To limit unknown unicast and multicast traffic on all ports in MikroTik, you can follow these steps:

1. Log in to your MikroTik router using Winbox or the web interface.
2. Go to the “Bridge” menu and select “Ports”.
3. Select all ports by holding down the “Shift” key and clicking on each port.
4. Click on the “Edit” button to edit the selected ports.
5. In the “Port Settings” window, go to the “Advanced” tab.
6. Check the “Limit unknown unicast” and “Limit unknown multicast” options.
7. Set the appropriate limits for each option.
8. Click on “Apply” to save the changes.

By enabling these options and setting limits, you can prevent excessive unknown unicast and multicast traffic from flooding your network, which can improve overall network performance and security.

/interface ethernet switch port set [find] storm-rate=100 limit-broadcasts=yes limit-unknown-unicasts=yes limit-unknown-multicasts=yes

Then disable L3 hardware offloading (L3HW):

/interface/ethernet/switch/port set [find] l3-hw-offloading=no

/interface/ethernet/switch set 0 l3-hw-offloading=no

/interface/ethernet/switch/l3hw-settings/set ipv6-hw=no

and then re-enable L3HW:

/interface/ethernet/switch/port set [find] l3-hw-offloading=yes

/interface/ethernet/switch set 0 l3-hw-offloading=yes

/interface/ethernet/switch/l3hw-settings/set ipv6-hw=yes

Explanation

unknown-multicast-flood (yes | no; Default: yes)
When enabled, the bridge floods unknown multicast traffic to all bridge egress ports. When disabled, it drops unknown multicast traffic on egress ports. Multicast addresses that are in /interface bridge mdb are considered learned multicasts and therefore will not be flooded to all ports. Without IGMP Snooping all multicast traffic will be dropped on egress ports. Has effect only on an egress port. This option does not limit traffic flood to the CPU. Note that local multicast addresses (224.0.0.0/24) are not flooded when unknown-multicast-flood is disabled; as a result, some protocols that rely on local multicast addresses might not work properly. Such protocols include RIPv2, OSPF, mDNS, VRRP and others. Some protocols do send an IGMP join request and therefore are compatible with IGMP Snooping; some OSPF implementations are compatible with RFC1584, but the RouterOS OSPF implementation is not compatible with IGMP Snooping. This property should only be used when igmp-snooping is set to yes.

unknown-unicast-flood (yes | no; Default: yes)
When enabled, the bridge floods unknown unicast traffic to all bridge egress ports. When disabled, it drops unknown unicast traffic on egress ports. If a MAC address is not learned in /interface bridge host, then the traffic is considered unknown unicast traffic and will be flooded to all ports. A MAC address is learnt as soon as a packet is received on a bridge port; the source MAC address is then added to the bridge host table. Since the bridge must receive at least one packet on the bridge port to learn the MAC address, it is recommended to use static bridge host entries to avoid packets being dropped until the MAC address has been learnt. Has effect only on an egress port. This option does not limit traffic flood to the CPU.
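
The two bridge-port properties explained above, applied together with the prerequisites the explanation names (IGMP snooping and a static host entry). This is an added example, not taken from the original page; the bridge name bridge1, the port ether2 and the MAC address are placeholders.

```routeros
# Added example. bridge1, ether2 and the MAC address are assumed placeholders.

# 1. unknown-multicast-flood=no should only be used with IGMP snooping enabled,
#    otherwise all multicast is dropped on the egress port.
/interface bridge set bridge1 igmp-snooping=yes

# 2. Add a static host entry so traffic to this device is never treated as
#    unknown unicast (no drops while waiting for the MAC to be learnt).
/interface bridge host add bridge=bridge1 interface=ether2 mac-address=02:00:00:00:00:01

# 3. Stop flooding unknown unicast and unknown multicast out of this egress port.
#    Local multicast (224.0.0.0/24) is no longer flooded here, so do not apply
#    this to ports that carry OSPF, VRRP, RIPv2 or mDNS.
/interface bridge port set [find where bridge=bridge1 interface=ether2] unknown-unicast-flood=no unknown-multicast-flood=no

# 4. Verify what the bridge now treats as learned unicast and multicast.
/interface bridge host print where bridge=bridge1
/interface bridge mdb print
```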
