How does a switch learn MAC Addresses

Hi Rene and staff,
there is a huge amount of information in the forum, so it is hard to be sure an answer to a question is not already in it; so I apologize if this is the case.
I am reviewing the switch mechanism: perhaps it is basic, but my CCNA is far away.
Except for bad frames, I am very surprised that a switch does not drop UNICAST frames when the dest MAC is unknown: on the contrary, it floods the frame on all other ports (I cannot find the word drop in the web page).
I am talking only about UNICAST (flooding broadcast or all kinds of multicast frames is OK).

For unicast frames with IPv4, the sender has to build the frame using ARP, so there are only 3 cases:

  • the sender already knows the dest MAC: it can build and send the frame
  • the sender does not know the dest MAC; it sends an ARP request and gets a reply, so it can build and send the frame
  • the sender does not know the dest MAC; it sends an ARP request and does not get a reply, so it CANNOT build the frame; consequently it cannot send the frame and drops the frame (that is the sender, not the switch)

So first, in what context would a SW receive a UNICAST frame with an UNKNOWN dest MAC?

  1. Suppose that a legitimate sender (with an approved source MAC) has a malicious program in it and is not aware of it: that program permanently builds and sends frames with an unknown unicast dest MAC (= one that will never be present on the LAN); so in this case, will the SW permanently flood these frames on the other ports? Also, I am sure you can put rate limits in place to solve this issue, but wouldn't the best way for the SW be to drop frames with an unknown UNICAST dest MAC? Could you clarify?

Take the example below with a bridge which segments the LAN in two parts:

Suppose A sends a UNICAST frame to C, which does not exist on the LAN: does the bridge flood the frame on the other segment or drop the frame?
I am confused, could you clarify?
Regards

Hello Dominique

It all has to do with timers. The default MAC address table timeout is 300 seconds or 5 minutes. If a host has an ARP table timeout that is larger than that, then you can have a situation where the destination MAC address is not in the MAC address table of the switch, but still exists in the ARP table of the host. So the host will send a frame with that destination MAC without sending an ARP packet. The switch will not have the MAC address in its table, and will flood the frame.

Another case where you will have unicast flooding is in the case of asymmetric routing, something that is further described in this lesson:

Additional causes of flooding can be found in this Cisco document:

Now how do you deal with this flooding? There are several things you can do.

  1. Make sure your network design is correct so that the situations in the above stated documentation and links are avoided.
  2. Use the switchport block unicast command on Cisco IOS switches. More about this can be found at this Cisco documentation.
  3. You can also use the switchport protected command, more about which you can read at this Cisco documentation.

The switch will continue to flood the frame unless one of the above configurations is implemented.

I hope this has been helpful!

Laz

Why does the trunk port of SW1 learn about the hosts connected to SW2 but not the hosts connected to itself?

Hello Ananth

A switch will populate its MAC address table based on the source MAC address of incoming frames on a particular port. For this reason, Gi0/3 (regardless of whether it is configured as an access or trunk port) will have MAC table entries only for the MAC addresses of H3 and H4. This is because you will never see an incoming frame with a source MAC address of H1 or H2 on Gi0/3. Those MAC addresses are recorded as corresponding to Gi0/1 and Gi0/2, respectively, which will see incoming frames with those MAC addresses in the source field.

I hope this has been helpful!

Laz

I have one question here.

What if H1 sends a packet without a source MAC address (blank) and with H2 as the destination address? In that case, what will the switch do?

Hello Rahul

A host cannot have a blank value for the source MAC address in the header of the Ethernet frame. The possible values for the 48 bit MAC address range (in hex) from 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF, so you can’t have a blank value.

The special case of 00:00:00:00:00:00 is used for localhost MAC address or it is used in ARP requests as the target hardware address whenever this is unknown, but in such cases, the field is ignored.

I hope this has been helpful!

Laz

Hello Laz,

thanks for responding to my earlier queries.

Please confirm: does mac-learning-limit on a port channel in Dell switches restrict the DHCP behaviour of IPv6?

Is it so?

BR//
Nitin Arora

Hello Nitin

Hmm, I can’t respond with certainty about how Dell switches work, but I can make an educated guess based on how link aggregation, DHCP, and MAC address learning works in general.

MAC learning has to do with populating the MAC address table. This is achieved both with regular switchports as well as port-channel link aggregated ports. However, this has nothing to do with DHCP for either IPv4 or IPv6. DHCP is a whole different mechanism that doesn’t use MAC address tables of switches, but uses DHCP servers with scopes that correspond a MAC address with a Layer 3 address, either IPv4 or IPv6.

Can you clarify the question you are asking? What do you mean when you say DHCP behavior of IPv6?

I hope this has been helpful!

Laz

Hi Rene,
I got a question during my lab.
Topology: A printer was connected to the Gi1/0/24 port and a PC was connected to the Gi1/0/2 port of the same C29060S switch.
Problem:
Right after the equipment had been set up, the PC was able to reach the printer.
Then I left the equipment idle for 3 hours and checked the MAC address table of the switch again. I found the printer was not on the list, but the PC was. I pinged the printer with the command ping 192.168.0.102 -t and captured the transaction with Wireshark. An ARP broadcast every 60 seconds could be observed. However, the printer just didn't respond to it. I suspected the cause might be that the printer went to sleep. So I bypassed the switch to see what would happen. A few seconds later the printer woke and responded to the PC. That is to say, the printer would be woken if the ARP broadcast could reach the printer.
So, I infer my switch went into hibernation and couldn't be woken by a broadcast.
If I don't want the switch to go into hibernation, what can I do?

Best Regards,
Charles

Hello Charles

It is unlikely that the switch goes into hibernation mode. If there is a switch on the market that does that, it will definitely cause many problems for many users. I believe the problem is elsewhere.

When you say you bypassed the switch, what do you mean? Did you remove the switch from the path? In order to determine if the specific switch is at fault, you must recreate the same situation. Did you find that the MAC address of the printer was not in the switch’s MAC address table, and did you check the Wireshark captures once again? If that is the case, and the switch is indeed at fault, it is not because of hibernation. I believe that the switch is either defective or is not forwarding ARP broadcasts to the printer.

Are all of these Cisco switches or other vendor switches? Can you give us some more info about the specific switch that seems to be causing this problem?

I hope this has been helpful!

Laz

Hi Laz,

Thank you very much for your reply.

Bypass means the printer and the PC were unplugged from the switch and then connected to each other directly.

Before the switch was bypassed, I found that the MAC address of the printer was not in the switch's MAC address table. Then I pinged the printer with the command ping 192.168.0.102 -t and captured the transaction with Wireshark. I found an ARP broadcast every 60 seconds but the printer didn't respond. Obviously, the switch didn't forward the ARP broadcast to the printer.

It is unlikely that the switch is defective because I have another 2 switches (WS-C3750V2-24TS and WS-C3550-24-EMI) and all of them behave the same.

Best Regards,

Charles

Lazaros Agapides via NetworkLessons.com Community Forum <forum@networklessons.com> wrote on Tuesday, 3 January 2023 at 17:36:

Hello Charles

If you connect the printer directly to the network card of the PC, then the printer will never go to sleep. The network card will continue to send traffic to the printer, which will keep its network interface awake. It is impossible to recreate the same conditions you had with the switch in the arrangement without the switch, so you can’t make any definite conclusions.

If the switch didn’t forward the ARP broadcast to the printer, then you would see this problem with all of your hosts connected to this switch. From my understanding, this is not the case. Therefore, the problem is confined to the printer itself. To determine if the ARP broadcast is reaching the printer, I suggest you set up a SPAN to capture the traffic reaching the interface the printer is on. Once you determine if the ARP broadcasts are indeed reaching the printer or not, you can then go on to the next step of troubleshooting.

I suggest you look at this lesson to see how this is done. Let us know of your results so we can help you further in the troubleshooting process.

I hope this has been helpful!

Laz

Referenced lesson: Cisco IOS SPAN and RSPAN (NetworkLessons.com, 27 May 14). This tutorial explains how to configure SPAN and RSPAN on Cisco Catalyst Switches.

Thank Laz. I’ll study the span and look further into the situation.
Thanks a lot.

Charles

Hey Rene
Could you use the OSI model to explain the process of 2 hosts in the same subnet pinging each other through a switch? I'm asking because in order for one computer to send frames to another computer, you have to configure IP addresses. But IP addresses are layer 3 = packets and MAC addresses are layer 2 = frames. So how can it be a frame if IP is involved? What does this look like visually? Is encapsulation taking place?
Thank you

Hello Pancratius

This is an excellent exercise to understand how the various layers of the OSI model interact (especially the lower layers), and how communication within a subnet differs from communication with other subnets.

I have created a NetworkLessons note that describes this process for communication between two hosts in the same subnet, and communication between two hosts in different subnets. Take a look and if you have any further questions, let us know!

I hope this has been helpful!

Laz

Thanks Laz. I just read through it. So it is safe to say that an Ethernet frame must contain the layer 2, layer 3, and layer 4 information. When you say frame, you aren't always necessarily referring to the layer 2 information, but the information from the other layers is encapsulated in that frame. Am I saying this correctly?

Hello Pancratius

For all communications between network hosts, it is necessary to go down the protocol stack (whether OSI or TCP/IP) which means you need to have the source and destination MACs, the source and destination IPs and the source and destination TCP/UDP ports in all headers of the respective PDUs (Protocol Data Units).

Now a note on terminology, the generic name for the entity at each layer of the stack is called a Protocol Data Unit or PDU. However, the specific names for each layer are:

  • Datalink layer: Ethernet frame
  • Network layer: IP packet
  • Transport layer: TCP segment or UDP datagram depending upon the protocol used.

When I refer to a frame, I am specifically referring to the entity on the Datalink layer, that is the Ethernet frame. In the notes I created, I used the names as described above. So when I refer to a frame, I’m only referring to the Ethernet frame. Does that make sense?

I hope this has been helpful!

Laz
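As an added example (not code from the thread or from the NetworkLessons note): the frame H1 actually puts on the wire when it pings H2 in the same subnet, built layer by layer and then dissected again. The MAC and IP values are constructed sample data. Ping uses ICMP, which rides directly on IP without a transport-layer port, so the layers here are Ethernet, IPv4 and ICMP; `switch_view` shows that a layer-2 switch only needs the first 14 bytes (the Ethernet header) to learn and forward, and `parse_frame` shows the host peeling each encapsulated layer and checking its checksum.

```python
# Added example: encapsulation of a ping (ICMP echo) from H1 to H2 on the same subnet.
# Constructed sample values, not from the thread.
import struct

H1_MAC, H2_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"   # sample MACs
H1_IP, H2_IP = "192.168.0.11", "192.168.0.12"                 # sample IPs, same /24


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Layer 3.5: ICMP echo request (type 8, code 0); checksum covers header + payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Layer 3: 20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # checksum at offset 10
    return hdr + payload


def build_ethernet(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Layer 2: 14-byte Ethernet II header; 0x0800 says 'an IPv4 packet follows'."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def ping_frame() -> bytes:
    """What H1 sends after ARP resolved H2's MAC: Ethernet(IPv4(ICMP(payload)))."""
    icmp = build_icmp_echo(ident=1, seq=1, payload=b"abcdefghijklmnop")
    packet = build_ipv4(H1_IP, H2_IP, 1, icmp)          # protocol 1 = ICMP
    return build_ethernet(H2_MAC, H1_MAC, 0x0800, packet)


def switch_view(frame: bytes):
    """All a layer-2 switch looks at: dst MAC (forwarding), src MAC (learning), EtherType."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return fmt_mac(dst), fmt_mac(src), etype


def parse_frame(frame: bytes) -> dict:
    """What the receiving host does: strip one header per layer and validate it."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "ethertype": etype}
    if etype != 0x0800:
        return out
    vihl, _, total, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    out.update({"ip_src": fmt_ip(sip), "ip_dst": fmt_ip(dip), "ip_proto": proto, "ip_ttl": ttl,
                "ip_checksum_ok": checksum(frame[14:14 + ihl]) == 0})
    if proto != 1:
        return out
    icmp = frame[14 + ihl:14 + total]
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    out.update({"icmp_type": itype, "icmp_code": code, "icmp_id": ident, "icmp_seq": seq,
                "icmp_checksum_ok": checksum(icmp) == 0, "payload": icmp[8:]})
    return out


if __name__ == "__main__":
    f = ping_frame()
    print("switch sees:", switch_view(f))
    print("host decodes:", parse_frame(f))
```

Note that the source MAC the switch learns from and the source IP the host answers to are independent fields in different headers: nothing in the switch's learning step checks that they belong together, which is why ARP spoofing and MAC spoofing are separate attacks.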

Hi Rene,

I’ve been struggling to understand the MAC address table in the scenario below:

 Site1                                |                      Site2
 ----------------------------------------------------------------------------------
|FW1| -------  |SW1|-eth1/1 ------------eth1/1- |SW2| ------- |FW2|

The edge switches from Site 1 and Site 2 are connecting via a layer 2 connection with interface eth1/1. The interfaces are configured with trunk port that allows the same VLAN.

Each site has a firewall behind the switch. Interfaces on both firewall and switch are configured with trunk port and allowed all the VLANs.

When I look into the MAC table learned on interface eth1/1 of a switch, SW1 for example, it actually shows the MAC address of FW2 instead of the MAC address of eth1/1 of SW2.

There is no misconfiguration in the VLANs and interfaces, as the traffic is properly running between the firewalls.

Would you be able to explain it? Thanks in advance.

Regards,
Siwen Xing

Hello Siwen

This is actually expected behavior. Remember that a switch will populate the MAC address table by looking at the source address of incoming frames. The frames received on Eth1/1 of SW1 are frames that were generated by FW2, and they have FW2’s MAC address in the source address field. When they pass through SW2, they are considered transient traffic and SW2 simply forwards those frames to SW1.

The only way that SW1 will also populate the MAC address table with the MAC address of SW2 will be if SW2 generates traffic itself (like a ping for example) and sends it via SW1. Does that make sense?

I hope this has been helpful!

Laz
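One small model that reproduces the behaviour described in three of the answers above: the first answer's case of a host ARP cache outliving the switch's 300-second MAC entry (so a known-to-the-host unicast frame gets flooded), the trunk port learning only the far side's MACs, and the two-switch case just above, where SW1 learns FW2's MAC on eth1/1 and never a MAC for SW2, because a switch forwarding transit traffic sources no frames of its own. This is an added example, not code from the thread or from any switch vendor. The 300 s aging value is the Cisco default quoted in the first answer; the 4-hour host ARP timeout, the MACs, IPs and port names are constructed sample values. It also covers the original poster's cases: an unanswered ARP means the sender drops the packet and the switch never sees a data frame, whereas a crafted frame to a MAC that does not exist (sent without ARP) is flooded out every other port.

```python
# Added example (not from the thread): a learning switch with MAC aging, hosts with a
# longer ARP cache, and the flooding that results. All values are constructed samples.
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_AGING = 300        # seconds: Cisco default MAC address table aging time
ARP_TIMEOUT = 14400    # seconds: assumed host ARP cache lifetime (4 h, longer than MAC_AGING)
Frame = namedtuple("Frame", "src dst kind sender_ip target_ip", defaults=("", ""))  # kind: arp-request/arp-reply/data

class Node:
    def __init__(self, name, ports):
        self.name, self.links = name, {p: None for p in ports}   # port -> (peer node, peer port)

    def send(self, port, frame, now):
        if (peer := self.links[port]) is not None:
            peer[0].receive(frame, peer[1], now)                 # delivery is synchronous

def connect(a, a_port, b, b_port):
    a.links[a_port], b.links[b_port] = (b, b_port), (a, a_port)

class Switch(Node):
    def __init__(self, name, ports):
        super().__init__(name, ports)
        self.table, self.log = {}, []   # mac -> [port, last_seen]; (action, kind, dst, ingress port)

    def receive(self, frame, in_port, now):
        for mac in [m for m, (_, t) in self.table.items() if now - t > MAC_AGING]:
            del self.table[mac]                          # age out stale entries
        self.table[frame.src] = [in_port, now]           # learn ONLY from the source address
        if frame.dst == BROADCAST or frame.dst not in self.table:
            out = [p for p in self.links if p != in_port]   # broadcast / unknown unicast: flood
            self.log.append(("flood", frame.kind, frame.dst, in_port))
        else:
            out = [self.table[frame.dst][0]]             # known unicast: single egress port
            self.log.append(("forward", frame.kind, frame.dst, in_port))
        for p in out:
            self.send(p, frame, now)

    def entries(self):
        return {mac: port for mac, (port, _) in self.table.items()}

class Host(Node):
    def __init__(self, name, mac, ip):
        super().__init__(name, ["nic"])
        self.mac, self.ip, self.arp = mac, ip, {}        # arp: ip -> [mac, learned_at]
        self.wire, self.received = [], []                # seen on the port / accepted by the NIC

    def receive(self, frame, _port, now):
        self.wire.append(frame.kind)                     # a sniffer on this port would see it
        if frame.dst not in (self.mac, BROADCAST):
            return                                       # the NIC discards it (the switch did not)
        self.received.append(frame.kind)
        if frame.kind == "arp-request" and frame.target_ip == self.ip:
            self.arp[frame.sender_ip] = [frame.src, now]
            self.send("nic", Frame(self.mac, frame.src, "arp-reply", self.ip, frame.sender_ip), now)
        elif frame.kind == "arp-reply":
            self.arp[frame.sender_ip] = [frame.src, now]

    def send_ip(self, dst_ip, now):
        """The three cases from the question: cached MAC, ARP answered, ARP unanswered."""
        entry = self.arp.get(dst_ip)
        if entry and now - entry[1] > ARP_TIMEOUT:       # stale ARP entry: drop it and re-resolve
            del self.arp[dst_ip]
            entry = None
        if entry is None:
            self.send("nic", Frame(self.mac, BROADCAST, "arp-request", self.ip, dst_ip), now)
            entry = self.arp.get(dst_ip)                 # a reply, if any, has already arrived
        if entry is None:
            return "dropped"                             # the sender drops it; the switch never sees data
        self.send("nic", Frame(self.mac, entry[0], "data", self.ip, dst_ip), now)
        return "sent"

def aging_scenario():
    """H1's ARP entry (4 h) outlives SW1's MAC entry (300 s): the second ping is flooded."""
    sw = Switch("SW1", ["g0/1", "g0/2", "g0/3"])
    h1, h2, h3 = (Host(f"H{i}", f"00:00:00:00:00:0{i}", f"10.0.0.{i}") for i in (1, 2, 3))
    connect(h1, "nic", sw, "g0/1"); connect(h2, "nic", sw, "g0/2"); connect(h3, "nic", sw, "g0/3")
    h1.send_ip("10.0.0.2", now=0)                    # ARP flooded, reply and data forwarded
    first, sw.log = list(sw.log), []
    h1.send_ip("10.0.0.2", now=1000)                 # MAC entries aged out, ARP cache still valid
    second, sw.log = list(sw.log), []
    h3_wire, h3_accepted = list(h3.wire), list(h3.received)
    missing = h1.send_ip("10.0.0.99", now=1000)      # nobody answers the ARP: sender drops
    h1.send("nic", Frame(h1.mac, "de:ad:be:ef:00:99", "data"), now=1000)  # crafted, no ARP
    crafted = sw.log[-1]
    return first, second, h3_wire, h3_accepted, missing, crafted

def trunk_scenario():
    """SW1 learns H3/H4 on its trunk port and never learns a MAC for SW2 (switches source no frames)."""
    sw1, sw2 = Switch("SW1", ["g0/1", "g0/2", "g0/3"]), Switch("SW2", ["g0/1", "g0/2", "g0/3"])
    hosts = [Host(f"H{i}", f"00:00:00:00:00:0{i}", f"10.0.0.{i}") for i in (1, 2, 3, 4)]
    connect(hosts[0], "nic", sw1, "g0/1"); connect(hosts[1], "nic", sw1, "g0/2")
    connect(hosts[2], "nic", sw2, "g0/1"); connect(hosts[3], "nic", sw2, "g0/2")
    connect(sw1, "g0/3", sw2, "g0/3")                # the trunk
    for h in hosts:
        for other in (o for o in hosts if o is not h):
            h.send_ip(other.ip, now=0)
    return sw1.entries(), sw2.entries()

if __name__ == "__main__":
    print(aging_scenario())
    print(trunk_scenario())
```

The `wire` versus `received` lists on H3 make the security point of the flooding discussion concrete: after the switch's entry for H2 has aged out, the unicast data frame from H1 to H2 arrives at H3's port even though H3's NIC drops it, so a host in promiscuous mode on any port sees it. That is the exposure that `switchport block unicast` (or keeping MAC aging and host ARP timeouts consistent) is meant to remove. In `trunk_scenario`, the returned tables contain only host MACs on both sides of the trunk; SW2 never appears in SW1's table because, like the SW2 in the firewall question above, it only forwards transit frames.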

Hello Rene/Laz,
What is the difference between broadcast traffic and unknown unicast traffic?

Thanks a lot.