What does a switch do if a frame arrives and the destination MAC address is not in its MAC address table?

The MAC address table is where the switch stores information about the other Ethernet interfaces to which it is connected on a network. The table enables the switch to send outgoing data (Ethernet frames) on the specific port required to reach its destination, instead of broadcasting the data on all ports (flooding).

The MAC address table can contain two types of entries:

  • Static: Static entries are manually added to the table by a switch administrator. Static entries have higher priority than dynamic entries. Static entries remain active until they are removed by the switch administrator.
  • Dynamic: Dynamic entries are automatically added to the table through a process called MAC learning, in which the switch retrieves the source MAC address (and VLAN ID, if present) of each Ethernet frame received on a port. If the retrieved address does not exist in the table, it is added. Dynamic entries remain in the table for a predetermined amount of time (defined with the command mac-address-table age-time), after which they are automatically deleted.

Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames, which can invite security hazards. When Host A is connected to port A, a MAC address entry will be learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames with MAC A as the source MAC address to port B, the device performs the following operations:

  1. Learns a new MAC address entry with port B as the outgoing interface and overwrites the old entry for MAC A.
  2. Forwards frames destined for MAC A out of port B to the illegal user.

As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually configure a static entry to bind Host A to port A. Then, the frames destined for Host A are always sent out of port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined for Host A.

For example, in the following topology, switch A learns the MAC addresses reachable through its ports to switches B, C, and D. This way, traffic between any two switches is not broadcast to the other switches. For example, if server 1 sends traffic to server 3, it is not broadcast onto the link to switch C, only onto the link to switch D.

I have seen this a few times, where manufacturers are lazy and store MAC addresses in CMOS or similar, and fall back to a common default. It would also be easy to arrange if using locally assigned addresses (e.g. when provisioning VMs).

  1. I've not tested what individual OSs do. If your only problem is ARP, then static ARP entries might work for you.

    1. Some old DEC systems used to send loopback packets to their own address, as a duplicate address check. I believe some Cisco switches do the same for loop detection. Either way, it's a special case of destination MAC filtering. If the address wasn't in the cache, I wouldn't be sure that first packet would be dropped immediately: it might be added to the forwarding tables and forwarded. Otherwise, silently drop.

    2. The MAC address would flap; if you are running a stateless protocol at the higher levels, you may end up with something like a crude unicast load balancer. For something like TCP, you'll get a lot of RSTs as well as packet loss. And as others have said, to an 'enterprise' switch it looks like MAC spoofing and some may log/trap on this event.

Synchronizing MAC address tables across switches doesn't make any sense. Each switch maintains its own MAC address table.

For instance, suppose you have Switch 1 and Switch 2 connected together on their ports 24, and MAC address 0123.4567.89ab comes into Switch 1 port 5. On Switch 1, the MAC address table would reflect that MAC address 0123.4567.89ab is connected to port 5. If any frames from the host with that MAC address find their way to Switch 2, the MAC address table of Switch 2 will have MAC address 0123.4567.89ab coming into port 24. If no frames from MAC address 0123.4567.89ab get sent to Switch 2, then Switch 2 will not have 0123.4567.89ab in its MAC address table.

If you synchronize the MAC address table across those two switches, then how would you propose to resolve the port conflict where 0123.4567.89ab is on port 5 of one switch, but it is on port 24 of the other switch?

The closest thing you could have is with switch stacks, where multiple switches are connected in a stack, and the stack looks like a single switch. You configure the stack, not the individual switches, and things like STP and MAC address tables are done as if the stack was a single switch.

I've become ultra confused all of a sudden.

A switch is a layer 2 device. So this means it deals with frames (builds and examines them). So when it receives a frame, it looks inside to see where the destination MAC address is. But since the MAC address is on some further away network, and not directly connected to the switch, how in the world can it decide which way to send it? The switch doesn't have a routing table so there's no way of determining. So it either sends it down a trunk link or out all the VLANs associated with the source port. Now if it's sending the frame out all the VLAN ports then this certainly does not break up broadcast or collision domains. Switches have no idea of the topology of a network and therefore must be sending frames out every possible hole they can to get rid of it.

But this would end up being a huge problem. If I have a router-on-a-stick topology, with a trunk link, and a frame gets sent out all possible ports and a trunk link, the packet is going to get to the source, then after being routed through the router and coming back it will be sent to the source again. Also, isn't it making a storm if the router routes the packet back to the switch and the switch then sends the same packet down the trunk link, since everything gets sent to the trunk by default?

Or not even with a trunk link. Just linked up to any router. If the MAC address isn't directly connected to the switch it must send the packet out every port it can because it doesn't have any idea what else to do with it. And if it sends it to the router, and the router says, no, it has to go back towards you, wouldn't the packet just go in circles for years with the router saying, "it's in your direction", and the switch saying "I don't know where this is supposed to go, so I'll send it anywhere I can"?

Thanks for any help at all. Really frustrated.


Hi There

This is my understanding.

Topology: See Attached diagram

Host A wishes to communicate with Host B, which is on a different subnet. Say user on Host A typed ftp 192.22.0.2.

The TCP/IP stack on Host A will see that this host is on a different subnet, so Host A will check if a default route is configured. If no default router is configured, the FTP session will show a "host not found" type of message. If a default router is configured, Host A will send out an ARP request, seeking the MAC address on the default router.

The switch, when it receives this ARP broadcast, will note the MAC address which sent the broadcast and the port it arrived on and will enter this information into its CAM table. The switch will then check its CAM table to see if it has an entry for the destination MAC address. If the switch has an entry for the default router it will unicast the ARP request to the router. If the switch does not already have an entry for the router in its CAM table, the switch will broadcast this ARP out all ports in the same VLAN as Host A, except the port the request was received on.

The default router will respond to the ARP request and the switch will create the entry in the CAM table, noting the router's MAC address and the port to which it is attached.

The ARP response from the Router will be unicast back out the port Host A is attached to.

From this point on, traffic from Host A to Host B will leave Host A with the source IP and MAC of Host A, the destination IP address of Host B BUT the destination MAC address of the default router.

The switch will SWITCH the frames between the port the frames were received on (where Host A is connected) to the port where the Router is attached.

The Router will route the packet towards Host B by sending the packet down the trunked link towards the switch. The Packet will now have the source IP address of Host A, the source MAC address of the router's exit interface and the destination IP and MAC address of Host B.

When the switch receives this packet, it will check its CAM table to see if it has an entry for the MAC Address from which the packet came and the port on which it arrived. If it does not it will create the entry.

The switch will then check its CAM table again to see if it has an entry for the destination MAC address. If it does it will SWITCH the frame to the appropriate interface. If no entry exists, it will flood the first packet out of all ports in the VLAN to which the frame belongs, except the port the frame arrived on. Host B will respond to this broadcast and the switch will enter the MAC address of Host B and the port to which it is attached into its CAM table.

From this point on, all traffic destined for Host B will be switched to the port to which Host B is attached.

Traffic from Host B destined for Host A will leave Host B with the Source IP and MAC address of Host B, the Destination IP address of Host A BUT the destination MAC address of Host B's default router.

I hope that helps and does not cause more confusion for you.

Best Regards,

Michael

A switch operating at its most basic level is exactly identical to a bridge.

As switches evolved, other switch-only features developed; things like VLANs and Etherchannel (and their associated protocols for management).

Spanning tree (used for L2 loop prevention) came over untouched from the bridging world (though it did evolve as well to accommodate VLANs, for example).

When a frame arrives at a port, the switch notes the source MAC and adds it to a table of MAC<->Port mappings (which port did I see this MAC?).

If the destination MAC is not in the table, the switch floods the original frame out all ports, except the one the frame was received on.

Note: Flooding is NOT broadcasting. Broadcast frames have all ones in the destination MAC, all hosts would have to process the frame to some degree. A flooded frame has the original destination MAC and only the host with that MAC would respond.

If the (previously unheard) destination host responds, the switch notes its Source MAC and adds it to the MAC <-> Host table for future reference.

Again, at basic level, a switch is exactly the same as a bridge. When you add other features (VLANs, Etherchannel) some accommodation must be made, either to the frame (VLANS) or the other participating switches (Etherchannel).

The following link covers most of the basics for all of the protocols and technologies very well. It's Cisco's Internetworking Guide (electronic version). The printed version is a large, expensive book; the online version is free.

Check it out: //www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm

BTW: The other poster mentioned ARP. ARP is a layer three protocol for discovering and mapping an IP address to a MAC as part of the IP suite. Basic (Layer 2) switches wouldn't know ARP.

Layer Three switches (which are essentially fast routers) would use ARP the same way as a router would.

Routers and Layer three switches would accomplish their Layer Two business exactly the same way a bridge would ... the mechanisms, within their contexts, always behave the same way ... L2 stuff is always L2 stuff, L3 stuff is always L3 stuff.

Check out the Internetworking Guide, it should answer a lot of your questions.

Good Luck,

Scott

Hi all

****** Corrections to my previous post ******

First as Scott rightly points out, in my previous post I used the term "Broadcast" where I should have used the term "Flood".

In my previous post I wrote

"If the switch does not already have an entry for the router in its CAM table, the switch will BROADCAST this ARP out all ports in the same VLAN as Host A, except the port the request was received on. "

When I should have written

"If the switch does not already have an entry for the router in its CAM table, the switch will FLOOD this ARP out all ports in the same VLAN as Host A, except the port the request was received on."

Secondly

In my previous post I used the term "unicast" when I should have used the term "Switched".

In my previous post I wrote

"The ARP response from the Router will be UNICAST back out the port Host A is attached to. "

When I should have written

"The ARP response from the Router will be SWITCHED back out the port Host A is attached to. "

Finally, Scott wrote that I mentioned ARP and as this is a layer 3 protocol for discovering and mapping IP addresses to MAC addresses, a basic layer 2 switch would not know ARP.

I mentioned that Host A would initially send an ARP request for the MAC address of the default router. I don't believe I mentioned that the Switch would send an ARP and even after reading my initial post again I can not see how this is implied. However I apologise if from reading my initial post, I conveyed that a switch would initiate an ARP request, as this, as Scott rightly points out would not be possible on a switch operating at layer 2.

Best Regards,

Michael

ARP -is- a broadcast protocol.

It would be carried in a broadcast frame. The L2 switch -would- broadcast an ARP because the destination would be all ones.

I just skimmed your post (sorry) and didn't realize you were speaking of so much activity external to the switch.

Most of what you corrected was right in your initial post ("ARP response is unicast", etc), because I didn't read the post thoroughly I thought you were putting those functions into the L2 switch.

For the OP ... VLANs operate as if all the different VLANs are logically separate segments. The sending host wouldn't send to a MAC address it doesn't know ... ARP (in the case of IP) would get the MAC if it's local, or if the L3 / IP address was "off net" then ARP is going to get the Default Gateway address and let the routing table of the default router figure out where to send it.

Until the packet (not frame) reaches an L3 device that is directly connected to the destination host's segment, then ARP happens, gets the MAC, encapsulates the frame with that MAC as a destination (the router's egress interface's MAC is the Source MAC), and puts the bits to the wire.

Apologies to both OP and Michael,

I'll make an effort to read a little better ....;-}

Good Luck

Scott

Hmm. Am I safe to say that when a frame arrives at a switch, the destination MAC address is the switch it just arrived at? Or is the destination MAC address the MAC address of the final host it is trying to get to?

If the topology is: Host A -> Switch2 -> Switch2 -> Switch3 -> Host B

and when Host A tries to ping Host B, the packet should arrive at Switch2, Switch2 won't have the "destination MAC address?" in its table and so it floods the frame. My main question is how or why would Switch2 know it's supposed to respond to that frame, since it doesn't have Host B's MAC address in its table it should ignore that packet? Or does it accept all frames and then flood all frames that it doesn't know where they are headed?

Oy, this is more confusing now. I'll read that link to hopefully clear this up. Thanks guys.

Hi There

In your topology example "Host A -> Switch2 -> Switch2 -> Switch3 -> Host B", for Host A to have any chance of communicating with Host B, they would have to be in the same VLAN/Subnet, as you have no layer 3 device to route between different VLAN's/Subnets.

Therefore when Host A wants to send a frame to Host B it would check its own MAC address table to see if it has an entry for Host B. If it does, it will send the packet with the frame towards Host B. The source MAC address will be that of Host A and the destination MAC address will be that of Host B.

If Host A does not have the MAC address of Host B it will send an ARP request out on to the wire to Sw1.

Either way, as this is a single VLAN/Subnet, the way Sw1 and the other switches treat the frame will be exactly the same.

Sw1 will receive the frame and check the source MAC address against its CAM table. If no entry exists, it will add the MAC of Host A plus the port to which Host A is connected to its CAM table. If an entry does exist, it will then examine the destination MAC address to see if it has an entry for it. If it has an entry it will forward (switch) the frame out through the interface through which Host B can be reached (This would be the uplink port to Sw2 in this case). If no entry exists, it will flood the frame out of all ports which are in the same VLAN as Host A, except the port the frame arrived on.

SW2 will receive this frame and it will check its own CAM table. If no entry exists for Host A's MAC address, an entry will be added. If an entry does exist, the switch will then check the destination MAC address.

If it has an entry for Host B, it will forward (switch) the frame out of the port through which Host B can be reached. If no entry exists, it will flood the frame out of all ports which are assigned to the same VLAN as Host A. Sw3 will receive this frame.

It will check its CAM table to see if it has an entry for Host A. If not, it will add one. If it has one, it will check the CAM table for an entry for the MAC address of Host B. If it has one, it will forward (switch) the frame out the port through which Host B can be reached. If no entry is found then Sw2 will flood the frame out of all ports which are assigned to the same VLAN as Host A.

Once Host B responds to the initial frame,

Host A will have the MAC of Host B

Sw1 will know that to get to Host B it sends frames out through the port through which it connects to SW2. To get to Host A it sends the frames out through the port to which Host A is connected.

Sw2 will know that to get to Host A it sends frames out through the port to which it connects to SW1. To get to Host B, it sends frames out through the port through which it connects to SW3.

SW3 will know that to get to Host A, it sends frames out through the port through which it connects to SW2. To get to Host B it sends frames out through the port to which Host B is connected.

At all times in this scenario, when Host A sends traffic to Host B, the frame will have the source MAC of Host A and the destination MAC of Host B. Likewise, when Host B sends data to Host A, the frames will have the source MAC of Host B and the destination MAC of Host A.

What you want to understand is how a switch builds its MAC address (CAM) table.

It checks the source MAC first. If an entry exists, then it checks the destination MAC. If no entry exists, then the switch creates an entry and then checks the destination MAC address. If an entry exists, the frame will be switched to the relevant port. If no entry exists, then the frame is flooded out of all ports (in the same VLAN as the frame of the originating host) except the port the frame arrived on.

Best Regards,

Michael
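To make the learn/switch/flood logic concrete, here is a small Python simulation of a learning switch. It is an added example, not code from the thread or from any vendor: it models the static-versus-dynamic entry behaviour from the introduction (a forged source MAC overwrites a dynamic entry but not a static binding) and the three-switch walk-through above (first frame flooded hop by hop, reply and later frames switched port-to-port). The MAC addresses, switch names and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B, MAC_X = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"  # constructed

@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 1

@dataclass
class Switch:
    name: str
    ports: List[int]
    # MAC address table: (vlan, mac) -> (port, is_static)
    table: Dict[Tuple[int, str], Tuple[int, bool]] = field(default_factory=dict)
    # uplink port -> (neighbour switch, neighbour's port on that link)
    links: Dict[int, Tuple["Switch", int]] = field(default_factory=dict)

    def add_static(self, mac: str, port: int, vlan: int = 1) -> None:
        self.table[(vlan, mac)] = (port, True)

    def learn(self, frame: Frame, in_port: int) -> None:
        entry = self.table.get((frame.vlan, frame.src))
        if entry and entry[1]:
            return  # static entry has priority: a forged source MAC cannot move it
        self.table[(frame.vlan, frame.src)] = (in_port, False)  # (re)learn dynamically

    def receive(self, frame: Frame, in_port: int, trace: List[Tuple[str, List[int]]]) -> None:
        self.learn(frame, in_port)
        entry = self.table.get((frame.vlan, frame.dst))
        if frame.dst == BROADCAST or entry is None:
            out = [p for p in self.ports if p != in_port]  # broadcast or unknown unicast: flood
        else:
            out = [entry[0]] if entry[0] != in_port else []  # known: switch it (or filter)
        trace.append((self.name, out))
        for p in out:  # if the port is an uplink, the neighbouring switch receives the frame
            if p in self.links:
                nbr, nbr_port = self.links[p]
                nbr.receive(frame, nbr_port, trace)

def spoof_demo(static: bool) -> List[int]:
    """Host A on port 1; a host on port 2 sends frames with Host A's MAC as source."""
    sw = Switch("sw", [1, 2, 3])
    if static:
        sw.add_static(MAC_A, 1)  # bind Host A to port 1
    sw.receive(Frame(MAC_A, MAC_X), 1, [])  # legitimate frame from Host A on port 1
    sw.receive(Frame(MAC_A, MAC_X), 2, [])  # frame with forged source MAC A on port 2
    trace: List[Tuple[str, List[int]]] = []
    sw.receive(Frame(MAC_X, MAC_A), 3, trace)  # which port does a frame for Host A leave on?
    return trace[0][1]  # [2] without the static entry, [1] with it

def chain_demo():
    """Host A on sw1 port 1, Host B on sw3 port 1, switches chained sw1-sw2-sw3."""
    sw1, sw2, sw3 = Switch("sw1", [1, 2, 24]), Switch("sw2", [1, 23, 24]), Switch("sw3", [1, 2, 23])
    sw1.links[24], sw2.links[23] = (sw2, 23), (sw1, 24)
    sw2.links[24], sw3.links[23] = (sw3, 23), (sw2, 24)
    first, reply, second = [], [], []
    sw1.receive(Frame(MAC_A, MAC_B), 1, first)   # MAC B unknown everywhere: flooded hop by hop
    sw3.receive(Frame(MAC_B, MAC_A), 1, reply)   # MAC A already learned: switched back
    sw1.receive(Frame(MAC_A, MAC_B), 1, second)  # MAC B now known on every switch: switched
    return first, reply, second
```

Each trace entry is (switch, list of egress ports); a flood appears as every port except the ingress port, a switched frame as a single port. Aging of dynamic entries is left out for brevity.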

Hi Scott

Thanks for getting back. However I believe I did use incorrect (or at least inconsistent) phrasing in my original post, interchanging flooding with broadcasting and switching with unicast.

If I am going to attempt to explain something to somebody, I should at least make sure I have used the correct terminology and also been consistent in its use.

Excellent link by the way.

Best Regards,

Michael


What happens if a destination MAC address is not in the MAC address table?

Find the Destination MAC Address If the destination MAC address is not in the table, the switch forwards the frame out all ports except the incoming port. This is called an unknown unicast.

How does a switch send a frame when it doesn't have MAC of destination?

When a switch receives a frame, it updates its MAC address table with the source MAC address and the port on which it received the frame. If the destination MAC address isn't in its MAC address table (unknown unicast), it floods the frame to all ports, except the port on which the frame was received.

What happens when a switch receives a frame and the destination MAC address isn't in the table?

When a frame enters the switch and the destination MAC address is unknown in the switch's MAC address table, the switch will flood (forward copies of) the frame out all ports, except the port on which the frame was received. On the other end, the unknown device receives the frame and sends a reply.

What happens when a switch needs to forward an Ethernet frame with a destination MAC address that it does not know?

If the destination MAC address is not known by a switch, then the packet will be flooded to all unblocked ports.
