Switch Port number and MAC Adx. Association

David_HX, Member, Posts: 37
After executing the:

SWITCH-A#show mac-address-table

command, the screen output will show a table with the full MAC Adx. and, on the same line, the Switch port on which the MAC address came in from an attached/previously attached device. ~OK

Now.......

If you wanted to see all MAC Addresses and their associated Port i.d.'s you would simply execute the "show mac-address-table" command.

But "what if" the Ports were listed, but the MAC addresses next to them were missing ?

Does that mean they have "max_aged" out ?

Or...........

Does that mean the particular ports in the MAC address table are actually associated with a "Secure-Port" configuration and you should also execute the:

SWITCH-A#show port-security address

(secure) mac-address-table command to get the same info. for the secure configured ports and add that to the previous (non-secure) MAC Address // Port table list ?

........OR

If the current MAC // Port associations have been 'dropped' because of a max_timeout of the port without activity (20 seconds)

what command could you enter which would "flood" *ALL* SWITCH-A Ports and perhaps refresh the MAC table with current MAC----Port associations ?

How could you manually refresh the entire MAC-Address-Table output to show the CURRENT Port // MAC adx. associations without having access to the actual device which is connected to each port ?

This is a practical scenario I came across in the lab, but the Switch I was using did not support the:

SWITCH-A #show port-security address

command. (1924//non-enterprise IOS)

I would appreciate it if someone with access to a 2950 (lucky guy/gal) could set this up and try it out.

Thanx, DvD

Comments

  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    How could you manually refresh the entire MAC-Address-Table output to show the CURRENT Port // MAC adx. associations without having access to the actual device which is connected to each port ?
    Well -- you could ping the subnet broadcast address and compare the arp table to the mac address table.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    The arp table would show which port would be associated with which switchport MAC Adx. ?
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    The arp table would show which port would be associated with which switchport MAC Adx. ?
    No, that's why you compare it to the mac address table -- to get the ports.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    but................

    That is the problem, when I execute the #show mac-address-table command, the switchports are there, but *some* of the MAC addresses to the left are blank for some of the ports. Not sure why.
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    but................

    That is the problem, when I execute the #show mac-address-table command, the switchports are there, but *some* of the MAC addresses to the left are blank for some of the ports. Not sure why.

    forgetting security..... and looking at just normal switch operation.... if there has been no traffic to/from the port, the entry will eventually age out.

    Hum... but the ping to the broadcast should cause any nic in normal operating mode to get refreshed.....

    We should just outsource this to someone with a switch handy....
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    I previously said: "This is a practical scenario I came across in the lab, but the Switch I was using did not support the:

    SWITCH-A #show port-security address

    command. (1924//non-enterprise IOS)

    I would appreciate it if someone with access to a 2950 (lucky guy/gal) could set this up and try it out."


    I agree, it's really weird........
  • David_HX, Member, Posts: 37
    I know this sounds like a rather fundamental ques.. but how long is the default max_age timeout. (20 seconds ?) for non-active Switch Ports which still have a workstation attached ?

    Is there a way to increase the max_age timer w/o making it a permanent MAC configured port ?
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    SWITCH-A #show port-security address
    the show port-security address just shows which mac can or have (if dynamic) been attached to the port.... and there can be multiple macs per port....

    The mac address table shows who's been active recently.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    I know this sounds like a rather fundamental ques.. but how long is the default max_age timeout. (20 seconds ?) for non-active Switch Ports which still have a workstation attached ?

    Is there a way to increase the max_age timer w/o making it a permanent MAC configured port ?
    the 20 second max age is for spanning tree..... but there are no BPDUs coming or going on the host port... so there is nothing to time out

    but for hosts attached.... are you talking about the amount of time the mac will stay in the switch CAM?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    I like your "Ping w/ Switch B'cast Adx." idea, will try when I get into a lab set-up, but only have 1900's to work with.
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    but only have 1900's to work with.

    What did you have to work with in the old 507 days - tin cans and string?

    I should get back to studying for my written exam...
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    but...........

    Since the #show port-security address

    command shows "secure port addresses",, would they *also* be listed from the "regular"

    #show mac-address-table

    command ?
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    but...........

    Since the #show port-security address

    command shows "secure port addresses",, would they *also* be listed from the "regular"

    #show mac-address-table

    command ?

    I can plug 20 machines into a port (if using security and dynamic and allowing 20 different mac address to be stored)..... and they will show up with show port-security.... but only one active mac will show up with the show mac-address-table.

    ... or the most recently active, if it hasn't timed out of the switch cam.

    Hum, if the link hasn't been lost, the mac could stay in cam..... if the link is lost, the switch could immediately update the cam..... can't remember if that's something I've forgotten... or something that might be, but we don't care about....
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    ha ha, funny, "I just a Po' folk" I guess..........

    Yes, I had 1900's then as well, but switching wasn't nearly covered or hammered to the depth that the -801 now requires. VLANS were hardly mentioned *then*, now they are foundational and fundamental (as they should be)
  • mikej412, Member, Posts: 10,090
    David_HX wrote:
    VLANS were hardly mentioned *then*, now they are foundational and fundamental (as they should be)

    I think the same with NAT -- used to be CCNP stuff I think, then migrated down to CCNA.....
    :mike: Cisco Certifications -- Collect the Entire Set!
  • David_HX, Member, Posts: 37
    mikej412 wrote:
    David_HX wrote:
    but...........

    Since the #show port-security address

    command shows "secure port addresses",, would they *also* be listed from the "regular"

    #show mac-address-table

    command ?

    I can plug 20 machines into a port (if using security and dynamic and allowing 20 different mac address to be stored)..... and they will show up with show port-security.... but only one active mac will show up with the show mac-address-table.

    ... or the most recently active, if it hasn't timed out of the switch cam.

    Hum, if the link hasn't been lost, the mac could stay in cam..... if the link is lost, the switch could immediately update the cam..... can't remember if that's something I've forgotten... or something that might be, but we don't care about....

    Thanx,
    This explanation helps a little. I think this info. and your previous suggestion should get me pointed in the right path. Now, back to the [email protected]@kz.........
  • David_HX, Member, Posts: 37
    mikej412 wrote:
    but for hosts attached.... are you talking about the amount of time the mac will stay in the switch CAM?

    Yes, the 'timer' I'm looking to increase the duration if possible.
  • lwwarner, Member, Posts: 147
    SW1#show mac-address-table aging-time 
    Vlan    Aging Time
    ----    ----------
      20     300
       1     300
    SW1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    SW1(config)#mac-address-table aging-time ?
      <0-0>         Enter 0 to disable aging
      <10-1000000>  Aging time in seconds
    
    --Bill
  • David_HX, Member, Posts: 37
    Excellent Bill..........

    Now I just hope this 'particular' switch IOS supports the command.

    Any ideas on how to 'stimulate' a switch to flood all Ports and attached hosts to re-populate the CAM ?

    DvD
  • lwwarner, Member, Posts: 147
    David_HX wrote:
    Now I just hope this 'particular' switch IOS supports the command.
    The switch above is running: IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
    Any ideas on how to 'stimulate' a switch to flood all Ports and attached hosts to re-populate the CAM ?
    Other than a broadcast ping as discussed above, not really. Just remember that you can only ping vlan1 from the switch.

    As far as the aging bit goes, IME when an address ages out of the mac-address-table the whole entry goes away. I also don't see any relationship to port-security, because the addresses for secure ports go into the table as static even if they were learned dynamically, so they never age and should remain in the table until you manually clear them or reload the switch.

    --Bill
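The "ping the subnet broadcast, then compare the ARP table to the MAC address table" method suggested in this thread, worked through as an added example that is not from any of the posters: the script joins constructed `show mac-address-table` and `show arp` output on the MAC column, so each answering host maps to a switchport, while hosts seen in ARP but missing from the CAM (aged out before the ping) and CAM entries that never answered the ping are reported separately. The MAC and IP values are constructed and the output layout is modelled on Cisco IOS.

```python
import re

# Constructed sample, modelled on Cisco IOS "show mac-address-table" output (not from the thread).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/1
   1    0011.2233.6677    STATIC      Fa0/2
   1    0011.2233.8899    DYNAMIC     Fa0/3
"""
# Constructed sample, modelled on "show arp" taken right after pinging the subnet broadcast.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0011.2233.0000  ARPA   Vlan1
Internet  192.168.1.10            0   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.20            0   0011.2233.6677  ARPA   Vlan1
Internet  192.168.1.30            0   0011.2233.aabb  ARPA   Vlan1
"""
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"          # IOS dotted-hex MAC format
MAC_RE = re.compile(r"^\s*\d+\s+" + MAC + r"\s+(\w+)\s+(\S+)", re.I)   # vlan, mac, type, port
ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+" + MAC, re.I)  # ip, age, mac

def parse_mac_table(text):
    """MAC -> (port, type). Type separates STATIC (e.g. port-security) from DYNAMIC entries."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m.group(1).lower()] = (m.group(3), m.group(2).upper())
    return table

def parse_arp(text):
    """MAC -> IP. Rows with age '-' are the switch's own SVI address and are skipped."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(2) != "-":
            arp[m.group(3).lower()] = m.group(1)
    return arp

def correlate(mac_text, arp_text):
    """Join on MAC: returns (ip -> (mac, port, type), hosts in ARP only, CAM entries with no ARP)."""
    macs, arp = parse_mac_table(mac_text), parse_arp(arp_text)
    matched = {ip: (mac,) + macs[mac] for mac, ip in arp.items() if mac in macs}
    arp_only = sorted((ip, mac) for mac, ip in arp.items() if mac not in macs)
    cam_only = sorted((mac, port) for mac, (port, _) in macs.items() if mac not in arp)
    return matched, arp_only, cam_only
```

A host in `arp_only` answered the broadcast but has no CAM entry in the capture, which is exactly the "port listed, MAC blank" symptom; re-running `show mac-address-table` immediately after the ping normally fills it in.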