Static MAC Address Table Entry

This topic is to discuss the following lesson:

Note: You can also put multicast MACs into CAM assuming IGMP snooping is disabled for that VLAN. Can be used to control where multicast is flooded (useful to control where link-local messages go, since IGMP snooping does not control these) or simply to drop it.

Isn’t configuring port-security another way to fulfill the same security measure?

Port-security lets us set a limit on the number of MAC addresses per interface or you could configure the interface so only 1 certain MAC address is allowed. Both are done on an interface level while this method is done globally on the switch.

Is there a way to view the drops from that mac address?

Hmm I don’t think you can see specific drops for a MAC address.

Hello Rene,

I have connected a router (port gi0/0, MAC address: 00e0.f901.c101) to a switch (port fa0/1) directly.

I configured the switch with a static MAC address (mac address-table static 00e0.f901.c101 vlan 1 int fa0/1) and then I changed the interface on the switch to fa0/2, but we are still learning the statically bound MAC dynamically on the fa0/2 port of the switch.

Thanks in advance.

Jigar P. Shah

Hello Jigar.

I tried to replicate what you describe here on a Cisco 3560 production switch. I have a device with a MAC address and I have statically assigned the MAC address to Gi0/4. I plug the device into interface Gi0/5 but the device has no connectivity. Looking at the MAC address table, I see that the switch has not learned the statically bound MAC address (to interface Gi0/4) on interface Gi0/5. Here is a sample of my output after implementing the static MAC allocation and changing the connection to port Gi0/5 (the Xs and Ys were added by me for confidentiality):

3560_DC#show mac address-table | include 00XX.YYYY.b0bd
 804    00XX.YYYY.b0bd    STATIC      Gi0/4 
3560_DC#show mac address-table | include Gi0/5         

So the mac address is still statically bound to Gi0/4 and there are no new entries for MAC addresses on Gi0/5.

Can you check your configuration again and let us know the results? Please post the relevant portions of your configuration and your output as well so we can examine it.

I hope this has been helpful!



Hello Rene,

Could you please let me know how to get the switch port number, MAC address and IP address in one command?
For example, if I want to know the IP address and the MAC address for port Fa0/10, how do I find that?


Hello Wisam.

I don’t know of a way to do it in one command, but you can do the following:

Step 1: To determine the MAC address of the device connected to Fa0/10, use the following command:

Switch#show mac address-table | include fa0/10

This will give you a list of MAC addresses associated with that port. If you only have one device on this port, only one MAC address will show up.

Step 2: To determine the IP address associated with the MAC address you found, use the following command:

Switch#show arp | include XXXX.YYYY.ZZZZ

where XXXX.YYYY.ZZZZ is the MAC address that you found in the first step. Notice that Cisco formats MAC addresses in this way, so don’t use the AA:BB:CC:DD:EE:FF format.

Now if you have the IP address and you want to find the MAC address and the related interface, then just reorder the steps. Same goes if you just have the interface and you want to find the other two.

I hope this has been helpful!
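The two-step lookup above, joined offline over saved command output. This is an added example, not part of the original reply; the function names and both sample tables are constructed for illustration. It matches the port name exactly, since a text filter such as `include fa0/1` also matches Fa0/10, and it accepts either MAC notation.

```python
import re

# Constructed sample output (not captured from a real device).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    00e0.f901.c101    STATIC      Fa0/1
   1    0011.2233.4455    DYNAMIC     Fa0/10
   1    0011.2233.4466    DYNAMIC     Fa0/10
"""
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   00e0.f901.c101  ARPA   Vlan1
Internet  192.168.1.10            5   0011.2233.4455  ARPA   Vlan1
"""

def to_cisco_mac(mac):
    """Normalize AA:BB:CC:DD:EE:FF, AA-BB-... or dotted input to xxxx.xxxx.xxxx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+(\S+)\s+(\S+)\s*$", re.I)
ARP_ROW = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA", re.I)

def hosts_on_port(port, mac_output, arp_output):
    """Return [(port, mac, entry type, ip or None)] for every MAC on the port."""
    ip_by_mac = {}  # step 2 data: MAC -> IP from "show arp"
    for line in arp_output.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip_by_mac[to_cisco_mac(m.group(2))] = m.group(1)
    rows = []  # step 1 data: MACs from "show mac address-table"
    for line in mac_output.splitlines():
        m = MAC_ROW.match(line)
        # Compare the whole port name so "Fa0/1" does not pull in "Fa0/10".
        if m and m.group(4).lower() == port.lower():
            mac = to_cisco_mac(m.group(2))
            # ip is None when the switch holds no ARP entry for this MAC.
            rows.append((m.group(4), mac, m.group(3), ip_by_mac.get(mac)))
    return rows

if __name__ == "__main__":
    for row in hosts_on_port("Fa0/10", MAC_TABLE, ARP_TABLE):
        print(*row)
```
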


Hi Rene,

This might be a dumb question. How does the switch in this example have an IP configured, as on fa0/1? A switch does not know layer 3 addresses, right? Can you please clarify?

Hello Ananth.

If you notice the configuration, it is the VLAN1 SVI that has been configured with the IP address and NOT interface fa0/1. The only way the switch knows a layer three address is on the SVI and NOT on the physical fa0/1 interface.

I hope this has been helpful.



Just a short question: can static MAC entries age out?
Or do the aging settings just apply to dynamic entries?



Hi florian,

Static MAC entries are not aged out or lost.

Thanks Maher!

Hi Rene,

Just a very basic question. Let's say I have an L2 switch (port fa0/1) connected to the router fa0/1. For communication to happen, do I need to configure an IP address on port fa0/1, or is it not needed?

  1. I have a topology like below

Ixia ----- fa0/1 switch A fa0/2 — fa0/1 switch B fa0/2— Ixia

In this case, when I send a frame from Ixia, what src IP, MAC address, dest IP and dest address do I need to configure in Ixia? Do I need to configure a specific address or can I configure any address?

  2. I have a topology like below

Ixia ----- fa0/1 Router A fa0/2 — fa0/1 Router B fa0/2— Ixia

In this case, when I send a packet from Ixia, what src IP, MAC address, dest IP and dest address do I need to configure in Ixia? Do I need to configure a specific address or can I configure any address?


Hello Rene,

I have a question, please, if you can help me.

How can I check whether the ports are healthy and not defective on a switch running Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5?

What command will show that? Is it the show tech command? If yes, which of them, please?

Thank you

@Ananth On a LAN, we use Ethernet and each device has a built in MAC address. You don’t have to configure the MAC address yourself. Let’s say you have two computers connected to a switch. These computers will have a MAC address, it comes with their network cards.

These computers however don’t communicate directly with Ethernet, they use IP instead. You’ll have to configure an IP address on each computer and it has to be in the same subnet. When ComputerA wants to send something to ComputerB, it will create an IP packet with its own IP address as the source and the destination will be the IP address of ComputerB. This IP packet will then be embedded in an Ethernet frame and forwarded. The switch will switch it to ComputerB.

If you use routers in between, it’s a different story. I have an example here:

@Sinan Best to check the interface status for this:


Hello Rene,

I need your ADVICE, please. I have a non-Cisco firewall and I am changing the NAT to a Cisco router.

In the Firewall NON-CISCO :-

Source NAT	
Traffic selector:	→		service HTTPS	→		to Internet IPv4
Source translation:		External [] (Address)

In the Cisco router I will do the following:

ip nat inside source tcp 443 443

In the Firewall NON-CISCO :-

Destination NAT
Traffic selector:		Any	→		HTTPS	→		External [] (Address)
Destination translation:

In the Router NAT I will do the following:

ip nat inside source tcp 443 443


So my question is: it seems that in the firewall we have source and destination NAT, but in the router we can use only one command, which will do both sides at the same time?

Can you please help with this explanation? I mean, can we do only source or only destination NAT in the router? If yes, can you use my example above to show me the results?

Thank you

Hi @senansat,

From your configuration it appears you would like to expose a service running on port 443 to the Internet.

Cisco IOS has an elegant way to do this using a construction called a static NAT. Traffic coming in from the Internet to your public IP will be forwarded to the local server you specify. Traffic from that local server to the Internet will have its source IP address changed as the traffic enters the Internet, so that responses find their way back.

There is a great example here of the type of Static NAT you could use.

You should find you can achieve what you need in a single line starting “ip nat inside source static …”

Kind regards,