09-21-2021 06:10 PM
Hi. While administrating a newly provisioned Catalyst 1000 switch, I needed to find the MAC address of a host on the WiFi VLAN 20. So I tried the following:
SW01#show mac address-table dynamic vlan 20
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
It seemed strange that there was no output because I was connected to this VLAN. I pulled out my phone to check that it was connected, too. Next I dropped the dynamic filter and was able to find the desired MAC address:
SW01#show mac address-table vlan 20
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
  20    1cb1.7fe4.7434    STATIC      Gi1/0/3
  20    7440.bb7f.d88f    STATIC      Gi1/0/3
  20    b072.bff3.0f04    STATIC      Gi1/0/3
  20    b89a.2aea.ecd7    STATIC      Gi1/0/3
  20    c8ff.7700.77ed    STATIC      Gi1/0/3
  20    d8c4.6a91.cfde    STATIC      Gi1/0/3
Total Mac Addresses for this criterion: 26
Oddly, all of the MAC addresses off of Gi1/0/3 are STATIC. I have not manually defined these, so I would have expected DYNAMIC. (And indeed on my non-WIFI VLANs the host MAC addresses are marked as DYNAMIC.) Why are these MAC addresses being identified as STATIC? Is this the expected behavior?
Thank you.
09-21-2021 11:59 PM
Hello,
Odd indeed. Is that the same for wired clients?
09-22-2021 01:49 AM
Hi Georg,
The wired clients in other VLANs all show dynamic MAC addresses.
But as Peter indicated, it is probably due to "port-security maximum 30" on this interface.
(Not using sticky MAC learning though.)
I have not yet implemented this for the other interfaces.
Thanks.
09-21-2021 11:59 PM
Hello,
By any chance, did you activate port security on Gi1/0/3? All secure MAC addresses learned through port security (whether dynamic secure, static secure or sticky secure) will be marked as static in the MAC address table output unless you have also configured their aging.
If you haven't configured port security on Gi1/0/3, would you be so kind to share its configuration here? Maybe there is another feature there that causes the MAC addresses to be stored as static.
Best regards,
Peter
09-22-2021 01:45 AM
Hi Peter.
I do have port security enabled to limit the number of MAC addresses learned on the Gi1/0/3.
interface GigabitEthernet1/0/3
 description wifi access point
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 30
 switchport port-security violation restrict
 switchport port-security
end
Not an absolute maximum, but I want to know if / when it exceeds that number so that I can confirm if it is appropriate and make appropriate changes.
I had avoided manual MAC entry and sticky MACs, so I thought that the switch would consider incoming MACs as dynamic. I am not in a downtime window to shut down the port and remove the maximum at this time but will test it at a later time.
I had not yet implemented it on other ports so only noticed it on this interface.
Thank you.
09-22-2021 02:01 AM
Hello,
Ah, this explains it fully, then.
Even with dynamic secure MAC addresses, they are stored in the MAC address table as static. This is by design and this behavior is expected. The reason is that the dynamic secure MAC addresses do not expire the way the usual MAC addresses do, so from the viewpoint of the MAC address table management, they are static. Dynamic secure MAC addresses are forgotten
So - no worries. What you observed is fully expected.
Best regards,
Peter
09-22-2021 02:36 AM
Thank you Peter for the explanation.
Apparently my understanding was incomplete.
Much appreciated.
09-22-2021 06:13 AM
Hello,
You are very welcome. I knew about this "surprise" because I was caught off guard by it myself when I first discovered the behavior years ago. Then again, it makes sense. A dynamic secure MAC address is dynamic only to the Port Security mechanism itself, but to the MAC address table, it needs to behave as a static one that does not expire and does not move to another port because that's the whole point of a secure MAC.
Best regards,
Peter
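The behavior explained in this thread can be checked from saved switch output. The following is an added example, not code from the thread or from Cisco: it parses `show mac address-table` output and an interface configuration, labels each row by why it appears, and reports how many secure MACs each port-security port holds against its configured maximum. The sample text is constructed in the thread's format, the function names are hypothetical, and short port names are assumed to be the first two letters of the interface type.

```python
import re
from collections import Counter
# Constructed samples in the thread's format (the Gi1/0/1 row and stanza are invented).
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
 All    0180.c200.0000    STATIC      CPU
  20    1cb1.7fe4.7434    STATIC      Gi1/0/3
  20    7440.bb7f.d88f    STATIC      Gi1/0/3
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
"""
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/3
 switchport port-security maximum 30
 switchport port-security violation restrict
 switchport port-security
"""
ROW = re.compile(r"^\s*(All|\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header and rule lines are skipped."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def port_security_limits(config):
    """Map short port name -> maximum, for ports with port security enabled."""
    maxima, enabled, port = {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface ([A-Za-z]+)(\S+)$", line):
            port = m.group(1)[:2] + m.group(2)   # assumed: GigabitEthernet1/0/3 -> Gi1/0/3
        elif port and (m := re.match(r"switchport port-security maximum (\d+)$", line)):
            maxima[port] = int(m.group(1))
        elif port and line == "switchport port-security":
            enabled.add(port)                    # the bare command is what turns it on
    return {p: maxima.get(p, 1) for p in enabled}   # IOS default maximum is 1

def classify(entries, limits):
    """Label each row: system, secure, other-static or dynamic."""
    out = []
    for _, mac, typ, port in entries:
        static = typ.upper() == "STATIC"
        kind = ("system" if port == "CPU" else "dynamic" if not static
                else "secure" if port in limits else "other-static")
        out.append((port, mac, kind))
    return out

def secure_usage(entries, limits):
    """Per secured port: (secure MACs in the table, configured maximum)."""
    seen = Counter(p for p, _, k in classify(entries, limits) if k == "secure")
    return {p: (seen[p], mx) for p, mx in limits.items()}
```

A STATIC row on a port without port security comes out as `other-static`, which is the case where another feature or a manual entry needs to be looked for.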