how switch learn mac address

Answered Question
Apr 5th, 2008
User Badges:
  • Bronze, 100 points or more

hi every body!

I was reading ccna guide by cisco press about mac address learning, this is what i have found:"when host connecting to a switch, send a frame, switch look at the source mac address and port it came into and record them in mac address table"

that means if host does not send any packet, there should not be any entry for the host's mac address in mac address table right?

I connected desktop to cisco 1900 cat switch.When i use the command "show mac-address-table, i find desktop mac address in switch mac address table.

The question is why as desktop is the only host connected to switch , it cant send any frame to any other host as there is none.How did switch learn the mac address?

To me it appears as switch learn mac addresses of directly connected hosts even they dont send any frame.

I would greatly appreciate any help.

thanks and have a nice day!














Correct Answer by Richard Burts about 9 years 3 weeks ago

Sarah


Can you tell us how the switch port is configured to which the PC is connected?


My guess is that the switch port is not configured with port fast. If port fast is not configured then when the switch restarts all of its ports will go through the Spanning Tree stages of listening, learning, forwarding which takes about 45 seconds. During this time the PC interface went down, came back up, and the PC sent the frames. But since the switch port was not in the right state it did not learn the PC MAC address. This does not mean that the PC did not send it, it only means that the switch was not looking for it when the PC sent it.


It makes a significant difference who is up first. If the switch is up and then the PC is booted then the switch will see the initial PC frames. But if the PC is up and then the switch comes up there are issues about whether the switch sees the frames from the PC.


HTH


Rick

Correct Answer by simon.birtles about 9 years 3 weeks ago

Based on a desktop running an IP Stack, the desktop/host sends a gratitous arp for duplicate IP detection during the initilization of the IP Stack, this arp has your hosts nic mac address as the source, therefore your switch learns the source MAC.

Correct Answer by Richard Burts about 9 years 3 weeks ago

Sarah


Thot makes a very good point that Microsoft frequently sends out packets for a variety of services and there is a good possibility that your desktop sent some Microsoft packet.


Another likely possibility is that your desktop sent an ARP response. It is a standard part of most IP stacks that when an interface changes from down to up that it will send an ARP response out the interface (sort of announcing I am here - and also used as a mechanism to detect duplicate IP addresses). So it is likely that you desktop sent an ARP response which would have allowed the switch to learn the MAC of the desktop.


One thing that I can assure you is that if the desktop had not sent ANY frames then the switch would not have learned the MAC of the desktop.


HTH


Rick

Correct Answer by thotsaphon about 9 years 3 weeks ago

Hi sarah,

Sometime a host sends broadcast packets/frames so switch can learn a source mac-address.Many services on host aka microsoft service can send any frames so are you sure that the switch didn't send any packets? When host wants to send a frame to other hosts it needs to use arp-request first so it needs to know what is mac-address of their hosts before sending any frames.


Hopes this helps

Thot

Correct Answer by gstarczewski about 9 years 3 weeks ago

Cisico devices periodically send various frames e.g to discover neighbours. When the frame is a broadcast as ARP request - your host has to answer even that he did not initiated the conversation. The best thing to do is install any sniffer ew. wireshark to see that silent network is not silent at all - there's plenty of traffic in the background.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.9 (6 ratings)
Loading.
Correct Answer
gstarczewski Sat, 04/05/2008 - 08:03
User Badges:

Cisico devices periodically send various frames e.g to discover neighbours. When the frame is a broadcast as ARP request - your host has to answer even that he did not initiated the conversation. The best thing to do is install any sniffer ew. wireshark to see that silent network is not silent at all - there's plenty of traffic in the background.

sarahr202 Sat, 04/05/2008 - 13:53
User Badges:
  • Bronze, 100 points or more

thanks for your reply . I assume you are refering to Cdp. cdp works with only cisco products.Host such as windows xp connected to switch does not understand cdp.

I found it very likely that windows host ping the ip address to make sure it is nor duplicated, which in turn cause the switch to learn the mac address of the host.

i learnt it in one of the replies , i got.

thanks every one for replying me


Correct Answer
thotsaphon Sat, 04/05/2008 - 08:07
User Badges:
  • Gold, 750 points or more

Hi sarah,

Sometime a host sends broadcast packets/frames so switch can learn a source mac-address.Many services on host aka microsoft service can send any frames so are you sure that the switch didn't send any packets? When host wants to send a frame to other hosts it needs to use arp-request first so it needs to know what is mac-address of their hosts before sending any frames.


Hopes this helps

Thot

Correct Answer
Richard Burts Sat, 04/05/2008 - 09:59
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Sarah


Thot makes a very good point that Microsoft frequently sends out packets for a variety of services and there is a good possibility that your desktop sent some Microsoft packet.


Another likely possibility is that your desktop sent an ARP response. It is a standard part of most IP stacks that when an interface changes from down to up that it will send an ARP response out the interface (sort of announcing I am here - and also used as a mechanism to detect duplicate IP addresses). So it is likely that you desktop sent an ARP response which would have allowed the switch to learn the MAC of the desktop.


One thing that I can assure you is that if the desktop had not sent ANY frames then the switch would not have learned the MAC of the desktop.


HTH


Rick

sarahr202 Sun, 04/06/2008 - 16:24
User Badges:
  • Bronze, 100 points or more

hi Rick for your reply.

To day i performed this simple lab. I connected window xp desk top to cisco cat 1900 switch.

After i power up the desktop and switch,i used

show mac-address-table command at the switch. I found desk top mac address there.I restart the switch and use the command(show mac-address-table) again this time i did not find any mac address of desk top.

To me it appears the only time host check if the ip is duplicated is when the host powers up.interfacing going up and down does not cause host to check the ip dupication by pinging which in turn results in switch not learning mac address.

thanks for your help.

Correct Answer
Richard Burts Sun, 04/06/2008 - 16:48
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Sarah


Can you tell us how the switch port is configured to which the PC is connected?


My guess is that the switch port is not configured with port fast. If port fast is not configured then when the switch restarts all of its ports will go through the Spanning Tree stages of listening, learning, forwarding which takes about 45 seconds. During this time the PC interface went down, came back up, and the PC sent the frames. But since the switch port was not in the right state it did not learn the PC MAC address. This does not mean that the PC did not send it, it only means that the switch was not looking for it when the PC sent it.


It makes a significant difference who is up first. If the switch is up and then the PC is booted then the switch will see the initial PC frames. But if the PC is up and then the switch comes up there are issues about whether the switch sees the frames from the PC.


HTH


Rick

sarahr202 Fri, 04/18/2008 - 09:36
User Badges:
  • Bronze, 100 points or more

thanks Rick . I got your point.Thanks for sharing your knowledge with me.

Correct Answer
simon.birtles Sat, 04/05/2008 - 10:15
User Badges:

Based on a desktop running an IP Stack, the desktop/host sends a gratitous arp for duplicate IP detection during the initilization of the IP Stack, this arp has your hosts nic mac address as the source, therefore your switch learns the source MAC.

dancurfman Tue, 04/08/2008 - 08:48
User Badges:

Is the computer set to use DHCP? Perhaps it's requesting an address when you connect it and that's how the switch is learnign the mac address.

Actions

This Discussion