cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6019
Views
15
Helpful
12
Replies

Technical difference between Unknown Unicast and Broadcast CCNP

Hi,

I have been struggling with this question. This is the information I have so far:

The scenario:

PC1 -> 192.168.1.20  255.255.255.0

PC2 -> 192.168.1.25  255.255.255.0

SW1 ->  No MAC addresses learned  (new)


Case 1:

PC1 has the MAC address of PC2 recorded in the ARP table. So the ping has the L2DA (Destination Address) as 22:22:22:22:22:22 and the L3DA (IP Destination Address) as 192.168.1.25

As soon as the packet arrives to the Switch. What does the switch do?

a) Removes the L2 ethernet header from PC1 and builds up a new one with L2DA as: FF:FF:FF:FF:FF:FF, and sends the packet to every port but the port from which the packet was received?

b) Floods the packet (exactly as it arrived from PC1) to every port but the port from which the packet was received?   (It understand this because this link says: "When there is no entry corresponding to the frame's destination MAC address in the incoming VLAN, the (unicast) frame will be sent to all forwarding ports within the respective VLAN, which causes flooding."

It says the same UNICAST frame will be sent, so there is no FF:FF:FF:FF:FF:FF frame at this point. Am I right?

Case 2:

PC1 does not have the PC2's MAC Address in the ARP table. So an ARP will be sent out and it should be build like:

a) L2DA: FF:FF:FF:FF:FF:FF and L3DA: 192.168.1.25     ?

b) L2DA: FF:FF:FF:FF:FF:FF and L3DA: 192.168.1.255  (broadcast L3)     ?

Ok, at this point, the switch receives the ARP packet and (I guess) it makes the normal routine. Since the frame DOES have the FF:FF:FF:FF:FF:FF as a destination address, will the switch send it to every port? included the port from which the frame was received?

Now the big question, which one is the Unknown Unicast and which one the Broadcast?

I am pursuing the CCNP certification and I know this should be clear by now, I hope someone can clarify this.

Regards

Miguel

2 Accepted Solutions

Accepted Solutions

Philip D'Ath
VIP Alumni
VIP Alumni

Assuming case 1 is in the same subnet - the switch does not remove the layer 2 header or change it in anyway.

If the switch does not have the destination MAC address in its TCAM then it will flood the packet out every port in the same VLAN (except for the port it was received on).

In case 2 - this is a normal broadcast packet, so yes, the switch will flood it out every port except the port it was received on in the same VLAN.

View solution in original post

Yes, one ARP packet from PC1 will reach all other PC's on the subnet as it is broadcasted to 192.168.1.255. On reception of this packet, every node(machines) will process (Open the packet and check if it is intended for it). Once it realizes that that this is an ARP packet looking to resolve PC2's address, all other machines will drop the packet except PC2. Only PC2 will send an ARP reply back to PC1 which is unicast only to PC1.

I think you are getting confused with the IP destination address of the packet here.

I guess below breakdown makes it more easy for you.

ARP reply packet structure.

Data Link Layer

====

Source mac -- PC1's mac

Destination Mac -- FF:FF:FF:FF:FF:FF

IP Layer

======

Source IP -  Pc1's Ip address

Destination IP - 192.168.1.255

And the data field of this packet will contain the ARP packet inside which specifically mentions PC2's ip address. 

So once it reaches other machines in the subnet, they can understand if it is intended for it or not.

*** Hope this clarifies and please rate all posts if you find it useful ****

Madhu

View solution in original post

12 Replies 12

Philip D'Ath
VIP Alumni
VIP Alumni

Assuming case 1 is in the same subnet - the switch does not remove the layer 2 header or change it in anyway.

If the switch does not have the destination MAC address in its TCAM then it will flood the packet out every port in the same VLAN (except for the port it was received on).

In case 2 - this is a normal broadcast packet, so yes, the switch will flood it out every port except the port it was received on in the same VLAN.

Brothers.

THIS IS EXACTLY WHAT I WAS LOOKING FOR.

So in this situation what ive learned is:

Case 1

LAYER 2 HEADER:

SRC MAC

DST MAC (learned from ARP Cache on client side)

LAYER 3 HEADER:

SRC IP

DST IP

A Unicast frame gets to the switch and the switch (not the interface) see's the DST MAC and says "daymmmm, I don't have the MAC address in my table. I need to turn set the FLOOD BIT ON but before I do, let me take update my CAM table with the MAC of the device that just woke me up.

QUESTION


I did not know anything about a flood bit or it being a unicast until I read the above. Where does the flood bit get set to ON? In the frame/packet or somewhere else?

CASE B:

LAYER 2 Header

SRC MAC

DST MAC - FFFFFFFFFF

LAYER 3 HEADER

SRC IP 

DST IP - BROADCAST ADDRESS

LAYER 3 DATA - ARP PACKET/REQUEST

SRC MAC

DST MAC 000000000000

SRC IP 

DST IP

So at this point it is broadcast to all devices in same subnet/vlan except the port it came in on. When PC2 receives the frame, it looks at the frame and see's the DST MAC is FFFFFFFF.

Questions:

Does the endpoint device strip off the LAYER 2 Frame at this point?

