What up dorks?

So the first topic is one I’m actually already quite strong with due to my day to day mostly being switch administration and maintenance. Hopefully the majority of topic 1.1 on the syllabus ‘switch administration’ should come quite easily to me, but let’s plough through it anyway.

So to start off, what is a MAC address? I’m guessing if you’re looking to pursue the CCIE, then you already know this, but just to be sure 😉

Wikipedia defines the media access control (MAC) address as a unique identifier assigned to a network interface controller (NIC) in a network. I personally like to think of the MAC address as the physical/hardware address of something, as opposed to an IP address which is more of a logical address.

MAC addresses are 48-bit addresses written in hexadecimal and split across 6 octets. An example MAC address could be 0a:1b:2c:3d:4e:5f. As I’m sure we already know, each hex digit makes up 4 bits in binary, so 2 hex digits form an octet. The MAC address is split into 2 distinct parts: the first 3 octets (0a:1b:2c in the example above) make up the organisationally unique identifier (OUI). This is the part of the MAC address that is the same on kit from a specific manufacturer. The larger manufacturers such as Cisco have lots of different OUIs, but it’s a way of identifying the manufacturer of something purely by knowing its MAC address. This can be handy if you spot something on the network that you’re not sure of: you can enter the MAC address into a MAC finder website (the one I tend to use is macvendors.com) and it will tell you the manufacturer. This can often point you in the right direction of what you’re looking for or what the device might be. The second half of the MAC address is unique to the specific device, and it’s the manufacturer’s job to ensure that this half is unique.

Although it’s known as the MAC address table, these addresses are actually stored in something called the CAM (content addressable memory) table. It uses a special form of high speed RAM, much faster than PC RAM, to return search results lightning fast. Switches are built with a large amount of CAM.

The MAC address plays a very important role in networking. Although known as the physical address, the MAC address is often thought to be Layer 2 of the OSI stack (which is why it’s sometimes referred to as the L2 address), and they are a way of devices uniquely identifying each other on the network. There is a lot more I could go into here with regards to the differences between L1 hubs and L2 switches, as well as broadcast and collision domains with CSMA/CD, but I’m sure if you’re reading this you’re already familiar with the CCNA stuff.

When packets move across a network, they include the L2 source address as well as the L2 destination address. In the case of the destination address, unless the packet is destined for a device on the same broadcast domain, the L2 destination address may not be the target device, but could just be the next hop of the journey to it. For example, a device sending a packet to the internet would not know the destination MAC address of a Google search server, but it would know the MAC address of the default gateway that will know how to route the traffic there. Therefore that becomes its destination L2 address.

SO. What is a MAC address table and where do they exist? A MAC address table exists in anything capable of L2 switching. When a device is plugged into an L2 switch and it begins to send traffic, the switch identifies the source MAC address of the packet that it has received on this port. It therefore now knows the physical address of the device connected to that specific port. So it makes a little note of it for later just in case anybody wants to send some traffic there. It does this for every device plugged into all its ports, until it knows the physical address of all its ‘tenants.’ This is what makes switches so much more efficient than hubs. Switches can send traffic directly to the destination rather than flooding it out of every port (although there are times it may still do this).

The below is a very simple topology configured on GNS3 comprising a switch with 4 hosts connected to it, all on a single broadcast domain.

Once all the above PCs have generated some form of traffic, the switch examines the source addresses of the packets and adds them into its MAC address table as shown in the below clip:

As you can see, the MAC address table shows more than just MAC addresses and the port to which each belongs; it also shows the VLAN the port belongs to, as well as whether the MAC address was dynamically (automatically) discovered or whether it was a static entry. (Rather annoyingly, you’ll see that Cisco IOS stores MAC addresses as three 16-bit segments, rather than the standard six 8-bit segments. Bear this in mind as this is how you’ll be expected to enter them too!) As the title of this topic is “managing MAC address tables” I’m pretty sure they’re going to want us to know how to statically assign a MAC address. So let’s do it:

Switch(config)#mac address-table static mac_address vlan vlan_id { drop | interface {type slot/port} | port-channel number } [auto-learn]

So let’s discuss the syntax here and go through a few different examples. (Also, just to be sure you’re all aware of the help function of IOS: even if you’re the most experienced IOS engineer, it’s something that I use very often to determine the available options. Just hit the ? after the beginning of a command.)

Switch(config)#mac address-table static 0a1b.2c3d.4e5f vlan 1 interface Gi 2/1 – this command statically assigns MAC address 0a:1b:2c:3d:4e:5f to gigabit ethernet port 2/1 in VLAN 1. Other options available via the help command are adding the static entry as a port-channel (etherchannel) rather than an individual port, the keyword DROP to drop all traffic received from and destined to the configured MAC address, and the keyword AUTO-LEARN, which allows the switch to automatically update the MAC address should it be seen on a different port.

So why, if the switch automatically learns the MAC addresses, would we ever want to manually add one? The short answer, and probably the most relevant today, would be SECURITY. It is very easy nowadays with the correct tools to flood the MAC address table of a switch with false dynamic entries in what’s called an ARP spoofing/poisoning attack. This allows an attacker to overflow the MAC address table so that they can inject entries into it that forward traffic to malicious parties.
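As an added example (not from the original post), the Python below parses a table in the IOS three-group format discussed earlier, converts each address to six octets with its vendor prefix, and flags ports holding more dynamic entries than expected, which is how a flood of false entries shows up in the table. The sample output and the threshold of 2 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `show mac address-table` output.
SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0a1b.2c3d.4e5f    STATIC      Gi2/1
   1    0050.7966.6800    DYNAMIC     Gi0/0
   1    0050.7966.6801    DYNAMIC     Gi0/1
   1    02aa.0000.0001    DYNAMIC     Gi0/3
   1    02aa.0000.0002    DYNAMIC     Gi0/3
   1    02aa.0000.0003    DYNAMIC     Gi0/3
   1    02aa.0000.0004    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 7
"""

ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def to_octets(cisco_mac):
    """Convert 0a1b.2c3d.4e5f (three 16-bit groups) to 0a:1b:2c:3d:4e:5f."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_table(text):
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators and the summary line
        vlan, mac, kind, port = m.groups()
        mac = to_octets(mac)
        entries.append({
            "vlan": int(vlan), "mac": mac, "oui": mac[:8],
            "type": kind.upper(), "port": port,
            # Bit 0x02 of the first octet marks a locally administered
            # address: its first three octets are not a registered OUI.
            "local_admin": bool(int(mac[:2], 16) & 0x02)})
    return entries

def suspicious_ports(entries, max_dynamic=2):
    """Return {port: count} for ports with more dynamic MACs than expected."""
    per_port = defaultdict(set)
    for e in entries:
        if e["type"] == "DYNAMIC":
            per_port[e["port"]].add(e["mac"])
    return {p: len(m) for p, m in per_port.items() if len(m) > max_dynamic}

if __name__ == "__main__":
    print(suspicious_ports(parse_table(SAMPLE)))
```

Uplinks and trunk ports legitimately carry many addresses, so the threshold only makes sense on access ports.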

Now we’ve discussed adding static entries and the switch dynamically learning addresses, let’s discuss the remaining commands associated with managing the MAC address table. So once a switch dynamically learns an address, how long does that address stay in the table if the device is no longer plugged in/stops sending traffic? The default time is 300 seconds (5 minutes) until that entry is purged from the table. This can be changed by using the aging-time command within the range of 0-10000 seconds. If the aging time is set to 0, then the entry never purges. This command can be run on a global basis, or on a per VLAN basis. The MAC addresses can also be manually cleared using the clear mac address-table address | interface | vlan command.
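The learning, static-entry and aging behaviour described above can be modelled in a few lines. This is an added, simplified example rather than how IOS implements it: the class and method names are hypothetical, time is passed in as plain seconds, and a static entry is assumed to stay pinned to its port (no auto-learn).

```python
class MacTable:
    """Toy model of a switch MAC address table (illustrative only)."""

    def __init__(self, aging_time=300):
        self.aging_time = aging_time  # seconds; 0 = dynamic entries never purge
        self.entries = {}             # (vlan, mac) -> {"port", "type", "last_seen"}

    def add_static(self, mac, vlan, port):
        self.entries[(vlan, mac)] = {
            "port": port, "type": "STATIC", "last_seen": None}

    def learn(self, src_mac, vlan, port, now):
        """Record the source address of a frame received on `port`."""
        cur = self.entries.get((vlan, src_mac))
        if cur and cur["type"] == "STATIC":
            return  # a static entry is not overwritten by dynamic learning
        self.entries[(vlan, src_mac)] = {
            "port": port, "type": "DYNAMIC", "last_seen": now}

    def age_out(self, now):
        """Purge dynamic entries not refreshed within aging_time."""
        if self.aging_time == 0:
            return []
        expired = [key for key, e in self.entries.items()
                   if e["type"] == "DYNAMIC"
                   and now - e["last_seen"] >= self.aging_time]
        for key in expired:
            del self.entries[key]
        return expired

    def forward(self, dst_mac, vlan, in_port, all_ports, now):
        """Return the list of ports a frame for dst_mac is sent out of."""
        self.age_out(now)
        entry = self.entries.get((vlan, dst_mac))
        if entry is None:
            # Unknown destination: flood out of every port except the ingress.
            return sorted(p for p in all_ports if p != in_port)
        if entry["port"] == in_port:
            return []  # destination sits on the ingress port; nothing to send
        return [entry["port"]]

if __name__ == "__main__":
    ports = ["Gi0/0", "Gi0/1", "Gi0/2", "Gi0/3"]
    table = MacTable(aging_time=300)
    table.learn("0050.7966.6800", 1, "Gi0/0", now=0)
    print(table.forward("0050.7966.6801", 1, "Gi0/0", ports, now=1))  # flooded
    table.learn("0050.7966.6801", 1, "Gi0/1", now=2)
    print(table.forward("0050.7966.6801", 1, "Gi0/0", ports, now=3))  # one port
```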

The final thing to consider is searching the MAC address table for a specific entry. Entries can be searched for based on several different parameters, the most common being by MAC address, by interface, or by VLAN.

That was the first SMALL topic of this syllabus, and we’ve skipped over a lot of the basics. This is going to be a loooong journey.

Jack x