Re: can switch learn MAC address from a 0x0800 packet?

seanxiao · ‎02-11-2024

Thanks in advance!

I have a problem that Cognex scanning gun cannot actively refresh its ARP on core switch (cisco WS-C6506). Say, if scanning gun A has an IP address C, and gun A is faulty needing to be replaced by gun B with IP address C. The ARP that maps MAC B and IP C will not take effect in network.

Then I sniffer the packet with wireshark on acces switch which the scanning gun (whatever gun A or B)is connected to, I some times found there is no ARP packet but only UDP packet (Type : IPv4 0x0800 in Type field of Ethernet II header), and its destination IP is the broadcast IP of that subnet. So, my first question is can the TCP/IP-enabled device under that subnet (VLAN), including the gateway (SVI of the subnet), refresh the ARP of the scanning gun by reading that broadcast UDP packet?

then, I some times found the scanning gun can send out arp announcement, but the ARP announcement will not pass through the port-channel to core switch.I put the configuration of the both end of that port-channel down below.

Currently, we have found two workarounds that can effectively solve the above issue but WHY is that? How can it be explained technically?
• Manually clear the ARP entry (say, gun A map with IP C) from core switch, which will trigger the core switch to actively send an ARP request message to the network to obtain the scanning gun (say, gun B)'s ARP response and update the ARP entry (new MAC address).
• Enable the Spanning-Tree Protocol feature "spanning-tree portfast" on the switch port where the scanning gun is connected.

Note：this issue is NOT happening to laptop or IP projector. We tested with a HP laptop and a Epson IP projector. Both can proactively refresh the ARP without spanning-tree portfast or manual ARP clearance.

===configuration for reference====

coreswitch#show run inter port-channel 8 !! this is the port-channel connected to ACCESS Switch
Building configuration...

Current configuration : 325 bytes
!
interface Port-channel8
description rhost="zhasw008" rint="Po1" trunk="Y" chan="Y" speed="2Gb" dept="Cylinder Block" phsrp="zhars001" shsrp="zhars002" desc="B4 Cabinet"
switchport
switchport mode trunk
switchport trunk allowed vlan 108,200,2508,2512,2518
logging event link-status
service-policy input CoreMark1
end

coreswitch#show interfaces port-channel 8 etherchannel
Age of the Port-channel = 135d:13h:20m:15s
Logical slot/port = 46/8 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -
Port security = Disabled
Fast-switchover = disabled
Fast-switchover Dampening = disabled
Load share deferral = disabled
Is fex host PO = FALSE

Ports in the Port-channel:

Index Load Port EC state No of bits
------+------+------------+------------------+-----------
1 FF Gi1/3/8 On 8
0 FF Gi2/3/8 On 8

Time since last port bundled: 10d:20h:47m:26s Gi1/3/8
Time since last port Un-bundled: 10d:20h:50m:30s Gi2/3/8

ACCESSSWITCH#show run inter port-channel 1 !!this is the port-channel connected to Core Switch
Building configuration...

Current configuration : 134 bytes
!
interface Port-channel1
description zhars001 PO8
switchport trunk allowed vlan 108,200,2508,2512,2518
switchport mode trunk
end

ACCESSSWITCH#show interfaces port-channel 1 etherchannel
Age of the Port-channel = 10d:20h:51m:06s
Logical slot/port = 35/1 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -
Port security = Disabled
Fast-switchover = disabled
Fast-switchover Dampening = disabled

Ports in the Port-channel:

Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi1/1/1 On 0
0 00 Gi2/1/1 On 0

Time since last port bundled: 10d:20h:50m:44s Gi1/1/1

ACCESSSWITCH#show run interface gigabitEthernet 2/0/43 !!this is the interface scanning gun connected to
Building configuration...

Current configuration : 150 bytes
!
interface GigabitEthernet2/0/43
description FA STN710 CPR403-710
switchport access vlan 2518
switchport mode access
spanning-tree portfast !! if I remove this spanning-tree portfast command, issue occurs. If put the command here, no issue.
end

ACCESSSWITCH#show interfaces gigabitEthernet 2/0/43 !! this is the full configuration of the port scanning gun is connected to

GigabitEthernet2/0/43 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 9077.ee1a.8cab (bia 9077.ee1a.8cab)
Description: FA STN710 CPR403-710
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 1w2d, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
184534 packets input, 13367442 bytes, 0 no buffer
Received 7539 broadcasts (372 multicasts)
0 runts, 0 giants, 0 throttles
17 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 372 multicast, 0 pause input
0 input packets with dribble condition detected
1535426 packets output, 114110827 bytes, 0 underruns
Output 304233 broadcasts (955307 multicasts)
0 output errors, 0 collisions, 4 interface resets
360 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
zhasw008#show mac ad
zhasw008#show mac address-table inter

ACCESSSWITCH#show mac address-table interface gigabitEthernet 2/0/43
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
2518 00d0.2484.f396 DYNAMIC Gi2/0/43
Total Mac Addresses for this criterion: 1

MHM Cisco World · ‎02-11-2024

Can you more elaborate about spanning tree portfast

MHM

balaji.bandi · ‎02-12-2024

what model of Core and Access switch and what IOS code running on the devices ?

how is your Port-channel Load-balance taking place configured.

show etherchan load-balance

when you clear the arp that works means the arp are not clearing as expected - when the Device change with same IP - i would expect Core acting as layer 3 (should clear arp, depends on the config) - if not some time we need to clear arp entry (default value time i remember top of my head is 4 hours).