Does the PC then read the LAYER 3 info and says this is destined for my subnet as it will see the broadcast address. It therefore checks off the data inside? I am guessing this Data or is the correct name payload (arp request) is within the Layer 3 packet?

Does the PC then see the ARP packet/request and see's that it saying "Yo are you IP X.X.X.X. If so, you need to tell me your MAC".

I am saying PC/Endpoint device is doing all this and NOT the interface on the switch the packet is sent out of?

I appreciate it if you can answer all that. 

Cheers

case 1: Flooding occurs within the switch.  The frame is not changed in anyway.

case 2: The endpoint will strip off bits of the packets as it moves up the stack.  Initially the layer 2 frame is removed, and then further up the stack the layer 3 frame will be removed, and the data from the packet will be given to the application.

Jon Marshall
Hall of Fame
Hall of Fame

Edited

Hello Miguel,

For case 1.

Answer is B. The switch does not change the mac, however its sets  a flood bit ON and sends it out to all ports except the port it received.

For case 2.

Answer is B. And as you said, it makes the normal routine after that.

Now the big question, which one is the Unknown Unicast and which one the Broadcast?

  ** The answer is Case 1 B. 

Hope this clears your question and rate this post if you find it useful.

Thanks

Madhu

Now the big question, which one is the Unknown Unicast and which one the Broadcast?

  ** The answer is Case 1 B is unicast flooding and Case 2 B is broadcast

Thanks,
Madhu

Great, I get this now. 

About the Case 2, does the PC1 really sets the Destination IP Address as a broadcast as well? (192.168.1.255). 

If this is true, then just with one ARP packet sent from PC1 to PC2 every other computer in the same network (assuming there are more) will reply as well with their MAC address, right?

I think of this because 192.168.1.255 is a L3 packet that will be processed by everyone. 

Thanks,

Miguel

Hello,

Honestly I think is just a little bit more complicated than that. There is no IP packet or something like an IP packet perse.

The ARP header *Request* gets added targeting the exact IP host address of the destination, not a broadcast address or something like that.

I hope I am not creating any confusion here.

Regards.

JC

Yes, one ARP packet from PC1 will reach all other PC's on the subnet as it is broadcasted to 192.168.1.255. On reception of this packet, every node(machines) will process (Open the packet and check if it is intended for it). Once it realizes that that this is an ARP packet looking to resolve PC2's address, all other machines will drop the packet except PC2. Only PC2 will send an ARP reply back to PC1 which is unicast only to PC1.

I think you are getting confused with the IP destination address of the packet here.

I guess below breakdown makes it more easy for you.

ARP reply packet structure.

Data Link Layer

====

Source mac -- PC1's mac

Destination Mac -- FF:FF:FF:FF:FF:FF

IP Layer

======

Source IP -  Pc1's Ip address

Destination IP - 192.168.1.255

And the data field of this packet will contain the ARP packet inside which specifically mentions PC2's ip address. 

So once it reaches other machines in the subnet, they can understand if it is intended for it or not.

*** Hope this clarifies and please rate all posts if you find it useful ****

Madhu

ARP request is never sent to Broadcast IP, but to the exact destination IP and only the dstMAC is set to broadcast - all FF

This is also visible in Wireshark capture:

ARP request:

SRC IP: 10.133.0.79
SRC MAC: 9c:4e:36:d5:0d:d4
DST IP: 10.133.0.1
DST MAC: ff:ff:ff:ff:ff:ff

Capture.PNG

 

 

 

CiscoSkills
Level 1
Level 1

First of all, the frame forwarding is layer 2. Therefore, it only happens within the same VLAN. There is no IP packet involved. In another word, the switch (if it is layer 3 switch) does not check the IP address.

 

Case 1: The sending host knows the destination MAC address. 

1. The sending host constructs an unicast frame and forwards it to the switch.

2. When the frame gets to the switch, the switch reads the destination MAC address

3. The switch searches the destination MAC address in its MAC address table but not found --> To the switch, the frame is unknown unicast frame.

4. The switch forwards the unknown unicast frame constructed by the sending host in step 1 to all of the active ports in the same VLAN except the port that the frame comes from.

5. The destination host will process the frame since it sees its MAC address as the destination MAC address in the frame. 

 

Detail: https://www.youtube.com/watch?v=paKw3cIk2eU&t=8s

 

Case 2: The sending host does not know the destination MAC address. 

1. The sending host constructs an ARP broadcast frame and forwards it to the switch.

2. When the frame gets to the switch, the switch reads the destination MAC address and see it is a broadcast frame.

4. The switch forwards the broadcast frame constructed by the sending host in step 1 to all of the active ports in the same VLAN except the port that the frame comes from.

5. The destination host will process the frame after it see its IP address in the ARP request message encapsulated inside the Ethernet frame.

6. The destination host will response with the  ARP reply message containing its MAC address.

Detail: https://www.youtube.com/watch?v=aHDXRSUZOi0

Pass your Cisco CCNA and CCNP with real practical knowledge!
Pass your Cisco CCNA and CCNP with real practical knowledge!
Review Cisco Networking for a $25 gift card