Category Archives: Information Technology

Excessive Unknown Unicast Frames

Unknown Unicast frames are simply frames with a destanation MAC Address not listed in the switches table.

The first step is to determine what this traffic actually is (typically with a packet capture):

Is this malicious traffic?
Is this legitimate traffic?

Malicious Traffic:
Can we stop the traffic from happening altogether via patching or software updates?
If not our best bet is probably an ACL or firewall rule as close to the source as we can get.

Legitimate Traffic:
Solution varies greatly, depending on what the traffic is and why it’s unknown.

Is the destination unknown simply because the destination never transmits or broadcasts?
If so a static MAC Address entry might be warranted.

Is the destination unknown because that’s the way the protocol works such as Microsoft Network Load Balancing?
If so the best bet is to segregate that traffic via hardware or vlans.
If segregating the traffic isn’t an option, then one solution would be to block this traffic from exiting unwanted traffic via an ACL.

This is also assuming the layer 2 network is working as expected. There are other unlikely reasons the switch may not have an address in its table such as being flooded with Topology Change Notifications or even software/hardware. But again in terms of probability those are very low.