMP unreachable message back to the originating device.
To block routed traffic from an unknown MAC address, the routing switch ignores ARP requests originating from unknown MAC addresses. In general, this procedure prevents the station from effectively sending routed traffic. Any return traffic is also blocked, provided the condition above holds.
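The ARP handling described above can be modelled as a small decision table. This is an added example, not Nortel code: the class, method and action names are hypothetical, and the MAC and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field

def norm(mac: str) -> str:
    """Canonical form so 00-A0-C9-.. and 00:a0:c9:.. compare equal."""
    return mac.lower().replace("-", ":")

@dataclass
class RoutedVlan:
    # The three tables the text names (field names are hypothetical).
    static_arp: dict = field(default_factory=dict)    # ip -> mac
    allowed_macs: set = field(default_factory=set)
    static_fdb: set = field(default_factory=set)
    arp_cache: dict = field(default_factory=dict)     # learned ip -> mac

    def is_known(self, mac: str) -> bool:
        """Known = present in at least one table; unknown = absent from all three."""
        mac = norm(mac)
        tables = (self.static_arp.values(), self.allowed_macs, self.static_fdb)
        return any(mac == norm(m) for table in tables for m in table)

    def on_arp_reply(self, ip: str, mac: str) -> str:
        """The router ARPed for `ip` while routing a frame and `mac` answered."""
        if not self.is_known(mac):
            # Reply is dropped; the originating device gets ICMP unreachable.
            return "ignore-reply+icmp-unreachable"
        self.arp_cache[ip] = norm(mac)
        return "learn+forward"

    def on_arp_request(self, sender_mac: str) -> str:
        """A station ARPs for the router's address, e.g. its default gateway."""
        return "reply" if self.is_known(sender_mac) else "ignore-request"

def demo() -> dict:
    # Constructed sample data: one allowed MAC, one static fdb entry.
    vlan = RoutedVlan(allowed_macs={"00:A0:C9:11:22:33"},
                      static_fdb={"00-a0-c9-44-55-66"})
    return {
        "reply_allowed": vlan.on_arp_reply("10.1.1.10", "00-a0-c9-11-22-33"),
        "reply_unknown": vlan.on_arp_reply("10.1.1.66", "02:00:00:de:ad:01"),
        "request_fdb": vlan.on_arp_request("00:A0:C9:44:55:66"),
        "request_unknown": vlan.on_arp_request("02:00:00:de:ad:01"),
        "cache": dict(vlan.arp_cache),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unknown station never enters the ARP cache in this model, which is why return traffic toward it is blocked as well.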
Note:
If security is a primary concern, Nortel Networks recommends that Unknown MAC Discard be configured to take the port administratively down on any routed VLANs when a MAC violation occurs.