MAC address learning


Thanks for making networking easier to understand on this website.

I have a question about MAC address learning on a switch when a hub is connected to it. Say I have a hub (connected to Fa0/1 of the switch) with two PCs, and the MAC address table on the switch is empty. PC1 is trying to reach PC2; how does the switch learn the MAC addresses in this situation? The switch gets the ARP request from PC1 on Fa0/1 and, since there is no entry, it forwards it on all ports except Fa0/1.

But here PC2 is also on Fa0/1. What happens here? Why would the switch forward the ARP on Fa0/1, as it has come from Fa0/1?

This question was asked in the lesson forum itself, but the reply did not make any sense to me.



Hello, I hope you are doing well. Just to make sure I understand correctly: you have two client PCs connected to a hub, and the hub is then connected to a switch.

First we must understand that a hub is a layer 1 device. If it receives data, it floods that data out of every port.

Next we must understand how ARP works and how a switch learns MAC addresses. Let's say PC 1 is trying to ping PC 2, but PC 1 has an empty ARP cache (assume the same for PC 2 and the switch).

PC 1 will send a broadcast asking all clients what MAC address is associated with X IP address. The data will be forwarded out of all the ports, hitting the switch and the PC. The switch checks the source MAC address and assigns that interface to that MAC address in the CAM table. The switch forwards this data out all of its ports except the port the data came from. PC 2 goes through a similar process. PC 2 sees the ARP request and associates PC 1's MAC with PC 1's IP address in the ARP cache. Then it replies to PC 1 with its MAC address information, and PC 1 assigns similar info in its ARP cache. Since these PCs are on a hub, the ARP reply is also sent to the switch. The switch then puts PC 2's information in the CAM table and floods the data out of all ports except the one it had arrived on. Now the switch has two MAC addresses in its CAM table associated with one interface.

You are correct, the switch will not forward data out of the interface it received it on, but this does not prevent the ARP process from occurring on either PC, because the ARP request and reply happen on the hub (yes, the switch gets copies of the data and floods it, but in this situation it has zero to do with the ARP process).

I hope this helps you understand!
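
The hub-and-switch exchange discussed above, as an added example that is not part of the original posts: a small model of source-MAC learning in which the hub delivers the ARP request and reply directly between the PCs while the switch only receives copies. The MAC addresses, port names and the `Switch`, `hub_repeat` and `simulate` names are constructed for illustration; in this model the unicast reply is filtered by the switch because PC1 was already learned on Fa0/1.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    ports: tuple
    cam: dict = field(default_factory=dict)  # MAC address -> port

    def receive(self, in_port, src, dst):
        """Learn the source MAC, then return the ports the frame leaves on."""
        self.cam[src] = in_port  # learning uses the SOURCE address only
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            # Broadcast or unknown unicast: flood, never back out the ingress port.
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            # Destination sits behind the ingress port (same hub): filter.
            return []
        return [out]

def hub_repeat(attached, sender):
    """Layer 1 hub: repeat the frame to everything attached except the sender."""
    return [d for d in attached if d != sender]

def simulate():
    pc1, pc2 = "00:00:00:00:00:01", "00:00:00:00:00:02"  # constructed MACs
    sw = Switch(ports=("Fa0/1", "Fa0/2", "Fa0/3"))
    hub = ["PC1", "PC2", "switch Fa0/1"]  # hub uplink goes to Fa0/1
    log = []
    # 1. PC1 broadcasts the ARP request; the hub already delivers it to PC2.
    log.append(("arp-request", hub_repeat(hub, "PC1"),
                sw.receive("Fa0/1", pc1, BROADCAST)))
    # 2. PC2 unicasts the ARP reply to PC1; again the hub delivers it directly.
    log.append(("arp-reply", hub_repeat(hub, "PC2"),
                sw.receive("Fa0/1", pc2, pc1)))
    return sw.cam, log

if __name__ == "__main__":
    cam, log = simulate()
    for name, hub_rx, sw_out in log:
        print(f"{name}: hub delivers to {hub_rx}, switch sends out {sw_out}")
    print("CAM table:", cam)
```

Both MAC addresses end up in the CAM table against Fa0/1, which is also why a port-security maximum of 1 on a port with a hub behind it would see a second address.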

Hi Scott,

Thanks a lot for this wonderful explanation… it made sense, and now I know how it's all going through.
I have one other doubt, if you can help me with it…

For auto error recovery in port security, the commands we use are
errdisable recovery cause psecure-violation
errdisable recovery interval 300

But I just wanted to make sure that
switchport port-security aging time 10
has nothing to do with auto recovery. This is just to remove the learned MAC address after 10 min (absolute).
Also, do static and sticky MAC addresses also get removed from the MAC table with the aging command, or just the dynamically learned ones?



My port security skills are pretty weak. If I have time to lab this tonight, I will. Otherwise I'll lab it ASAP and get back to you.


@Sumantonnet I just attempted to do this in GNS3 on my laptop, but I am unable to do this until I get the GNS3 VM installed on my laptop. TBH my laptop probably won't run the VM well, but my desktop will. I will have access to my desktop tomorrow and should be able to lab this up. Sorry it is taking me a second.


I have been playing around with port security on my physical switches, and I am having some issues configuring the max address command but I will get past that.

However, I think I may have found an answer to your question. Based on the port security lesson on this site and a Cisco article, I have found the two commands in question do the same thing.

In this lesson, Rene states:

"It might be easier if the interface could recover itself after a certain time:

Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#interface fa0/1
Switch(config-if)#switchport port-security aging time 10
You can change the aging time from 0 to whatever value you like with the switchport port-security aging time command. After 10 minutes it will automatically recover from err-disable state. Make sure you solve the problem though because otherwise it will just have another violation and end up in err-disable state again. Make sure you don’t forget to enable automatic recovery with the errdisable recovery cause psecure-violation command."

This indicated to me that the switchport port-security aging time 10 command recovers the port from being in the err-disabled state.

I also don't believe that this command removes any MAC addresses from the CAM table. From what I understand, the way port security works is that MAC addresses can be learned dynamically or statically depending on how the interface is configured; then, once the limit of MAC addresses is met or a MAC address that has not been defined is seen on the interface, the configured violation mode occurs. The new MAC address that caused the issue is not even added to the table. So since the "bad MACs" are never added, they never need to be removed.

Also, from what I am reading in the Cisco article below, the command errdisable recovery interval 300 is very similar to the switchport port-security aging time 10 command.

Just to give you a little insight into the problem I am having (in case you can help me!): when I configure the switchport port-security maximum 1 command, I do not receive any errors, but the command does not show in my running config. As a result, no MAC addresses can be learned on that interface. I have tried this on two of my physical switches (2950 and 2960G 8 port).

All other port security commands will be found in the config, for example:

int gi0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
do sh run (switchport port-security maximum 1 is not in running config)
switchport port-security mac-address sticky 
do sh run 

(switchport port-security maximum 1 does not show in running config but switchport port-security mac-address sticky does)

When I run a debug port-security, I get the following message when running the command

switchport port-security maximum 1
"PSECURE: psecure_addrs_fn: Max addresses per port = 8192"
It is almost like it ignores the value of my command, but it doesn't add any maximum command to my running configuration.

@lagapides could you possibly help me understand why my command won't go into my configuration? Also, could you make sure I am not missing anything explaining port security to @Sumantonnet?

Thanks All,

Hi Scott,

Thanks for your time for this explanation. I still have a few doubts about port security. I am going to create a new topic for that… Have you found what was wrong with the running config?


I did not find out what was wrong with my running config yet. I only had time to do some book study yesterday. I hope to be able to do some lab study this week. I look forward to seeing your new topic.

@Sumantonnet I believe I figured out why the switchport port-security maximum 1 command was not being added to my running config. When you enable port-security, "switchport port-security maximum 1" is a default setting. So since the value was the same, it did not need to change the running config. Just a little insight into my studies lol. I hope you are doing well.


Good on you, Scott… yeah, that makes sense… I have got a reply from Lazaros and it somewhat made me more clear about port security… It would be really helpful if I could try the aging commands in Packet Tracer to see what I am having difficulty with… but Packet Tracer does not support the aging commands… but anyhow I will figure something else out…
Take care


Hello Scott

Yes, you have figured it out. Any commands that you enter that are the default behaviour of a switch will not appear in the configuration. For example, you may not see the speed and duplex commands in any of the interfaces by default, but they are there as speed auto and duplex auto.

This is the case for most commands using the IOS.

I hope this has been helpful!

