11-06-2013 02:59 AM - edited 03-07-2019 04:27 PM
Will all the MAC entries for a port get cleared once it goes down?
Example:
Assume that the Fa0/1 port has 5 MAC addresses that can be reached through it. So when there is a physical link failure on Fa0/1, or else I have given a shutdown command on Fa0/1, will the entries get flushed from the Fa0/1 port?
Don't mind if it looks like a silly question !!!
Thanks in advance.
Regards,
Chandu
11-06-2013 03:03 AM
Hi Chandu,
As soon as a switchport goes down, all MAC addresses learned on that port are flushed. Otherwise, the switch would be trying to forward the frames out an inoperable port, causing them to get lost.
Best regards,
Peter
11-06-2013 03:10 AM
@Peter:
I am not sure, but if you statically assign the MAC address to the ports, then I think it will not flush even after the shut.
Dynamically learned MAC: Cisco switches automatically purge a MAC address from their tables if that MAC address isn't contacted within a certain period of time.
Regards
11-06-2013 03:14 AM
Sandeep,
You are absolutely correct; static MAC entries do not expire and do not get flushed even if the port is down. I did not want to confuse things, however; static MAC address entries are rarely used.
Best regards,
Peter
11-06-2013 03:19 AM
Thanks both for the info.
Can you please let me know the cases where static MACs are used?
Regards,
Chandu
11-06-2013 03:42 AM
Hi Chandrakanth,
config mode:
conf t
 interface xxx
  ! port security only applies to an access port and must be enabled explicitly
  switchport mode access
  switchport port-security
  ! allow at most 5 addresses on this port; all 5 are pinned statically below
  switchport port-security maximum 5
  switchport port-security mac-address 4083.de08.7bb1
  switchport port-security mac-address 4083.de09.0de2
  switchport port-security mac-address 4083.de08.7bb3
  switchport port-security mac-address 4083.de09.0de4
  switchport port-security mac-address 4083.de09.0de5
 end
This is the way to assign the MAC addresses to a port.
Regards
11-06-2013 03:44 AM
Hi Sandeep,
Thanks for the steps, but I didn't understand when to assign them and why.
I just know that static entries are used for port-security purposes, for prohibiting unauthorized access. But is that the only reason, or do we have any more reasons to use static MACs?
11-06-2013 03:52 AM
Hi Chandrakanth,
A static MAC address is one that has been manually input (typed via a command) into the CAM or MAC address table.
A dynamic MAC address is one that has been learned via an arp request.
The type of secure MAC address that is configured depends on the intended end result. Static secure MAC addresses are typically used when the MAC addresses used are known and do not change often. For example, if a single host is always connected to the same switchport.
Dynamic secure MAC addresses are typically used when the host(s) connecting to a specific switchport is constantly changing, and the intention is to limit the port to only be used by a specific number of hosts at once. For example, a switchport can be configured to only allow a single MAC address to be learned at a time and not permit hosts other than the one initially learned; the only way to change the host that connects to the switchport is to disable switchport security and reenable it, to delete the learned MAC address from the table directly, or to wait for the port-security aging time to expire if configured.
Sticky secure MAC addresses are a bit of a combination between the two prior secure MAC address types; not only are addresses able to be statically-configured but they can also be dynamically learned. The key difference here is that dynamically-learned addresses are automatically put into the running-configuration; if the engineer wants these addresses to be saved on device reboot, the option is available to save the running-configuration into the startup configuration, thus effectively making these addresses static.
Regards
Hope it helps.
11-06-2013 03:59 AM
Hi Sandeep,
A dynamic MAC address is one that has been learned via an arp request.
Uh-oh, I am afraid you are making the common mistake of confusing the ARP table with the MAC address table. Switches by definition use MAC tables, mapping connected stations to ports. ARP tables map MAC addresses to IP addresses, and they are not used in pure Layer2 switching. A dynamic MAC address is one that has been learned simply by looking at the source MAC address of an incoming frame.
Also, we have to be careful about static MAC addresses and static secure MAC addresses. Static MAC addresses are those configured by the mac address-table static command and are similar to static routes in routers. There is no security connotation to them. Static secure MAC addresses are a particular feature of Port Security, and while related to static MAC addresses (they use them internally), they are a somewhat different concept.
Best regards,
Peter
11-06-2013 04:48 AM
Hi Peter,
Thanks for such a nice explanation.
You are right, but as per my knowledge I wrote this because:
A dynamic MAC address is one that has been learned via an arp request.
They could also be learned via ARP replies and also by other types of traffic...
For example if a switch learns the MAC address from another device then it has dynamically sourced the MAC address.
Say Computer A is connected to Switch-1, and Switch-1 is connected to Switch-2.
Now if you issue the command "#sh mac-address-table" in Switch-2, it will have learned Computer A's MAC address dynamically from Switch-1.
Regards
Sandeep
11-06-2013 05:23 AM
Hi Sandeep,
Say Computer A is connected to Switch-1, and Switch-1 is connected to Switch-2.
Now if you issue the command "#sh mac-address-table" in Switch-2, it will have learned Computer A's MAC address dynamically from Switch-1.
Well, Switch-2 will learn the MAC address of Computer A only if a frame from Computer A ever arrives at Switch-2. Switch-2 alone has absolutely no way of asking either Computer A or Switch-1 about the MAC addresses. Mentioning ARP in the context of Layer2 switching is especially dangerous because it appears to be closely related, while in reality Layer2 switching is absolutely independent of ARP and does not use it at all. After all, IPv6 does not use ARP either, and yet Layer2 switches do not care.
Best regards,
Peter
11-06-2013 05:30 AM
Hi Peter ,
I got your point :)
You are Right :)
+5 from my side.
Regards
Sent from Cisco Technical Support iPhone App
11-06-2013 03:56 AM
Chandu,
The need for static MAC addresses is rather small.
In some cases, you have a station that seldom, if ever, sends frames. In that case, it is almost certain that the switches will not learn its MAC address, and will flood the frames for that station throughout the network. If you want to prevent this, you can set up the MAC addresses statically.
In other cases, configuring a static MAC prevents it from ever being learned on a different interface. It is a way of saying "the station is either connected to this port or it is not going to receive frames at all", forcing the station to be connected to a predefined port.
Static MAC addresses can also be used as a crude form of traffic filtering - the mac address-table static command has a drop action for a MAC address, causing the traffic for it to be immediately dropped.
When using port-security, static secure MAC addresses are also static in the usual sense, so port-security depends on the concept of static addresses.
But to be honest, I never needed to configure a static MAC address entry myself so far.
Best regards,
Peter
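An added example, not part of the thread and not Cisco code: a toy model of one switch's MAC address table that reproduces the behaviours Peter describes here and in his first reply: dynamic entries are flushed when the port goes down, static entries survive, learning uses only the frame's source MAC (no ARP), and a static "drop" entry discards traffic for that address. It assumes a single VLAN, the IOS default dynamic aging time of 300 seconds, and models the drop action as a static entry with no port.

```python
AGING_TIME = 300  # seconds; IOS default aging time for dynamically learned entries


class MacTable:
    """Toy model of one switch's MAC address table (single VLAN)."""

    def __init__(self, ports):
        # mac -> {"port": str or None, "static": bool, "age": int}; port None models "drop"
        self.entries = {}
        self.link_up = dict.fromkeys(ports, True)

    def add_static(self, mac, port):
        """Like 'mac address-table static <mac> vlan <n> interface <port>' (port=None: '... drop')."""
        self.entries[mac] = {"port": port, "static": True, "age": 0}

    def receive(self, in_port, src, dst):
        """Handle a frame: learn src from its source MAC (no ARP involved), return egress ports."""
        if not self.link_up[in_port]:
            raise ValueError(f"{in_port} is down")
        cur = self.entries.get(src)
        if cur is None or not cur["static"]:
            # dynamic learning / refresh; a static entry is never relearned on another port
            self.entries[src] = {"port": in_port, "static": False, "age": 0}
        hit = self.entries.get(dst)
        if hit is None:
            # unknown destination: flood out every other port that is up
            return sorted(p for p, up in self.link_up.items() if up and p != in_port)
        if hit["port"] is None:
            return []  # static drop entry: the frame is discarded
        return [] if hit["port"] == in_port else [hit["port"]]

    def set_link(self, port, up):
        """Link up/down (cable pull or 'shutdown'); a down port loses its dynamic entries only."""
        self.link_up[port] = up
        if not up:
            self.entries = {m: e for m, e in self.entries.items()
                            if e["static"] or e["port"] != port}

    def age(self, seconds):
        """Advance the clock; dynamic entries idle for AGING_TIME or more are purged."""
        for e in self.entries.values():
            if not e["static"]:
                e["age"] += seconds
        self.entries = {m: e for m, e in self.entries.items()
                        if e["static"] or e["age"] < AGING_TIME}

    def port_of(self, mac):
        """Port the table currently maps mac to; None if unknown (or a drop entry)."""
        e = self.entries.get(mac)
        return None if e is None else e["port"]
```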
11-06-2013 04:31 AM
Thanks Peter for the more elaborated information.