Static MAC Address Table Entry

Hello Ananth.

If you notice the configuration, it is the VLAN1 SVI that has been configured with the 192.168.12.2 IP address and NOT interface fa0/1. The only way the switch knows a layer three address is on the SVI and NOT on the physical fa0/1 interface.

I hope this has been helpful.

Laz

Hi,

Just a short question: can static MAC entries age out, or do the aging settings only apply to dynamic entries?

Thanks

Florian

Hi Florian,

Static MAC entries are not aged out or lost.

1 Like

Thanks Maher!

Hi Rene,

Just a very basic question. Let's say I have an L2 switch (port fa0/1) connected to the router's fa0/1. For communication to happen, do I need to configure an IP address on port fa0/1, or is it not needed?

  1. I have a topology like below:

     Ixia ----- fa0/1 switch A fa0/2 ----- fa0/1 switch B fa0/2 ----- Ixia

     In this case, when I send a frame from Ixia, what source IP, MAC address, destination IP and destination address do I need to configure in Ixia? Do I need to configure specific addresses, or can I configure any address?

  2. I have a topology like below:

     Ixia ----- fa0/1 Router A fa0/2 ----- fa0/1 Router B fa0/2 ----- Ixia

     In this case, when I send a packet from Ixia, what source IP, MAC address, destination IP and destination address do I need to configure in Ixia? Do I need to configure specific addresses, or can I configure any address?

Regards,
Ananth

Hello Rene,

I have a question, please, if you can help me.

How can I check whether the ports on a switch are healthy or defective? The switch runs Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE5.

What command will show that? Is it the show tech command? If yes, which part of it, please?

Thank you

@Ananth On a LAN, we use Ethernet and each device has a built in MAC address. You don’t have to configure the MAC address yourself. Let’s say you have two computers connected to a switch. These computers will have a MAC address, it comes with their network cards.

These computers however don’t communicate directly with Ethernet, they use IP instead. You’ll have to configure an IP address on each computer and it has to be in the same subnet. When ComputerA wants to send something to ComputerB, it will create an IP packet with its own IP address as the source and the destination will be the IP address of ComputerB. This IP packet will then be embedded in an Ethernet frame and forwarded. The switch will switch it to ComputerB.

If you use routers in between, it’s a different story. I have an example here:

@Sinan Best to check the interface status for this:

Rene

Hello Rene,

I need your ADVICE please. I have a non-Cisco firewall and I am moving the NAT to a Cisco router.

In the non-Cisco firewall:

```
Source NAT
Traffic selector:       10.10.0.38 → service HTTPS → to Internet IPv4
Source translation:     External [1.1.1.1] (Address)
```

In the Cisco router I will do the following:

```
ip nat inside source tcp 10.10.0.38 443 1.1.1.1 443
```

In the non-Cisco firewall:

```
Destination NAT
Traffic selector:           Any → HTTPS → External [1.1.1.1] (Address)
Destination translation:    10.10.0.38
```

In the router NAT I will do the following:

```
ip nat inside source tcp 10.10.0.38 443 1.1.1.1 443
```

So my question is: it seems that in the firewall we have separate source and destination NAT, but in the router we use only one command which does both directions at the same time?

Can you please help me with this explanation? I mean, can we do only source NAT or only destination NAT on the router? If yes, can you use my example above to show me the results?

Thank you

Hi @senansat,

From your configuration it appears you would like to expose a service running on port 443 to the Internet.

Cisco IOS has an elegant way to do this using a construction called a static NAT. Traffic coming in from the Internet to your public IP will be forwarded to the local server you specify. Traffic from that local server to the Internet will have its source IP address changed as the traffic enters the Internet, so that responses find their way back.

There is a great example here of the type of Static NAT you could use.

You should find you can achieve what you need in a single line starting “ip nat inside source static …”

Kind regards,
Jon

Hello Laz,
I have a question and I would like to use the picture below for this question.

```
SWITCH#show mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
100     aaaa.aaaa.aaaa    STATIC      Gi3/0/35

SWITCH#show inter gigabitEthernet 3/0/35
GigabitEthernet3/0/35 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is bbbb.bbbb.bbbb (bia bbbb.bbbb.bbbb)
```

Let's say I have a computer X connected to port gig 3/0/35 on a switch, and the MAC address of computer X is aaaa.aaaa.aaaa. Running show mac address-table and show inter gigabitEthernet 3/0/35 gives the above output. When computer A is disconnected from the port and a different computer Y (MAC address dddd.dddd.dddd) is connected to the same port, I get the output below.

```
SWITCH#show mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
100     dddd.dddd.dddd    STATIC      Gi3/0/35

SWITCH#show inter gigabitEthernet 3/0/35
GigabitEthernet3/0/35 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is bbbb.bbbb.bbbb (bia bbbb.bbbb.bbbb)
```

I have two questions here.

  1. Why is the MAC address not changing under show inter gig 3/0/35? Why is it still bbbb.bbbb.bbbb all the time? What is this MAC address? Where is it coming from? When I look at other ports, they all show up like below:

     ```
     SWITCH#show inter gigabitEthernet 3/0/36
     GigabitEthernet3/0/35 is up, line protocol is up (connected)
       Hardware is Gigabit Ethernet, address is bbbb.bbbb.bbbc (bia bbbb.bbbb.bbbc)

     SWITCH#show inter gigabitEthernet 3/0/37
     GigabitEthernet3/0/35 is up, line protocol is up (connected)
       Hardware is Gigabit Ethernet, address is bbbb.bbbb.bbbd (bia bbbb.bbbb.bbbd)

     SWITCH#show inter gigabitEthernet 3/0/38
     GigabitEthernet3/0/35 is up, line protocol is up (connected)
       Hardware is Gigabit Ethernet, address is bbbb.bbbb.bbbe (bia bbbb.bbbb.bbbe)
     ```

     I did not share all the actual MAC addresses here. However, all the MAC addresses were the same except for the last digit, like in the picture above.

  2. In the show mac address-table output, this MAC address should show up as a dynamic MAC address as far as my understanding goes. Why is it showing up as a static MAC address?

Thank you so much.

Azm

Hello Azm

The MAC address you see in the output of the show interface command is the MAC address of the switch's physical port. Conversely, the MAC addresses that populate the MAC address table are those of the devices connected to the switch. Cisco switches are designed to have a separate MAC address for each individual port. For example, on a 3650 production switch that I have, the following MAC address shows up in the show version output (I've changed it slightly for security reasons):

```
Base Ethernet MAC Address : 84:b2:61:aa:3d:00
```

This is called the base Ethernet MAC address. This is what is used for the bridge ID when STP functions, as well as the MAC address announced in BPDUs. This switch has 48 Gigabit Ethernet ports and four uplink Gigabit Ethernet ports. Specifically, their MAC addresses are:

```
GigabitEthernet 1/0/1:   84:b2:61:aa:3d:00
GigabitEthernet 1/0/2:   84:b2:61:aa:3d:01
GigabitEthernet 1/0/3:   84:b2:61:aa:3d:02
....                     ....
GigabitEthernet 1/0/48:  84:b2:61:aa:3d:30
```

(Remember that MAC addresses are in hexadecimal; that's why we end at 30 for the last two digits of the MAC address.) The four uplink interfaces' MAC addresses are as follows:

```
GigabitEthernet 1/1/1:  84:b2:61:aa:3d:31
GigabitEthernet 1/1/2:  84:b2:61:aa:3d:32
GigabitEthernet 1/1/3:  84:b2:61:aa:3d:33
GigabitEthernet 1/1/4:  84:b2:61:aa:3d:34
```

Notice how each interface has a MAC address equal to the base MAC address plus the sequential number of the interface. It is also interesting to note that this switch has a management interface labelled GigabitEthernet 0/0 as well, and this interface has the SAME MAC address as the base MAC address.

This is the way that Cisco has decided to manufacture its switches. Other manufacturers choose to keep the same MAC address on all interfaces. This can be made to work for both layer 2 and layer 3 switches; however, in my opinion, a distinct MAC address per interface is a much cleaner implementation.

Yes you are correct that the show mac address-table command should show a DYNAMIC MAC address and not STATIC one. STATIC will show up if you have configured a static entry in the MAC address table OR if you have configured a MAC address on the port using port security. Also check to see if the port security is configured with sticky MAC addresses. I haven’t been able to test to see if sticky MAC addresses show up as a STATIC MAC Address table entry or dynamic, but you can test it out.

I hope this has been helpful for you!

Laz

1 Like
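The behaviour Azm describes (every learned address showing as STATIC, no DYNAMIC entries at all) is the kind of thing worth checking across a whole switch rather than port by port. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses `show mac address-table` text, flags STATIC entries on non-CPU ports that are not in an operator-supplied allow-list of expected static or port-security addresses, and lists the ports that show no DYNAMIC entries. The sample output is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac address-table` output (not from a real switch).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    aaaa.aaaa.aaaa    STATIC      Gi3/0/35
 100    dddd.dddd.dddd    STATIC      Gi3/0/36
 100    0011.2233.4455    DYNAMIC     Gi3/0/37
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 4
"""

# One table row: VLAN, dotted-hex MAC, STATIC/DYNAMIC, port. Header and
# summary lines do not contain a MAC in this form, so they are skipped.
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(STATIC|DYNAMIC)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return a list of dicts (vlan, mac, type, port) for every table row."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": vlan, "mac": mac.lower(), "type": kind.upper(), "port": port})
    return entries

def unexpected_static(entries, expected_static=frozenset()):
    """STATIC entries on edge ports (not CPU) whose MAC is not in the allow-list.
    On a switch with no static MAC or port-security configuration, each hit
    deserves a look (port security, sticky addresses, or a platform bug)."""
    return [e for e in entries
            if e["type"] == "STATIC" and e["port"] != "CPU"
            and e["mac"] not in expected_static]

def ports_without_dynamic(entries):
    """Ports that carry MAC entries but not a single DYNAMIC one."""
    kinds_by_port = defaultdict(set)
    for e in entries:
        if e["port"] != "CPU":
            kinds_by_port[e["port"]].add(e["type"])
    return sorted(p for p, kinds in kinds_by_port.items() if "DYNAMIC" not in kinds)
```

Feed it the saved output of the command for the whole switch; the CPU rows are ignored because those addresses belong to the switch itself, as Laz explains later in the thread.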

Hello Laz,
This is really helpful. No, sticky is not configured. Static MAC addresses are not configured either. However, DHCP snooping is configured on the switch, but I am not quite sure whether DHCP snooping would be the reason for the static status. As a matter of fact, every time I connect a new device to the switch, the MAC address of the device shows up in the MAC address table as STATIC. Thank you so much.

Azm

Hello Azm

Hmm that’s interesting. DHCP snooping should not be the culprit. According to Cisco:

The DHCP snooping binding table can contain both dynamic and static MAC address to IP address bindings.

Do you find the same behaviour on all ports on this switch? If it’s not a production switch, you can try to erase the startup config, get everything to default configuration and check it out again. It would be interesting to see the results.

I hope this has been helpful!

Laz

Hello Laz,
Yes, there is no dynamic MAC address in the entire MAC address table. Unfortunately, this switch is in production and therefore no experiment is allowed on it :grin:.

Thank you so much.

Azm

Hello Azm

That’s too bad. Doing a bit more research, is there any port security configuration on any of the ports where the static addresses are showing up? If so, try to temporarily remove any port security configs and bounce the interface and see what happens. Also, can you share the IOS version you are using? It would be worth checking out the possibility of a bug.

Let us know!

Laz

So the switch used in this lesson (SW1), this layer 2 switch, has its own MAC address, 001d.a18b.36d0? Does this MAC address represent all aspects of the switch (all its interfaces and any VLANs I create)?

Hello Jason

The MAC addresses on a switch will differ depending on the platform you use. Some Cisco switches such as the 3560 series will have a primary MAC address, also known as the “master” MAC address. This is the one used for spanning tree and other mechanisms that require a MAC address. Now if you do a “show interface” for various ports of the switch, you will see that each port has its own unique MAC address and they are all sequential to each other. This is used as the destination MAC for traffic that is destined to that port itself. Examples of such traffic include CDP, or STP BPDUs. Now on such platforms, you have a series of reserved MAC addresses that are used for SVIs. These are dynamically assigned as SVIs are created.

Other platforms such as the 6500 series will have the same MAC address configured on all switch ports as well as the master MAC address and SVI MACs.

I hope this has been helpful!

Laz

what are the few scenarios where we need to use static mac addresses?

Hello Vinay

Static MAC addresses can be implemented for several reasons. The first involves MAC addresses that are assigned for the CPU, which can be seen below:

[image]

These are used for traffic that is destined for the switch itself, as opposed to transit traffic.

Secondly, static MAC addresses can be assigned as multicast addresses. Multicast MAC addresses can be assigned to more than one interface.

Finally, static MAC addresses can be manually assigned in order to apply rudimentary security, allowing specific devices to use only a single port on the switch. Although not as secure as port security, it verifies that specific devices will only be connected to a single port.

I hope this has been helpful!

Laz

Thank you, Laz. It makes sense.

1 Like