Regarding MAC entries

chandra_rc16
Level 4

Will all the MAC entries for a port get cleared once it goes down?

Example:

Assume that port Fa0/1 has 5 MAC addresses that can be reached through it. So when there is a physical link failure on Fa0/1, or I have given a shutdown command on Fa0/1, will the entries get flushed from the Fa0/1 port?

Don't mind if it looks like a silly question!!!

Thanks in advance.

Regards,

Chandu


13 Replies

Peter Paluch
Cisco Employee

Hi Chandu,

As soon as a switchport goes down, all MAC addresses learned on that port are flushed. Otherwise, the switch would be trying to forward the frames out an inoperable port, causing them to get lost.

Best regards,

Peter

Sandeep Choudhary
VIP Alumni

@Peter:

I am not sure, but if you statically assign the MAC address to the port, then I think it will not be flushed even after the shut.

Dynamically learned MAC: Cisco switches automatically purge a MAC address from their tables if that MAC address isn't contacted within a certain period of time.

Regards

Sandeep,

You are absolutely correct; static MAC entries do not expire and do not get flushed even if the port is down. I did not want to confuse things, however; static MAC address entries are rarely used.

Best regards,

Peter

chandra_rc16
Level 4

Thanks both for the info.

Can you please let me know the cases where static MACs are used?

Regards,

Chandu


Hi Chandrakanth,

config mode:

conf t
interface xxx
 ! port-security is only accepted on an access (or trunk) port, not on the
 ! default "dynamic" switchport mode, so set the mode first
 switchport mode access
 ! enable the feature itself; the maximum / mac-address lines below are
 ! not enforced until this command is present
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 4083.de08.7bb1
 switchport port-security mac-address 4083.de09.0de2
 switchport port-security mac-address 4083.de08.7bb3
 switchport port-security mac-address 4083.de09.0de4
 switchport port-security mac-address 4083.de09.0de5
end

This is the way to assign the MAC addresses to a port.

Regards

Hi Sandeep,

Thanks for the steps, but I didn't understand when to assign them and why.

I just know that static entries are used for port-security purposes, for prohibiting unauthorized access. But is that the only reason, or do we have any more reasons to use static MACs?

Regards, Chandu

Hi Chandrakanth,

A static MAC address is one that has been manually input (typed via a command) into the CAM or MAC address table.

A dynamic MAC address is one that has been learned via an ARP request.

The type of secure MAC address that is configured depends on the intended end result. Static secure MAC addresses are typically used when the MAC addresses used are known and do not change often. For example, if a single host is always connected to the same switchport.

Dynamic secure MAC addresses are typically used when the host(s) connecting to a specific switchport is constantly changing, and the intention is to limit the port to only be used by a specific number of hosts at once. For example, a switchport can be configured to only allow a single MAC address to be learned at a time and not permit hosts other than the one initially learned; the only way to change the host that connects to the switchport is to disable switchport security and reenable it, to delete the learned MAC address from the table directly, or to wait for the port-security aging time to expire if configured.

Sticky secure MAC addresses are a bit of a combination between the two prior secure MAC address types; not only are addresses able to be statically-configured but they can also be dynamically learned. The key difference here is that dynamically-learned addresses are automatically put into the running-configuration; if the engineer wants these addresses to be saved on device reboot, the option is available to save the running-configuration into the startup configuration, thus effectively making these addresses static.

Regards

Hope it helps.
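To make the three flavours of secure MAC address concrete, here is a small model of one port-security-enabled port. This is an added example for the thread, not Cisco's implementation: the port state, the "running config" lines it prints, the sample MAC addresses and the assumption that dynamic secure addresses are dropped when the port goes down are all constructed for illustration. It shows a dynamic port with maximum 1 being err-disabled by a second host, sticky addresses surviving a link flap but not a reload until the config is saved, and a static secure address with the restrict action.

```python
from typing import Dict, List, Set


class PortSecurity:
    """One access port with port-security enabled (model, not Cisco code)."""

    def __init__(self, maximum: int = 1, sticky: bool = False,
                 violation: str = "shutdown"):
        self.maximum = maximum
        self.sticky = sticky
        self.violation = violation              # only 'shutdown'/'restrict' modeled
        self.configured: Set[str] = set()       # static secure MACs (in the config)
        self.sticky_learned: Set[str] = set()   # sticky secure MACs (in the config)
        self.dynamic: Set[str] = set()          # dynamic secure MACs (not in config)
        self.startup: Set[str] = set()          # sticky MACs saved by `write memory`
        self.err_disabled = False
        self.violations = 0

    def _count(self) -> int:
        return len(self.configured) + len(self.sticky_learned) + len(self.dynamic)

    def configure_static(self, mac: str) -> None:
        """`switchport port-security mac-address H.H.H`"""
        mac = mac.lower()
        if mac not in self.configured and self._count() >= self.maximum:
            raise ValueError("secure address count would exceed maximum")
        self.configured.add(mac)

    def frame_from(self, mac: str) -> str:
        """Ingress frame with source `mac`: 'forwarded', 'violation' or 'dropped'."""
        mac = mac.lower()
        if self.err_disabled:
            return "dropped"
        if mac in self.configured or mac in self.sticky_learned or mac in self.dynamic:
            return "forwarded"
        if self._count() >= self.maximum:
            self.violations += 1
            if self.violation == "shutdown":
                self.err_disabled = True        # port goes err-disabled
            return "violation"
        # Room left: learn it as sticky (into config) or plain dynamic.
        (self.sticky_learned if self.sticky else self.dynamic).add(mac)
        return "forwarded"

    def link_down(self) -> None:
        # Assumption of the model: dynamic secure addresses do not survive the
        # port going down; configured and sticky ones do, they live in the config.
        self.dynamic.clear()

    def write_memory(self) -> None:
        self.startup = set(self.sticky_learned)

    def reload(self) -> None:
        self.dynamic.clear()
        self.sticky_learned = set(self.startup)  # only what was saved comes back
        self.err_disabled = False

    def running_config(self) -> List[str]:
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        lines += [f"switchport port-security mac-address {m}"
                  for m in sorted(self.configured)]
        lines += [f"switchport port-security mac-address sticky {m}"
                  for m in sorted(self.sticky_learned)]
        return lines


def demo() -> Dict[str, object]:
    # Constructed sample MAC addresses.
    a, b, c = "0000.aaaa.0001", "0000.bbbb.0002", "0000.cccc.0003"
    out: Dict[str, object] = {}

    # 1. Dynamic secure, maximum 1: the first host wins, the second trips the port.
    dyn = PortSecurity(maximum=1)
    out["dyn_first"] = dyn.frame_from(a)
    out["dyn_second"] = dyn.frame_from(b)
    out["dyn_err_disabled"] = dyn.err_disabled
    out["dyn_legit_after"] = dyn.frame_from(a)   # even the first host is cut off now

    # 2. Sticky, maximum 2: learned MACs land in the running config.
    stk = PortSecurity(maximum=2, sticky=True)
    stk.frame_from(a)
    stk.frame_from(b)
    out["sticky_cfg"] = stk.running_config()
    stk.link_down()
    out["sticky_after_down"] = len(stk.sticky_learned)
    stk.reload()                                 # nobody saved the config
    out["sticky_after_reload"] = len(stk.sticky_learned)
    stk.frame_from(a)
    stk.write_memory()
    stk.reload()
    out["sticky_after_saved_reload"] = sorted(stk.sticky_learned)

    # 3. Static secure with 'restrict': violation counted, port stays up.
    st = PortSecurity(maximum=1, violation="restrict")
    st.configure_static(c)
    out["static_intruder"] = st.frame_from(a)
    out["static_legit"] = st.frame_from(c)
    out["static_violations"] = st.violations
    out["static_err_disabled"] = st.err_disabled
    return out
```

The model makes the operational difference visible: with plain dynamic learning the legitimate host is locked out together with the intruder once the port is err-disabled, while sticky addresses are only as durable as the last `write memory`.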

Hi Sandeep,

"A dynamic MAC address is one that has been learned via an ARP request."

Uh-oh, I am afraid you are making the common mistake of confusing the ARP table with the MAC address table. Switches by definition use MAC tables, mapping connected stations to ports. ARP tables map MAC addresses to IP addresses, and they are not used in pure Layer 2 switching. A dynamic MAC address is one that has been learned simply by looking at the source MAC address of an incoming frame.

Also, we have to be careful about static MAC addresses and static secure MAC addresses. Static MAC addresses are those configured by mac address-table static command and similar to static routes in routers. There is no security connotation to them. Static secure MAC addresses are a particular feature of the Port Security, and while related to static MAC addresses (they use them internally), they are a somewhat different concept.

Best regards,

Peter


Hi Peter,

Thanks for such a nice explanation.

You are right, but as per my knowledge I wrote this because:

"A dynamic MAC address is one that has been learned via an ARP request."

They could also be learned via ARP replies and also by other types of traffic...

For example, if a switch learns the MAC address from another device, then it has dynamically sourced the MAC address.

Say Computer A is connected to Switch-1, and Switch-1 is connected to Switch-2.
Now, if you issue the command "#sh mac-address-table" on Switch-2, it will have learned the Computer A MAC address dynamically from Switch-1.

Regards

Sandeep

Hi Sandeep,

"Say Computer A is connected to Switch-1, and Switch-1 is connected to Switch-2.

Now, if you issue the command "#sh mac-address-table" on Switch-2, it will have learned the Computer A MAC address dynamically from Switch-1."

Well, Switch-2 will learn the MAC address of Computer A only if a frame from Computer A ever arrives at Switch-2. Switch-2 alone has absolutely no way of asking either Computer A or Switch-1 about the MAC addresses. Mentioning ARP in the context of Layer 2 switching is especially dangerous because it appears to be closely related, while in reality Layer 2 switching is absolutely independent of ARP and does not use it at all. After all, IPv6 does not use ARP either, and yet Layer 2 switches do not care.

Best regards,

Peter

Hi Peter ,
I got your point :)

You are Right :)
+5 from my side.

Regards


Chandu,

The need for static MAC addresses is rather small.

In some cases, you have a station that seldom, if ever, sends frames. In that case, it is almost certain that the switches will not learn its MAC address, and will flood the frames for that station throughout the network. If you want to prevent this, you can set up the MAC addresses statically.

In other cases, configuring a static MAC prevents it from ever being learned on a different interface. It is a way of saying "the station is either connected to this port or it is not going to receive frames at all", forcing the station to be connected to a predefined port.

Static MAC addresses can also be used as a crude form of traffic filtering - the mac address-table static command has a drop action for a MAC address, causing the traffic for it to be immediately dropped.

When using port-security, static secure MAC addresses are also static in the usual sense, so port-security depends on the concept of static addresses.

But to be honest, I never needed to configure a static MAC address entry myself so far.

Best regards,

Peter
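The behaviours discussed across this thread (learning purely from the source MAC of arriving frames, flooding unknown destinations, aging, flushing a port's dynamic entries when it goes down while static entries stay, a static entry pinning a MAC to one port, and the static "drop" action) can be shown together in one small model of a learning switch. This is an added example, not Cisco's code: the port names, the 300 s aging value, the frame representation and the choice that a static entry pointing at a down port silently loses the frame rather than flooding it are all assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

AGING_SECONDS = 300  # IOS default MAC aging time; assumed here for the model


@dataclass
class Entry:
    port: Optional[str]   # None means a static "drop" entry
    static: bool
    last_seen: float      # refreshed by every frame from the MAC (dynamic only)


class Switch:
    """A learning switch with a single VLAN (model for the thread, not Cisco code)."""

    def __init__(self, ports: List[str], aging: float = AGING_SECONDS):
        self.ports = list(ports)
        self.up = {p: True for p in ports}
        self.table: Dict[str, Entry] = {}
        self.aging = aging

    # ---- configuration -------------------------------------------------
    def add_static(self, mac: str, port: Optional[str] = None, drop: bool = False):
        """Counterpart of `mac address-table static H.H.H vlan N interface X`
        or `... vlan N drop`: never aged, never flushed, never re-learned."""
        self.table[mac.lower()] = Entry(None if drop else port, True, 0.0)

    def set_link(self, port: str, is_up: bool):
        self.up[port] = is_up
        if not is_up:
            # Port down: flush only the dynamic entries learned on it.
            for mac in [m for m, e in self.table.items()
                        if e.port == port and not e.static]:
                del self.table[mac]

    # ---- data plane ----------------------------------------------------
    def age(self, now: float):
        """Purge dynamic entries whose station has been silent too long."""
        for mac in [m for m, e in self.table.items()
                    if not e.static and now - e.last_seen > self.aging]:
            del self.table[mac]

    def receive(self, in_port: str, src: str, dst: str, now: float) -> List[str]:
        """Handle one frame and return the list of egress ports."""
        src, dst = src.lower(), dst.lower()
        if not self.up[in_port]:
            return []
        # Learning uses nothing but the source MAC of a frame that arrived.
        e = self.table.get(src)
        if e is None:
            self.table[src] = Entry(in_port, False, now)
        elif not e.static:
            e.port, e.last_seen = in_port, now      # refresh, or station moved
        # A static entry is left alone: the MAC stays pinned to its port.

        d = self.table.get(dst)
        if d is None:
            # Unknown unicast (or broadcast): flood out every other up port.
            return [p for p in self.ports if p != in_port and self.up[p]]
        if d.port is None or d.port == in_port:
            return []                               # drop entry, or same segment
        # Model assumption: a static entry whose port is down loses the frame.
        return [d.port] if self.up[d.port] else []


def demo() -> Dict[str, object]:
    # Constructed sample MACs on a three-port switch.
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    A, B, C, D = "0000.1111.aaaa", "0000.2222.bbbb", "0000.3333.cccc", "0000.4444.dddd"
    out: Dict[str, object] = {}
    # A on Fa0/1 talks to B: B is unknown, so the frame floods; A gets learned.
    out["flood_unknown"] = sw.receive("Fa0/1", A, B, now=0)
    # B answers from Fa0/2: B is learned, and the frame is unicast to Fa0/1.
    out["unicast_known"] = sw.receive("Fa0/2", B, A, now=1)
    # Fa0/1 goes down: A's dynamic entry is flushed, frames for A flood again.
    sw.set_link("Fa0/1", False)
    out["A_after_shut"] = A in sw.table
    out["flood_after_shut"] = sw.receive("Fa0/2", B, A, now=2)
    # A static entry survives a shut / no shut ...
    sw.set_link("Fa0/1", True)
    sw.add_static(C, "Fa0/1")
    sw.set_link("Fa0/1", False)
    sw.set_link("Fa0/1", True)
    out["C_after_shut"] = sw.table[C].port
    # ... and is not re-learned when C shows up on another port.
    sw.receive("Fa0/3", C, "ffff.ffff.ffff", now=3)
    out["C_port_after_move"] = sw.table[C].port
    # A static drop entry discards frames addressed to D.
    sw.add_static(D, drop=True)
    out["to_drop_entry"] = sw.receive("Fa0/2", B, D, now=4)
    # Aging: B was last heard at t=4; after 300 s of silence it is purged.
    sw.age(now=400)
    out["B_after_aging"] = B in sw.table
    out["remaining"] = sorted(sw.table)
    return out
```

Nothing in the model consults IP addresses or ARP; the only inputs to learning are the ingress port and the source MAC of each frame, which is the point made earlier in the thread.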

Thanks, Peter, for the more elaborate information.

Regards, Chandu