
Address of a switch port - generic question

hostettle
Level 1

Hi,

I hope my question is not difficult and sufficiently clear.

For management, a switch has 2 kinds of address.

- The address of the whole switch

- The individual address of each of its ports

Would you please have a case where the individual address of the switch port is included in the DA address of the MAC frame?

I think it's more common to have this address in the SA of the MAC frame => we have STP, MRP.

Best regards,

Michel

Accepted Solutions

Peter Paluch
Cisco Employee

Hello Michel,

You are very much welcome. You pose some very good questions!

> What is the relation between the address of the management port and the base MAC address of the switch?

Well, what is a management port? Cisco Catalyst series 2960 up to 3750 usually do not have any dedicated Ethernet port just for management (some of them do, most don't). In any case, let me show you a 3560G:

SW-Dist1#show version | include MAC

Base ethernet MAC Address       : 00:26:0A:54:BB:80

SW-Dist1#show interfaces gi0/1 | include bia

  Hardware is Gigabit Ethernet, address is 0026.0a54.bb81 (bia 0026.0a54.bb81)

SW-Dist1#show interfaces gi0/2 | include bia

  Hardware is Gigabit Ethernet, address is 0026.0a54.bb82 (bia 0026.0a54.bb82)

SW-Dist1#show interfaces gi0/3 | include bia

  Hardware is Gigabit Ethernet, address is 0026.0a54.bb83 (bia 0026.0a54.bb83)

Notice that the MAC addresses of individual switchports form an increasing sequence depending on their position in the switch. As I see it, the switch internally enumerates its ports and assigns MAC addresses to its ports in the ascending order of the internal enumeration.

Best regards,

Peter


Hello Michel,

> In fact, it would seem that switches which can be managed remotely by SNMP, for example, have a management port, not necessarily physically connected to the LAN.

Alright, I get your point. With port, we usually mean a physical connector somewhere on the switch. What you are talking about is a logical interface that provides IP connectivity of the manageable entity inside the switch to the surrounding IP network.

With Catalyst switches, such a management interface is a SVI interface, i.e. any interface Vlan X interface. In fact, every SVI is considered a management interface on Catalysts. Regardless of which IP address configured on SVIs you send packets to, they will all be received and processed by the switch. The MAC addresses of these SVIs are also derived from the base MAC address of the switch:

SW-Dist1#show ver | i MAC

Base ethernet MAC Address       : 00:26:0A:54:BB:80

SW-Dist1#show int Vlan1 | i bia

  Hardware is EtherSVI, address is 0026.0a54.bbc0 (bia 0026.0a54.bbc0)

SW-Dist1#show int Vlan5 | i bia

  Hardware is EtherSVI, address is 0026.0a54.bbc1 (bia 0026.0a54.bbc1)

SW-Dist1#show int Vlan11 | i bia

  Hardware is EtherSVI, address is 0026.0a54.bbc2 (bia 0026.0a54.bbc2)

SW-Dist1#show int Vlan12 | i bia

  Hardware is EtherSVI, address is 0026.0a54.bbc3 (bia 0026.0a54.bbc3)

Even here you can see that the SVI addresses start with a certain offset from the base MAC and then proceed sequentially.

Best regards,

Peter
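The address layout shown in the two posts above, worked through as an added example (not part of the original posts, and not Cisco code): it parses the quoted CLI output, computes each interface's offset from the base MAC, and checks whether a MAC seen in a capture falls inside the switch's block. The block size of 128 and all function names are assumptions made for this example; the posts do not state how many addresses the switch owns.

```python
import re

# CLI output quoted in the two posts above (blank lines removed).
TRANSCRIPT = """\
SW-Dist1#show version | include MAC
Base ethernet MAC Address       : 00:26:0A:54:BB:80
SW-Dist1#show interfaces gi0/1 | include bia
  Hardware is Gigabit Ethernet, address is 0026.0a54.bb81 (bia 0026.0a54.bb81)
SW-Dist1#show interfaces gi0/2 | include bia
  Hardware is Gigabit Ethernet, address is 0026.0a54.bb82 (bia 0026.0a54.bb82)
SW-Dist1#show interfaces gi0/3 | include bia
  Hardware is Gigabit Ethernet, address is 0026.0a54.bb83 (bia 0026.0a54.bb83)
SW-Dist1#show int Vlan1 | i bia
  Hardware is EtherSVI, address is 0026.0a54.bbc0 (bia 0026.0a54.bbc0)
SW-Dist1#show int Vlan5 | i bia
  Hardware is EtherSVI, address is 0026.0a54.bbc1 (bia 0026.0a54.bbc1)
SW-Dist1#show int Vlan11 | i bia
  Hardware is EtherSVI, address is 0026.0a54.bbc2 (bia 0026.0a54.bbc2)
SW-Dist1#show int Vlan12 | i bia
  Hardware is EtherSVI, address is 0026.0a54.bbc3 (bia 0026.0a54.bbc3)
"""

# Assumption for this example only: the switch owns 128 consecutive addresses
# starting at its base MAC. The posts do not give the real block size.
ASSUMED_BLOCK_SIZE = 128

BASE_RE = re.compile(r"Base ethernet MAC Address\s*:\s*(\S+)")
CMD_RE = re.compile(r"#\s*show int\S*\s+(\S+)")
ADDR_RE = re.compile(r"address is (\S+)")


def mac_to_int(text):
    """Accept 00:26:0A:54:BB:80, 00-26-0A-..., or Cisco dotted 0026.0a54.bb80."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def parse_transcript(text):
    """Return (base MAC as int, {interface name: MAC as int})."""
    base, current, macs = None, None, {}
    for line in text.splitlines():
        if (m := BASE_RE.search(line)):
            base = mac_to_int(m.group(1))
        elif (m := CMD_RE.search(line)):
            current = m.group(1)          # interface named in the command
        elif current and (m := ADDR_RE.search(line)):
            macs[current] = mac_to_int(m.group(1))
            current = None
    if base is None:
        raise ValueError("no base MAC line found")
    return base, macs


def offsets_from_base(text):
    """Map each interface to (its MAC - base MAC)."""
    base, macs = parse_transcript(text)
    return {name: mac - base for name, mac in macs.items()}


def attribute(mac, base, block_size=ASSUMED_BLOCK_SIZE):
    """Offset of `mac` inside the switch's block, or None if it lies outside."""
    offset = mac_to_int(mac) - mac_to_int(base)
    return offset if 0 <= offset < block_size else None


if __name__ == "__main__":
    for name, off in offsets_from_base(TRANSCRIPT).items():
        print(f"{name:8} base + 0x{off:02x}")
```
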


18 Replies

Peter Paluch
Cisco Employee

Hello Michel,

Cisco switches indeed have lots of MAC addresses. Basically, the switch as a unit has its own MAC address, sometimes called a base MAC address. This MAC address is used, for example, as part of the Bridge ID in STP. However, this base MAC address does not - to my best knowledge - ever appear as a source or destination MAC address in a frame.

This base MAC address is then used to derive a unique MAC address for individual ports on the switch, both physical and virtual (Port-channels, SVIs, etc.). These addresses may be used as source or destination MAC addresses in frames. For SVIs, the need for a MAC address is completely clear - a SVI must behave just like a router's interface with its own unique MAC address. MAC addresses on physical switchports are used as source MAC addresses in Layer2 management protocols spoken by the switch - STP, CDP, VTP, LACP, etc... These MAC addresses are also used as destination MAC addresses for LOOP frames. The other Layer2 management protocols mentioned before usually use multicast destination MAC addresses.

Does this clarify things a bit? Please feel welcome to ask further!

Best regards,

Peter

Hi Peter,

Thanks for this reply.

> However, this base MAC address does not - to my best knowledge - ever

> appear as a source or destination MAC address in a frame.

It would also be my opinion.

> This base MAC address is then used to derive a unique MAC address for

> individual ports on the switch, both physical and virtual (Port-channels, SVIs, etc.).

I thought it was the opposite, the base MAC address deduced from the address of the lowest number of the port.

> a SVI must behave just like a router's interface with its own unique MAC address

Sorry for my ignorance. Could you give a few words on SVI frames? Is there an Ethertype?

> These MAC addresses are also used as destination MAC addresses for LOOP frames.

I'm interested in these LOOP frames. Do you refer to OAM in the access networks?

Thanks,

best regards,

Michel

Hello Michel,

> This base MAC address is then used to derive a unique MAC address for

> individual ports on the switch, both physical and virtual (Port-channels, SVIs, etc.).

> I thought it was the opposite, the base MAC address deduced from the address of the lowest number of the port.

Algorithmically, both approaches would produce the same results. However, it is easier for a switch management to define its base MAC address and the total number of MAC addresses this device may generate. The device then simply generates a MAC address for each of its ports.

> a SVI must behave just like a router's interface with its own unique MAC address

> Sorry for my ignorance. Could you give a few words on SVI frames? Is there an Ethertype?

No apologies needed - on the contrary, I apologize for being unclear. The SVI is an acronym for Switched Virtual Interface which is just a fancy name for interface Vlan X. The interface Vlan X for a particular VLAN X is an interface where the switch is assigned its own IP address, and also, if the switch has routing capabilities (i.e. is a multilayer switch), the IP address of this interface will be used by stations in the particular VLAN as the default gateway address. Naturally, when these stations send packets to other networks via this gateway, they will translate the gateway's IP address using ARP into the MAC address, which is one of the reasons why the SVI interface needs to have its own MAC address.

> These MAC addresses are also used as destination MAC addresses for LOOP frames.

> I'm interested in these LOOP frames. Do you refer to OAM in the access networks?

No, this is something different (although the fact you know about OAM is admirable!). Actually, I suggest you read the following thread. It is quite lengthy but I guess it will answer your questions.

https://supportforums.cisco.com/thread/2001389

As usual - please feel welcome to ask further!

Best regards,

Peter

Hi Peter,

> The SVI is an acronym for Switched Virtual Interface which is just a fancy name...

Many thanks for your patience and your time.

> Actually, I suggest you read the following thread. It is quite lengthy but I guess it will answer your questions.

I have to read again the thread.

It would seem that the loopback message, with Ethertype = 0x9000, is specific to Cisco; could you confirm, please? I didn't see it in 802.1Q-2011, but I have to check again.

This LOOP frame tests the MAC connectivity (and not the PHY connectivity) between 2 opposite ports. It is a really good candidate to have SA = the MAC address of the source port, and DA = the MAC address of the sink port.

Best regards,

Michel

Hello Michel,

> It would seem that the loopback message, with Ethertype = 0x9000, is specific to Cisco; could you confirm, please?

Well, the LOOP frame was probably meant originally as an Ethernet version of PING, as Giuseppe explained in the thread I have linked. However, this functionality is to my best knowledge not implemented in any major operating system. Cisco appears to reuse these LOOP frames for a different purpose: each switch port sends a LOOP frame to itself (i.e. SMAC=DMAC). If there is no switching loop in the network, such a frame will never arrive back to the port that originated it. However, if there is a switching loop present in the network, this LOOP frame will be received by its originating port which will cause this port to immediately go to err-disabled state.

> I didn't see it in 802.1Q-2011, but I have to check again.

I do not think it is described there. It was part of the original Ethernet II DIX specification but I do not believe it was retaken into IEEE Ethernet. In the thread I've linked, Giuseppe provided links to a PDF and a LWN discussion about the Ethernet Configuration Test Protocol suite which the LOOP message is a part of.

Best regards,

Peter
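The check described in the post above (a port receiving its own LOOP frame, Ethertype 0x9000 with SMAC=DMAC), as an added example that is not part of the original thread and not Cisco's implementation. It parses raw Ethernet headers from a constructed capture and reports the ports that saw their own self-addressed LOOP frame come back; the function names, the host MAC and the all-zero payloads are assumptions of this example.

```python
import struct

ETHERTYPE_LOOP = 0x9000   # Ethertype named in the thread
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag, skipped when present


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return (dst, src, ethertype); looks past a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
    return dst, src, ethertype


def classify(frame):
    """'loop-self-addressed' is the SMAC=DMAC form described in the post."""
    dst, src, ethertype = parse_ethernet(frame)
    if ethertype != ETHERTYPE_LOOP:
        return "other"
    return "loop-self-addressed" if src == dst else "loop-other"


def ports_seeing_own_loop(capture):
    """capture: iterable of (receiving port MAC, frame), both as bytes.

    Returns the ports that received a LOOP frame whose source and
    destination are both that port's own MAC, i.e. the condition the
    post says indicates a switching loop.
    """
    hits = set()
    for port_mac, frame in capture:
        try:
            dst, src, ethertype = parse_ethernet(frame)
        except ValueError:
            continue  # ignore runts in the capture
        if ethertype == ETHERTYPE_LOOP and src == dst == port_mac:
            hits.add(fmt_mac(port_mac))
    return sorted(hits)


def build(dst, src, ethertype, payload=bytes(46)):
    """Constructed test frame; the zero payload is a placeholder."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample data. PORT1/PORT2 reuse the port MACs shown elsewhere
# in the thread; HOST is a made-up locally administered address.
PORT1 = bytes.fromhex("00260a54bb81")
PORT2 = bytes.fromhex("00260a54bb82")
HOST = bytes.fromhex("020000000001")

SAMPLE_CAPTURE = [
    (PORT1, build(PORT1, PORT1, ETHERTYPE_LOOP)),   # own LOOP frame came back
    (PORT2, build(b"\xff" * 6, HOST, 0x0806)),      # ordinary ARP broadcast
    (PORT2, build(PORT2, HOST, ETHERTYPE_LOOP)),    # 0x9000 but SMAC != DMAC
    (PORT2, b"\x00" * 10),                          # truncated frame
]

if __name__ == "__main__":
    print(ports_seeing_own_loop(SAMPLE_CAPTURE))
```
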

Hi Peter,

> Cisco appears to reuse these LOOP frames for a different purpose: each

> switch port sends a LOOP frame to itself (i.e. SMAC=DMAC).

So, the LOOP frame is not a candidate to have the remote switch port address in DA of the MAC frame.

Through that talking, I have another idea.

Suppose a switch with a function of IP routing. What is the address in the DA field if the IP datagram which is carried in the MAC frame has to be sent to the router part?

Is it the MAC switch port address or the base MAC address of the switch?

Thanks,

best regards,

Michel

Hello Michel,

> So, the LOOP frame is not a candidate to have the remote switch port address in DA of the MAC frame.

No, it is not. In LOOP frames as used by Cisco, both the source and destination MAC address are set to the same address of the port that sent the frame.

> Suppose a switch with a function of IP routing. What is the address in the DA field if the IP datagram which is carried in the MAC frame has to be sent to the router part?

> Is it the MAC switch port address or the base MAC address of the switch?

Actually, it will be neither of these two. It will be the MAC address of the interface Vlan X interface (the SVI) for the VLAN in which the frame was received. The MAC address of a SVI is derived from the switch base MAC address but it is unique - i.e. not shared by any other switchport or other SVI.

Best regards,

Peter

Hello Peter,

> The MAC address of a SVI is derived from the switch base MAC address but it is

> unique - i.e. not shared by any other switchport or other SVI.

Many thanks for this interesting information I've learned.

So, we don't have an example where the remote switchport address is inserted in the DA field of the MAC frame, in the LAN domain.

Thanks Peter,

best regards,

Michel

Hello Michel,

> So, we don't have an example where the remote switchport address is inserted in the DA field of the MAC frame, in the LAN domain.

Quite correct. I do not know of any protocol that would use this kind of addressing.

It shall be said that the usage of MAC addresses as described in this thread is typical for Cisco Catalyst switches. Other vendors may use MAC addresses differently so I suggest caution when thinking about switches of different types or vendors.

You are very much welcome!

Best regards,

Peter

Hello Peter,

I just want to add this.

In LAN we are not used to distinguish the user plane from the management plane.

I will suggest that the MAC address of a SVI is the switchport address in the user plane for a level 3 switch. This MAC address can be included in SA or DA fields.

Now we have the MAC switchport address in the management plane. This MAC address is the "more often" used in SA field.

In WAN bridges, the management plane is more efficient, switchport addresses can be used in SA and DA fields.

Best regards,

Michel

Hello Michel,

To be honest, I would not try to characterize MAC addresses and their usage based on management, control or data plane. You have to consider the fact that in our usual networks, we mostly have in-band control and management, meaning that the management of the switches and their control is done along with the data traffic, using the same ports, pathways and bandwidth. This is in quite a contrast to telecommunications equipment where management and control plane had a separate topology independent from data pathways.

In addition, different layer protocols would differ in their MAC address usage. Layer2 control protocols (STP, VTP, CDP, DTP, LLDP, PAgP, LACP, LOOP, ...) mostly use the switchport MAC addresses as sources. Layer3 control protocols (all routing protocols, first hop redundancy protocols like HSRP, VRRP, GLBP, Telnet/SSH/SNMP, ...) are sent from L3 interfaces which is mostly SVIs, so their messages would be ultimately encapsulated using SVI MAC addresses as sources. So the criterion of management/control vs. data plane traffic does not really define anything.

There is one thing I realized during our discussions: with the Layer2 control protocols mentioned above, it is actually necessary to use switchport MAC addresses as sources. Using the base MAC address of a switch would be bad: imagine STP BPDUs being sent from multiple ports towards a single neighboring switch (assume they're interconnected with multiple links). If the base MAC address was used as a source MAC address in all outgoing BPDUs, the opposite switch would complain about the same source MAC address flapping between its own ports which would be true. It is in fact necessary that for Layer2 control protocols that are used by switches to communicate among themselves, the messages sourced by individual switchports must be sourced from unique MAC addresses.

I am not sure if this helps... it's quite convoluted.

Best regards,

Peter
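The flapping argument in the post above, as an added simulation that is not part of the original thread: a neighbor's MAC learning table is fed BPDU arrivals over two parallel links, once with the base MAC as source on both links and once with per-port source MACs. The port names, the number of hello rounds and the threshold are assumptions of this example; the MAC addresses are the ones shown elsewhere in the thread.

```python
from collections import Counter


def mac_moves(events):
    """events: (ingress port, source MAC) pairs in arrival order.

    Models a learning table on the neighboring switch and returns one
    (mac, old_port, new_port) tuple each time a known MAC is re-learned
    on a different port.
    """
    table, moves = {}, []
    for port, mac in events:
        old = table.get(mac)
        if old is not None and old != port:
            moves.append((mac, old, port))
        table[mac] = port
    return moves


def flapping_macs(events, threshold=2):
    """MACs that moved between ports at least `threshold` times."""
    counts = Counter(mac for mac, _old, _new in mac_moves(events))
    return sorted(mac for mac, n in counts.items() if n >= threshold)


def bpdu_arrivals(source_mac_per_link, rounds):
    """One BPDU per link per hello round, as received by the neighbor.

    source_mac_per_link maps the neighbor's ingress port to the source MAC
    the sending switch uses on that link.
    """
    return [(port, mac)
            for _ in range(rounds)
            for port, mac in source_mac_per_link.items()]


# Constructed scenario: two parallel links between the same pair of switches.
SHARED_BASE = {"Gi0/1": "0026.0a54.bb80", "Gi0/2": "0026.0a54.bb80"}
PER_PORT = {"Gi0/1": "0026.0a54.bb81", "Gi0/2": "0026.0a54.bb82"}

if __name__ == "__main__":
    for label, scheme in (("base MAC as source", SHARED_BASE),
                          ("per-port source MACs", PER_PORT)):
        events = bpdu_arrivals(scheme, rounds=3)
        print(label, "->", len(mac_moves(events)), "moves,",
              "flapping:", flapping_macs(events))
```
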

Hello Peter,

> ...the management of the switches and their control is done along with the data traffic,

> using the same ports, pathways and bandwidth.

It's a characteristic of Ethernet 802.3 (MAC over PHY) to use all the LAN network for all the planes, it's a connectionless transmission. This is in contrast with other Ethernet architectures such as Ethernet over SDH (MAC over SDH, or MAC over MPLS over SDH), these architectures are connection-oriented.

But... if the transmission is done horizontally in all the LAN network (for Ethernet 802.3), the planes are distinguished inside the equipment, vertically, at the level 2, 3 or at TCP/IP application.

SNMP has actions in the MAC management plane, for the configuration or the performance (and perhaps in the control plane, I don't remember).

STP has actions only in the MAC control plane, to prevent loop and to provide survivability. It can modify the conversational context (the connectivity organisation).

We are far from the switchport subject. But, we don't confuse the physical ports (the PHY ports) from the logical ports at level 2 or higher.

Best regards,

Michel

Hello Michel,

I apologize... while I agree with most of what you wrote, I am not quite sure where you're heading. I do not entirely understand the meaning and the context. Perhaps if you could clarify it a little bit... I am really sorry for not being able to understand better.

Best regards,

Peter

Hello Peter,

It's for me to apologize. I'm just an amateur, a little bit interested in the many-faceted Ethernet, the concepts from LAN to MEF. With pleasure, we can discuss that through future threads. I appreciated your writing.

In the originating subject I permit me to ask you this question.

What is the relation between the address of the management port and the base MAC address of the switch?

Thanks,

best regards,

Michel
