[c-nsp] What is The Best Configuration per Interface (CatalystSwitch 3500)?
Adrian Pirciu
adrian.pirciu at rdsnet.ro
Tue Nov 2 02:25:25 EST 2004
On Sunday 31 October 2004 07:44, Alexandra Alvarado wrote:
> Hello,
>
> I tried to set up a static mac address on the Catalyst 3550 like this:
>
> mac address-table static 0007.50b7.3576 vlan 1 interface fastethernet 0/1
>
> but I got this error:
>
> switch1ops(config)#$mac address-table static 0007.50b7.3576 vlan 1 interface fastethernet 0/6
> Static address : 0007.50b7.3576 could not be added as it is already a secure address on Fa0/6
>
> I think because I have the following config on the interface fastethernet
> 0/6:
>
> switchport port-security
> switchport port-security maximum 2
> switchport port-security violation restrict
> switchport port-security mac-address 0007.50b7.3576
> switchport port-security mac-address 0040.f446.147b
>
> Then, to verify that the error message was for the port-security
> commands, I executed on the interface:
>
> no switchport port-security mac-address 0007.50b7.3576
> no switchport port-security mac-address 0040.f446.147b
> shutdown
>
> Then, I configured the mac address in a static way like this:
>
> mac address-table static 0007.50b7.3576 vlan 1 interface fastethernet 0/6
>
> And it works:
>
> switch1ops#show mac-address-table interface fastEthernet 0/6
> Mac Address Table
> -------------------------------------------
>
> Vlan Mac Address Type Ports
> ---- ----------- -------- -----
> 1 0007.50b7.3576 STATIC Fa0/6
> 1 0040.f446.147b STATIC Fa0/6
> Total Mac Addresses for this criterion: 2
> switch1ops#
>
> But, when I recovered the port-security config on the interface:
>
> switchport port-security mac-address 0007.50b7.3576
> switchport port-security mac-address 0040.f446.147b
>
> I lost the static state and returned to the dynamic state for those mac
> addresses:
>
> switch1ops#show mac-address-table interface fastEthernet 0/6
> Mac Address Table
> -------------------------------------------
>
> Vlan Mac Address Type Ports
> ---- ----------- -------- -----
> 1 0007.50b7.3576 DYNAMIC Fa0/6
> 1 0040.f446.147b DYNAMIC Fa0/6
> Total Mac Addresses for this criterion: 2
> switch1ops#
I think that the macs added through port-security are not static mac
addresses (they do not appear as such in the mac address table). A
static mac is added on a port to make the traffic for the specific mac
be forwarded out that port. The addresses added through port-security
do not change the way the switch forwards packets to the port (in the
sense that if one of the 2 hosts is not "active", the mac would not
appear in the mac address table, as if it was not learned in the first
place). There are of course ways to set secure mac addresses that will
be inserted in the mac address table, like static addresses (with some
differences of course).
Just my 2 cents..
(p.s. check out below for switchport block unicast)
>
>
> WHY??????????
>
>
> Thanks,
>
> Alexandra Alvarado
>
> ----- Original Message -----
> From: "Andrew Metcalf" <andrew.metcalf at natnet.com>
> To: "'Alexandra Alvarado'" <aaaa at telconet.net>
> Sent: Saturday, October 30, 2004 1:47 PM
> Subject: RE: [c-nsp] What is The Best Configuration per Interface
> (CatalystSwitch 3500)?
>
> > Alexandra,
> >
> > I have not used the switchport block unicast/multicast command
> > before, but I would think that it would break connections where you
> > do not have statically defined entries in the switch's CAM because
> > there would be no way of the normal port flooding method to work for
> > creating a dynamic CAM entry for a MAC/Port. Further, if the MAC
> > entry for the root bridge aged out of the CAM and was not able to
> > re-populate you could have some real issues, although I wouldn't
> > think that would be the case here because the root is hopefully on
> > the backbone network.
> >
> > Hope that helps somewhat, like I said, I've never used that
> > particular configuration option.
> >
> > Thanks,
> > Andrew
Normally, through a switch port, there are 3 kinds of traffic that are
forwarded (I didn't take into account the vlan separation in the
switch):
- ethernet broadcast packets (dest mac ff:ff:ff:ff:ff:ff)
- traffic for the mac addresses learned on the port
- traffic with dest. mac addresses unknown to the switch, which is
flooded to all ports but the one where the packets entered.
When one uses "switchport block unicast", the third type on the list,
the so called "unknown unicast" traffic, is not forwarded to the
specific port, so the only traffic exiting the port will be the
broadcast (ff...) or the packets that have as destination mac one of
the mac addresses learned on the port.
A problem arises when a host connected somehow to that port does not
send any traffic for more than $mac_address_aging_time (usually 5 min):
the mac will be erased from the mac address table, and the traffic will
not be forwarded to the port (due to the blocking of unknown unicast)
until a packet is received again and the mac is relearned. This setting
should mostly be used on ports with hosts connected, not on a "core" port.
In most cases there will be no problems, since all operating
systems (programs, daemons, servers) send packets, and one of these
packets is enough to make the mac address of the host be added to the
table on the switch, and the probability of a "normal" host not sending
packets for 5 minutes (especially if it is Windows :) ) is very very
small.
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexandra
> > Alvarado Sent: Saturday, October 30, 2004 9:56 AM
> > To: cisco-nsp at puck.nether.net; Alexandra Alvarado
> > Subject: [c-nsp] What is The Best Configuration per Interface
> > (CatalystSwitch 3500)?
> >
> > Hello,
> >
> > We are looking for the best possible configuration for a catalyst
> > 3550 switch per interface. Until now we have two types of configuration:
> >
> > Backbone Example
> > -----------------------------
> >
> > interface FastEthernet0/1
> > description Backbone
> > switchport trunk encapsulation dot1q
> > switchport mode trunk
> > switchport nonegotiate
> > ip access-group 135 in
> > storm-control broadcast level 5.00
> > storm-control multicast level 5.00
> > no cdp enable
> > arp timeout 1800
> > spanning-tree mst 0 cost 200
> > spanning-tree mst 1 cost 200
> > !
> >
> > Client Interface Example
> > -------------------------------------
> >
> > interface FastEthernet0/7
> > description Client
> > switchport access vlan 139
> > switchport mode access
> > switchport nonegotiate
> > ip access-group 135 in
> > storm-control broadcast level 5.00
> > storm-control multicast level 5.00
> > no cdp enable
> > arp timeout 1800
> > spanning-tree portfast trunk
> > spanning-tree bpduguard enable
> > spanning-tree guard root
> >
> > We have been trying to put two new commands on the "client
> > interface":
> >
> > switchport block unicast
> > switchport block multicast
> >
> > But clients experienced micro down times (2 minutes).
> >
> > Today was a terrible day. All the network went down for 3 hours.
> > Initially I supposed it was a mstp loop, but it wasn't, because I
> > opened the physical loops and we still had the problem. Afterwards,
> > in the MRTG web page, I saw a client with high input traffic, and
> > after that I saw in all switches the same traffic but in the other
> > sense, "output".
> > The problem was a hub or switch of one of my clients. How can I
> > avoid that a client problem causes my network to go down too?
> >
> > Can somebody recommend to me the best way to configure a switch
> > interface to avoid down times?
> >
> >
> > Thanks.
> >
> >
> > Alexandra Alvarado
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
--
------------------------------------------------------------------------
Adrian Pirciu
Network Engineer