08-29-2010 05:28 AM - edited 03-06-2019 12:42 PM
I was reading 2950 switch and 2960 switch Software Configuration Guides in order to understand static addresses in the mac address table.
The text is often not very clear. This is an example from 2960 switch Software Configuration Guide:
"You can add and remove static addresses and define the forwarding behavior for them.
The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission.
Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify.
You can specify a different list of destination ports for each source port."
In some cases I have found errors. This is an example from 2960 switch Software Configuration Guide:
"All addresses are associated with a VLAN.
An address can exist in more than one VLAN and have different destinations in each.
Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5."
And here the same concept from 2950 switch Software Configuration Guide:
"All addresses are associated with a VLAN.
An address can exist in more than one VLAN and have different destinations in each.
Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5."
I do not want to discuss the details but I want to talk about the following concept.
I had understood that in a dynamic entry like the following:
VLAN MAC INTERFACE
10 1111.1111.1111 Fa0/1
VLAN 10 on the left was the VLAN of interface Fa0/1 on the right, as this is an entry dynamically learned by the switch.
Now I have understood that with static addresses this information must be interpreted differently:
every frame received on an interface belonging to VLAN 10 with destination address 1111.1111.1111 must be forwarded out
interface fa0/1. This interpretation is also good for dynamic entries, and this is quite ok.
But with this interpretation, I could set static entries and forward frames between interfaces in different VLANs.
I do not know if this is possible only with multicast or also with unicast frames, but I am quite surprised because all
texts I have read say that VLANs in a switch are separated. Maybe they refer to dynamic entries only, which are built
by the switch during its normal work without human setting.
I cannot try some scenarios because my simulator does not have the right complete commands.
What do you think about this argument?
Thanks.
08-29-2010 07:53 AM
Hello,
What the documentation says is correct. When you add static MAC entries into the switch and assign them to a VLAN, the switch builds its forwarding table based on that information. When it gets a packet in VLAN 1 for that destination MAC, it will look up the VLAN 1 portion of the table and then send the packet to the VLAN 1 port where the MAC address has been registered (or statically configured). The same phenomenon repeats for VLAN 5 as well. That is the reason it is stressed that the MAC address should be "UNICAST". In multicast, when you register the same MAC address on multiple ports across different VLANs, the switch will forward every packet destined to that MAC address to all registered ports irrespective of the source/destination VLANs. Unicast traffic cannot jump beyond the VLANs without going through the routing process.
Hope this helps.
Regards
NT
08-29-2010 10:10 AM
Thanks for the answer.
"Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5."
I have not understood whether it is the same MAC address that is forwarded at the same time.
In this case, could you write an example of static entries that makes this possible?
08-29-2010 12:57 PM
I have added an image with a simple scenario: a switch and two computers.
Suppose I add the following two static entries in the mac address table of the switch:
Vlan Mac address Type Port
10 2222.2222.2222 static Fa0/2
20 1111.1111.1111 static Fa0/1
Are you sure that, even if the two computers belong to different VLANs, they cannot communicate?
I am interested in the switch forwarding logic.
I am not considering IP addresses and ARP tables, but it should not be a problem.
Thanks.
08-29-2010 01:36 PM
Hello Matteo,
>> Are you sure that, even if the two computers belong to different VLANs, they cannot communicate?
Yes, because the CAM table uses the VLAN value of the receiving port as a way to restrict the search of possible destination ports.
Each L2 VLAN is a separate broadcast domain.
If a frame with a broadcast, multicast or unknown unicast destination is received on port 1 in VLAN 10, the frame is sent out all ports in VLAN 10 except the port on which the frame has been received. So the frame cannot reach a device in VLAN 20.
This has been the key differentiator between LAN switches and their predecessors, bridges, which had all ports in the same VLAN.
Hope to help
Giuseppe
08-29-2010 12:47 PM
Hello Nagaraja,
>> In multicast, when you register same MAC address on multiple ports across different vlans, the switch will forward every packet destined to that MAC address to all registered ports irrespective of the source/destination vlans
Each kind of frame, including multicast frames, is confined to the broadcast domain of the port that has received the frame.
The same MAC address can be seen in different VLANs; this typically happens when connecting devices on an L2 trunk port, for example router interfaces with different VLAN-based subinterfaces use the same MAC address on all VLANs/subinterfaces.
If the receiving port is an L2 trunk, the frame is tagged with a VLAN-id and again the switch will look for the destination in that VLAN's portion of the CAM table.
There is no jumping to a different VLAN in a single switch, even for multicast traffic.
There are some forms of L2 attacks that could be able to move traffic over a different VLAN by sending tagged traffic to an access port.
Modern implementations on access ports should accept untagged frames or frames with vlan-id = the VLAN associated to the access port. Frames with a different vlan-id set are discarded.
Hope to help
Giuseppe
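The lookup described in the two answers above (the VLAN of the receiving port, or the tag on a trunk, selects which portion of the CAM table is searched, and broadcast, multicast and unknown unicast are flooded only within that VLAN) as a small Python model. This is an added illustration, not IOS code or anything from the thread; the switch class, the trunk port Gi0/1, the router MAC and the rule that a static entry must name a port belonging to its VLAN are all assumptions of the model (the thread itself leaves open what the switch does with such an entry).

```python
BROADCAST = "ffff.ffff.ffff"

class Switch:
    def __init__(self, access, trunks):
        self.access = access   # port -> access VLAN
        self.trunks = trunks   # port -> set of VLANs carried on the trunk
        self.cam = {}          # (vlan, mac) -> port: the VLAN is part of the key

    def ports_in_vlan(self, vlan):
        return ({p for p, v in self.access.items() if v == vlan}
                | {p for p, vs in self.trunks.items() if vlan in vs})

    def add_static(self, vlan, mac, port):
        # Model assumption: the port of a static entry must belong to that VLAN,
        # otherwise a lookup in that VLAN's part of the CAM could never select it
        if port not in self.ports_in_vlan(vlan):
            raise ValueError(f"{port} is not a member of VLAN {vlan}")
        self.cam[(vlan, mac)] = port

    def forward(self, in_port, dst, tag=None):
        """Ports the frame leaves on; an empty set means it was dropped."""
        if in_port in self.access:
            vlan = self.access[in_port]
            if tag is not None and tag != vlan:  # tagged frame on an access port
                return set()
        else:
            vlan = tag                            # trunk: VLAN comes from the tag
            if vlan not in self.trunks.get(in_port, set()):
                return set()
        multicast = int(dst[:2], 16) & 1 == 1     # I/G bit of the first octet
        # broadcast, multicast and unknown unicast are flooded within the VLAN only
        if dst == BROADCAST or multicast or (vlan, dst) not in self.cam:
            return self.ports_in_vlan(vlan) - {in_port}
        out = self.cam[(vlan, dst)]
        return set() if out == in_port else {out}

def demo():
    # Constructed: Fa0/1 in VLAN 10 and Fa0/2 in VLAN 20 as in the thread, plus
    # a hypothetical trunk Gi0/1 to a router whose subinterfaces share one MAC
    sw = Switch(access={"Fa0/1": 10, "Fa0/2": 20}, trunks={"Gi0/1": {10, 20}})
    router = "0000.0c00.0001"   # constructed MAC, present in both VLANs
    sw.add_static(10, router, "Gi0/1")
    sw.add_static(20, router, "Gi0/1")
    return {
        "router_from_vlan10": sw.forward("Fa0/1", router),
        "router_from_vlan20": sw.forward("Fa0/2", router),
        "unknown_from_vlan10": sw.forward("Fa0/1", "2222.2222.2222"),
        "tagged20_on_access": sw.forward("Fa0/1", router, tag=20),
        "unknown_from_trunk_tag20": sw.forward("Gi0/1", "2222.2222.2222", tag=20),
    }
```

The unknown unicast from Fa0/1 is flooded only to the other VLAN 10 member (the trunk), never to Fa0/2, and the two static entries of the question (VLAN 10 pointing at Fa0/2, VLAN 20 pointing at Fa0/1) are rejected by the model's membership check.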
08-29-2010 02:12 PM
Hello Giuseppe.
I know what you say, and all was ok with dynamic entries.
Some doubts arose when I began to consider static entries.
For example:
vlan mac address port
10 AAAA.AAAA.AAAA fa0/4
I interpret this entry in this way:
when a frame is received at an interface belonging to vlan 10, forward that frame
out port fa0/4 if it has destination mac address AAAA.AAAA.AAAA.
If port fa0/4 does not belong to vlan 10, what happens?
When I enter that static entry, I do not know if the switch checks whether port fa0/4 is in
vlan 10. Or does the switch check this before forwarding the frame? With dynamic entries
there were no problems; the vlan field was always equal to the vlan of the port in each entry.
Now, with static entries, I am not so sure.
Thanks.