Since you mentioned PC works find and only happening with scanning device, this should be the device issue as i suspect for now. what kind - i have seen this issue some time in the medical devices, to remidiate what we have did is add static arp entry on the core switch to fix the issue (this may not be solution - just advise) - since we do not have any control on the scanning device, what is inside and how this is configured ( reserve the DHCP static reservation and static arp entry on the core fixed my issue)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

seanxiao · ‎02-12-2024

thanks for your great support. Yes the core switch is a layer 3 switch. All gateway (SVI) is created on it.

ACCESSSWITCH#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source MAC address

fniccola · ‎02-12-2024

ciao!

let me share with you a good document related to UDP broadcast packets handling

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-mt/iap-15-mt-book/iap-bph.html#GUID-697E9340-CCAE-40A7-BD73-94EFA8538D98

I'm not sure it could be useful for your situation, but you can verify it.

Also, regarding you question:

"So, my first question is can the TCP/IP-enabled device under that subnet (VLAN), including the gateway (SVI of the subnet),
refresh the ARP of the scanning gun by reading that broadcast UDP packet?"

Unfortunately I never seen a situation like this in a production environment. What I can think is:

a client has, into its ARP table, the IP A mapped with mac A, this device fails, and the new device has IP A but mac B,
usually what happen, is an ARP process and the client can refresh its ARP entry correctly.
In this situation however, the new device sends an UDP broadcast packet, if this packet arrive on the client,
it could be refresh the arp table simply because there is the same IP A with a new mac B into the packet.

You could test this, by using a traffic generator (scapy for example) and send the udp broadcast packet to a client, to verify its behavior.

TKK
FabioN

seanxiao · ‎02-12-2024

Thanks for your great help, but the situation is whatever the scanning gun sent to the network, a UDP broadcast, or a ARP announcement, ARP entry is mostly not refreshed unless I enable spanning-tree portfast on the port or conduct a manual clearance on core switch. But how spaning-tree is a must here?

fniccola · ‎02-12-2024

ciao!

ok, so the problem is present also by using a classic ARP process?

then, can you share the output of show spanning-tree vlan <xyz> when the portfast is NOT configured under the interface and also after enabled it?

thanks for patience

TKK
FabioN

seanxiao · ‎02-12-2024

it's me thanking you bro.

CORESWITCH#show spanning-tree vlan 2518

VLAN2518
Spanning tree enabled protocol rstp
Root ID Priority 10710
Address 6073.5c84.ec00
This bridge is the root
Hello Time 1 sec Max Age 6 sec Forward Delay 4 sec

Bridge ID Priority 10710 (priority 8192 sys-id-ext 2518)
Address 6073.5c84.ec00
Hello Time 1 sec Max Age 6 sec Forward Delay 4 sec
Aging Time 480

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po8 Desg FWD 3 128.5768 P2p
Po502 Desg FWD 3 128.5799 P2p
Po503 Desg FWD 3 128.5800 P2p

ACCESSSWITCH#show spanning-tree vlan 2518

VLAN2518
Spanning tree enabled protocol rstp
Root ID Priority 10710
Address 6073.5c84.ec00
Cost 10000
Port 3049 (Port-channel1)
Hello Time 1 sec Max Age 6 sec Forward Delay 4 sec

Bridge ID Priority 35286 (priority 32768 sys-id-ext 2518)
Address 9077.ee1a.7e00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/7 Desg FWD 200000 128.7 P2p
Gi1/0/12 Desg FWD 200000 128.12 P2p
Gi2/0/23 Desg FWD 20000 128.119 P2p
Gi2/0/43 Desg FWD 200000 128.139 P2p Edge !! I enabled portfast on this single port so it is showing Edge typ
Gi2/0/45 Desg FWD 200000 128.141 P2p
Po1 Root FWD 10000 128.3049 P2p

MHM Cisco World · ‎02-12-2024

the Spanning tree portfast make the port in FWD status immediately not wait the STP to pass listen and learn state.
the SW without portfast STP can not learn MAC if the port not in FWD status
this explain why add portfast can make SW learn the MAC
BUT

why the Gun send only few or only one frame and if SW miss this frame it will not learn the MAC, this Q.
can I know the Gun have static IP or via DHCP?
MHM

seanxiao · ‎02-12-2024

yes the gun has static IP.

we do know the portfast will put the port into FWD status right away, and the default stp mode is spanning-tree mode rapid-pvst.

since there is also PoE process upon the gun being connected to the switch port, I was assuming that when portfast is not configured, the gun sent the ARP broadcast right away as soon as it detects PoE signal, but the switchport is not fully ready (in forwarding status) yet, after that it does not send ARP any more when the port is really in forwarding status. Which means the gun sends the ARP too early and the switch port is not fully ready. This is only my assumption, so I will test to disable the PoE feature for that port, and use the PoE adapter coming along with the gun instead.

Sorry I forgot to mention the PoE adapter before. It is a adapter for both power supply and ethernet connection. But the issue is there whether using the adapter or connecting the gun directly to the switchport (with PoE on).

brintannymoore · ‎02-12-2024

The Ethernet MAC address is typically learned by network devices, including switches, from Ethernet frames (packets) at the data link layer. The Ethernet frame header contains fields for the source and destination MAC addresses.

The EtherType field in the Ethernet frame header is used to identify the type of the payload. For IPv4 packets, the EtherType value is 0x0800. So, when a switch receives an Ethernet frame with EtherType 0x0800 (indicating an IPv4 packet), it reads the source MAC address from the frame and learns it for the corresponding port.

In summary, switches learn MAC addresses from the source MAC addresses in Ethernet frames, and the EtherType field helps distinguish different types of payloads, such as IPv4 packets (0x0800).

seanxiao · ‎02-12-2024

Thanks for the reply.

I would say this is a interesting topic, at least for me. Can a layer 2 switch understand IP packet? or if switch can learn MAC or flood IP and MAC mapping info by broadcasting IP/UDP packet, why ARP is invented.