Static entries in mac address table.

speculor_cisco
Level 1

I was reading the 2950 switch and 2960 switch Software Configuration Guides in order to understand static addresses in the MAC address table.

The text is often not very clear. This is an example from 2960 switch Software Configuration Guide:

"You can add and remove static addresses and define the forwarding behavior for them.

The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission.

Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify.

You can specify a different list of destination ports for each source port."

In some cases I have found errors. This is an example from 2960 switch Software Configuration Guide:

"All addresses are associated with a VLAN.

An address can exist in more than one VLAN and have different destinations in each.

Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5."

And here the same concept from 2950 switch Software Configuration Guide:

"All addresses are associated with a VLAN.

An address can exist in more than one VLAN and have different destinations in each.

Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5."

I do not want to discuss the details but I want to talk about the following concept.

I had understood that in a dynamic entry like the following:

VLAN    MAC               INTERFACE
10      1111.1111.1111    Fa0/1

VLAN 10 on the left was the VLAN of interface Fa0/1 on the right, as this is an entry dynamically learned by the switch.

Now I have understood that with static addresses this information must be interpreted differently: every frame received on an interface belonging to VLAN 10 with destination address 1111.1111.1111 must be forwarded out interface Fa0/1. This interpretation is good also for dynamic entries, and this is quite ok.

But with this interpretation, I could set static entries and forward frames between interfaces in different VLANs.

I do not know if this is possible only with multicast or also with unicast frames, but I am quite surprised because all texts I had read say that VLANs in a switch are separated. Maybe they refer to dynamic entries only, which are built by the switch during its normal work without human setting.

I cannot try some scenarios because my simulator does not have the right complete commands.

What do you think about this topic?

Thanks.

7 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

What the documentation said is correct. When you add static MAC entries into the switch and assign them to a VLAN, the switch will build its forwarding table based on that information. When it gets a packet in VLAN 1 for that destination MAC, it will look up the VLAN 1 portion of the table and then send the packet to the VLAN 1 port where the MAC address has been registered (or statically configured). The same phenomenon repeats for VLAN 5 as well. That is the reason it is stressed that the MAC address should be "UNICAST". In multicast, when you register the same MAC address on multiple ports across different VLANs, the switch will forward every packet destined to that MAC address to all registered ports irrespective of the source/destination VLANs. Unicast traffic cannot jump beyond the VLANs without going through the routing process.

Hope this helps.

Regards

NT

Thanks for the answer.

"Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5."

I have not understood if it is the same MAC address that is forwarded at the same time.

In this case, could you write an example of static entries in order to make this possible?

I have added an image with a simple scenario: a switch and two computers.

Suppose I add the following two static entries in the mac address table of the switch:

VLAN    MAC address       Type      Port
10      2222.2222.2222    static    Fa0/2
20      1111.1111.1111    static    Fa0/1

Are you sure that, even if the two computers belong to different VLANs, they cannot communicate?

I am interested in the switch forwarding logic.

I am not considering IP addresses and ARP tables, but it should not be a problem.

Thanks.

Hello Matteo,

>> Are you sure that, even if the two computers belong to different vlans, they can not communicate?

Yes, because the CAM table uses the VLAN value of the receiving port as a way to restrict the search for possible destination ports.

Each L2 VLAN is a separate broadcast domain.

If a frame with a broadcast, multicast or unknown unicast destination is received on port 1 in VLAN 10, the frame is sent out all ports in VLAN 10 except the port on which the frame was received. So the frame cannot reach a device in VLAN 20.

This has been the key differentiator between LAN switches and their predecessors, bridges, which had all ports in the same VLAN.

Hope to help

Giuseppe

Hello Nagaraja,

>> In multicast, when you register same MAC address on multiple ports across different vlans, the switch will forward every packet destined to that MAC address to all registered ports irrespective of the source/destination vlans

Each kind of frame, including frames with a multicast destination, is confined to the broadcast domain of the port that received the frame.

The same MAC address can be seen in different VLANs; this typically happens when connecting devices on an L2 trunk port. For example, router interfaces with different VLAN-based subinterfaces use the same MAC address on all VLANs/subinterfaces.

If the receiving port is an L2 trunk, the frame is tagged with VLAN-ID information, and again the switch will look for the destination in that VLAN's portion of the CAM table.

There is no jumping to a different VLAN in a single switch, even for multicast traffic.

There are some forms of L2 attack that could move traffic to a different VLAN by sending tagged traffic to an access port.

Modern implementations on access ports should accept only untagged frames or frames with a VLAN ID equal to the VLAN associated with the access port. Frames with a different VLAN ID set are discarded.

Hope to help

Giuseppe


Hello Giuseppe.

I know what you are saying, and all was ok with dynamic entries.

Some doubts arose when I began to consider static entries.

For example:

VLAN    MAC address       Port
10      AAAA.AAAA.AAAA    fa0/4

I consider this entry in this way: when a frame is received at an interface belonging to VLAN 10, forward that frame, if it has MAC address AAAA.AAAA.AAAA, out port fa0/4.

If port fa0/4 does not belong to vlan 10, what happens?

When I enter that static entry, I do not know if the switch checks whether port fa0/4 is in VLAN 10. Or does the switch check this before forwarding the frame? With dynamic entries there were no problems; the VLAN field was always equal to the VLAN of the port in each entry. Now, with static entries, I am not so sure.

Thanks. 
