C3750X behaviour on MAC limit exhaustion

Iulian Vaideanu
Level 4

I'm trying to find out what happens after the maximum number of MAC addresses (12K for the "richest" SDM template) is reached on a C3750X.  Does the switch ignore (drop frames from) additional MAC addresses?  Does it flood all Vlan traffic to ports where additional ("unlearnable") MACs come from?  Bottom line, will new MACs (devices) have connectivity?

Thank you.


Jon Marshall
Hall of Fame

I couldn't say for sure without testing but I would be very surprised if the switch dropped them.

The behaviour of all switches, as far as I am aware, is to simply treat them as unknown and flood them to all ports.

Jon

So the switch will flood frames sourced by new ("unlearnable") MACs to all ports in that Vlan, and it will also flood frames intended for these "unlearnable" MACs to all ports in the Vlan?  If so, does it mean that the only drawback of MAC limit exhaustion is this extra, useless, traffic?

All ports are downlinks to other switches which I assume would "fix" this, so security is not an issue yet...  I also noticed a significant increase in CPU usage (by the "HLFM address lea[rn]" process), but still manageable (up to ~70%)...

So the switch will flood frames sourced by new ("unlearnable") MACs to all ports in that Vlan

Not necessarily. Switches forward based on destination MAC, so even if the source MAC is unknown the destination might be.

and it will also flood frames intended for these "unlearnable" MACs to all ports in the Vlan?

As far as I am aware, yes it will. It's called unicast flooding and happens when the MAC address table is full.

If so, does it mean that the only drawback of MAC limit exhaustion is this extra, useless, traffic?

Yes, but it can be a big drawback, i.e. you suddenly have a lot more broadcast-type activity on your network.

I'm not sure I fully follow your comment about all ports being to other switches, i.e. are you saying that the other switches do know the destination MAC address?

Jon

Now that I'm thinking, I'm not sure I fully understand my comment either :), but an interesting scenario comes to mind:  let's say the "exhausted" C3750X receives a frame intended for an unknown MAC, so it floods it.  One of the connected switches receives the frame, looks for its destination MAC and finds it on its uplink interface (that is, towards the C3750X), so it sends the frame back to the C3750X, and so on...  are such loops possible?

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I believe the received frame will not be sent back on its ingress port.

It wouldn't be for an unknown MAC.  For a "known" MAC, it would normally be sent to the corresponding egress port, but again, (hopefully) the switch won't send to the ingress port.

No, I don't believe such loops are possible.

If the switch looks in its MAC address table and finds that the port to send it out on is the same port it was received on, it will simply drop it.

This is called filtering and is a logical thing to do, because what benefit would there be in sending it back, i.e. where it came from has already seen it.

The way I initially interpreted your comment about the ports being to other switches was that because the flooding was only going to other switches, i.e. no end devices, then a person with a packet capture tool would not be able to see the traffic.

This is also a logical assumption, providing the switch that has exhausted its MAC address table has no end devices.

Jon

I guess that's what I was initially thinking - downstream switches would not flood traffic to end users - but then I began wondering what a downstream switch would do with a flooded packet and the loop scenario popped up...

It does indeed make sense that a switch would drop frames intended for the port they came from (some sort of "negated layer2 urpf" :)), and hopefully this would happen for both known and unknown MACs, as Joseph noted.

And another question, on the same subject:  when the table is full, does the switch employ more aggressive MAC address aging / learning?  I'm trying to find an explanation for the high CPU load due to that "HLFM address lea[rn]" process...

and hopefully this would happen for both known and unknown MACs, as Joseph noted.

It will indeed, although for different reasons, i.e.:

1) known, because of filtering as I described

2) unknown, because of the general rule about switches flooding frames to all ports except the one they were received on

when the table is full, does the switch employ more aggressive MAC address aging / learning?

I don't know is the short answer.

I'll have a hunt around to see if I can find a definite answer.

Jon
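A small Python model of the forwarding rules Jon lays out above, added here as an illustration; it is not Cisco code and does not model the C3750X's HLFM process or its real 12K limit. It captures the four rules from the thread (learn the source MAC on ingress, forward a known destination to its port, flood an unknown destination to every port except ingress, and filter a frame whose egress port would equal its ingress port) and adds a constructed table cap so you can see that a frame from an "unlearnable" source is still delivered directly when its destination is known, while traffic back toward that source is flooded. Port names, MACs and the capacity of 2 are constructed values.

```python
"""Toy learning switch with a capped MAC table (added example, not Cisco code)."""

from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    capacity: int                       # constructed cap on table entries (real SDM templates allow thousands)
    ports: list[str]
    table: dict[str, str] = field(default_factory=dict)  # MAC -> port it was learned on
    unlearned: int = 0                  # count of source MACs seen while the table was full

    def forward(self, ingress: str, frame: Frame) -> list[str]:
        """Return the egress ports for a frame that arrived on `ingress`."""
        # Learning: refresh an existing entry, or add a new one only while there is room.
        if frame.src in self.table:
            self.table[frame.src] = ingress
        elif len(self.table) < self.capacity:
            self.table[frame.src] = ingress
        else:
            self.unlearned += 1         # table full: the frame is still forwarded, it is just not learned

        if frame.dst in self.table:
            egress = self.table[frame.dst]
            # Filtering: never send a frame back out the port it arrived on.
            return [] if egress == ingress else [egress]
        # Unknown unicast destination: flood to every port except ingress.
        return [p for p in self.ports if p != ingress]


def demo() -> dict:
    """Walk the scenarios from the thread on a three-port switch with room for two MACs."""
    sw = Switch(capacity=2, ports=["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"])
    out = {}
    # A (port 1) and B (port 2) are learned normally; the first frame to B is flooded.
    out["a_first"] = sw.forward("Gi1/0/1", Frame("aa:aa", "bb:bb"))
    out["b_reply"] = sw.forward("Gi1/0/2", Frame("bb:bb", "aa:aa"))
    # Table is now full. C on port 3 cannot be learned, yet its frame to A goes straight to port 1.
    out["c_to_a"] = sw.forward("Gi1/0/3", Frame("cc:cc", "aa:aa"))
    # Traffic back to C has no table entry, so it is flooded to ports 2 and 3 (unicast flooding).
    out["a_to_c"] = sw.forward("Gi1/0/1", Frame("aa:aa", "cc:cc"))
    # A downstream switch on port 2 sends a frame for B back up; egress == ingress, so it is dropped.
    out["filtered"] = sw.forward("Gi1/0/2", Frame("dd:dd", "bb:bb"))
    out["unlearned"] = sw.unlearned
    out["table_size"] = len(sw.table)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `unlearned` counter is the quantity a defender cares about: on this toy switch it shows how much of the traffic is coming from stations that can never get a table entry and will therefore be reached only by flooding for as long as the table stays full.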

Posting

Keep in mind, unicast flooding is like broadcast flooding, but if there's even one bulk flow running at line rate, that flow is replicated to all the other ports.  Your switched network starts to perform more like a shared hub network, or even worse.  The latter because sometimes switch hardware is not optimal for replicating high volumes to all other ports, and also because packets will queue on port egress and the sender needs to rely on end-to-end loss detection instead of local NIC insertion loss detection.
