Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9476
Views
9
Helpful
9
Replies

how switch learn mac address

Go to solution
sarahr202
Level 5
Level 5

‎04-05-2008 07:46 AM - edited ‎03-05-2019 10:12 PM

hi every body!

I was reading ccna guide by cisco press about mac address learning, this is what i have found:"when host connecting to a switch, send a frame, switch look at the source mac address and port it came into and record them in mac address table"

that means if host does not send any packet, there should not be any entry for the host's mac address in mac address table right?

I connected desktop to cisco 1900 cat switch.When i use the command "show mac-address-table, i find desktop mac address in switch mac address table.

The question is why as desktop is the only host connected to switch , it cant send any frame to any other host as there is none.How did switch learn the mac address?

To me it appears as switch learn mac addresses of directly connected hosts even they dont send any frame.

I would greatly appreciate any help.

thanks and have a nice day!

Labels:
0 Helpful
5 Accepted Solutions

Accepted Solutions

Go to solution
gstarczewski
Level 1
Level 1

‎04-05-2008 08:03 AM

Cisico devices periodically send various frames e.g to discover neighbours. When the frame is a broadcast as ARP request - your host has to answer even that he did not initiated the conversation. The best thing to do is install any sniffer ew. wireshark to see that silent network is not silent at all - there's plenty of traffic in the background.

View solution in original post

Go to solution
Thotsaphon Lueangwattanaphong
Level 7
Level 7

‎04-05-2008 08:07 AM

Hi sarah,

Sometime a host sends broadcast packets/frames so switch can learn a source mac-address.Many services on host aka microsoft service can send any frames so are you sure that the switch didn't send any packets? When host wants to send a frame to other hosts it needs to use arp-request first so it needs to know what is mac-address of their hosts before sending any frames.

Hopes this helps

Thot

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Thotsaphon Lueangwattanaphong

‎04-05-2008 09:59 AM

Sarah

Thot makes a very good point that Microsoft frequently sends out packets for a variety of services and there is a good possibility that your desktop sent some Microsoft packet.

Another likely possibility is that your desktop sent an ARP response. It is a standard part of most IP stacks that when an interface changes from down to up that it will send an ARP response out the interface (sort of announcing I am here - and also used as a mechanism to detect duplicate IP addresses). So it is likely that you desktop sent an ARP response which would have allowed the switch to learn the MAC of the desktop.

One thing that I can assure you is that if the desktop had not sent ANY frames then the switch would not have learned the MAC of the desktop.

HTH

Rick

HTH

Rick

View solution in original post

Go to solution
simon.birtles
Level 1
Level 1

‎04-05-2008 10:15 AM

Based on a desktop running an IP Stack, the desktop/host sends a gratitous arp for duplicate IP detection during the initilization of the IP Stack, this arp has your hosts nic mac address as the source, therefore your switch learns the source MAC.

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to sarahr202

‎04-06-2008 04:48 PM

Sarah

Can you tell us how the switch port is configured to which the PC is connected?

My guess is that the switch port is not configured with port fast. If port fast is not configured then when the switch restarts all of its ports will go through the Spanning Tree stages of listening, learning, forwarding which takes about 45 seconds. During this time the PC interface went down, came back up, and the PC sent the frames. But since the switch port was not in the right state it did not learn the PC MAC address. This does not mean that the PC did not send it, it only means that the switch was not looking for it when the PC sent it.

It makes a significant difference who is up first. If the switch is up and then the PC is booted then the switch will see the initial PC frames. But if the PC is up and then the switch comes up there are issues about whether the switch sees the frames from the PC.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
9 Replies 9

Go to solution
gstarczewski
Level 1
Level 1

‎04-05-2008 08:03 AM

Cisico devices periodically send various frames e.g to discover neighbours. When the frame is a broadcast as ARP request - your host has to answer even that he did not initiated the conversation. The best thing to do is install any sniffer ew. wireshark to see that silent network is not silent at all - there's plenty of traffic in the background.

Go to solution
sarahr202
Level 5
Level 5
In response to gstarczewski

‎04-05-2008 01:53 PM

thanks for your reply . I assume you are refering to Cdp. cdp works with only cisco products.Host such as windows xp connected to switch does not understand cdp.

I found it very likely that windows host ping the ip address to make sure it is nor duplicated, which in turn cause the switch to learn the mac address of the host.

i learnt it in one of the replies , i got.

thanks every one for replying me

0 Helpful

Go to solution
Thotsaphon Lueangwattanaphong
Level 7
Level 7

‎04-05-2008 08:07 AM

Hi sarah,

Sometime a host sends broadcast packets/frames so switch can learn a source mac-address.Many services on host aka microsoft service can send any frames so are you sure that the switch didn't send any packets? When host wants to send a frame to other hosts it needs to use arp-request first so it needs to know what is mac-address of their hosts before sending any frames.

Hopes this helps

Thot

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Thotsaphon Lueangwattanaphong

‎04-05-2008 09:59 AM

Sarah

Thot makes a very good point that Microsoft frequently sends out packets for a variety of services and there is a good possibility that your desktop sent some Microsoft packet.

Another likely possibility is that your desktop sent an ARP response. It is a standard part of most IP stacks that when an interface changes from down to up that it will send an ARP response out the interface (sort of announcing I am here - and also used as a mechanism to detect duplicate IP addresses). So it is likely that you desktop sent an ARP response which would have allowed the switch to learn the MAC of the desktop.

One thing that I can assure you is that if the desktop had not sent ANY frames then the switch would not have learned the MAC of the desktop.

HTH

Rick

HTH

Rick

Go to solution
sarahr202
Level 5
Level 5
In response to Richard Burts

‎04-06-2008 04:24 PM

hi Rick for your reply.

To day i performed this simple lab. I connected window xp desk top to cisco cat 1900 switch.

After i power up the desktop and switch,i used

show mac-address-table command at the switch. I found desk top mac address there.I restart the switch and use the command(show mac-address-table) again this time i did not find any mac address of desk top.

To me it appears the only time host check if the ip is duplicated is when the host powers up.interfacing going up and down does not cause host to check the ip dupication by pinging which in turn results in switch not learning mac address.

thanks for your help.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to sarahr202

‎04-06-2008 04:48 PM

Sarah

Can you tell us how the switch port is configured to which the PC is connected?

My guess is that the switch port is not configured with port fast. If port fast is not configured then when the switch restarts all of its ports will go through the Spanning Tree stages of listening, learning, forwarding which takes about 45 seconds. During this time the PC interface went down, came back up, and the PC sent the frames. But since the switch port was not in the right state it did not learn the PC MAC address. This does not mean that the PC did not send it, it only means that the switch was not looking for it when the PC sent it.

It makes a significant difference who is up first. If the switch is up and then the PC is booted then the switch will see the initial PC frames. But if the PC is up and then the switch comes up there are issues about whether the switch sees the frames from the PC.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
sarahr202
Level 5
Level 5
In response to Richard Burts

‎04-18-2008 09:36 AM

thanks Rick . I got your point.Thanks for sharing your knowledge with me.

0 Helpful

Go to solution
simon.birtles
Level 1
Level 1

‎04-05-2008 10:15 AM

Based on a desktop running an IP Stack, the desktop/host sends a gratitous arp for duplicate IP detection during the initilization of the IP Stack, this arp has your hosts nic mac address as the source, therefore your switch learns the source MAC.

0 Helpful

Go to solution
dancurfman
Level 1
Level 1

‎04-08-2008 08:48 AM

Is the computer set to use DHCP? Perhaps it's requesting an address when you connect it and that's how the switch is learnign the mac address.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card