3

Let's say switch A has 2 switches connected at port 2 & port 4. There are 8 ports in total. With time it learns the MAC addresses of the other devices connected to it. Now, the device on port 1 wants to send a data frame to a MAC address unknown to switch A.

Will switch A always flood, or will it optimize by forwarding only to port 2 & port 8, as it already knows that the devices connected on the other ports do not match the unknown MAC address?

1
  • Do not make the mistake of thinking that a switch interface will only have a single MAC address connected to it. If there is a hub or switch connected to the switch interface, there could be many MAC addresses in the MAC address table that are for that switch interface, and the table is dynamic, with MAC addresses aging out or being added all the time, so there is no way to know that a MAC address is not connected to any switch interface (except the one on which the frame arrived).
    – Ron Maupin
    Commented 22 hours ago

3 Answers

3

There's no way for a switch to know what is connected where, apart from the source MAC addresses it sees. A port with a single MAC could mean a single host, but also a switch with just one host and another one about to be attached. So no, it won't 'optimize' and will always flood unknown destination MACs to all ports.

A more advanced switch might have methods to know more about connected devices (xSTP, LLDP, CDP, ...), but even then it won't make any assumptions for flooding unknown MACs.

5
  • Aren't there switches with "security" features that will only accept a single MAC on ports configured for this (ports designated as end-user ports, basically)? Not sure it would affect forwarding unknown MACs to those ports, though.
    – jcaron
    Commented 5 hours ago
  • @jcaron Sure, but that's a whole different story (about ingress, not egress).
    – Zac67
    Commented 5 hours ago
  • 1
    Not quite related to the single-MAC ingress filtering feature I was thinking of, but some switches can be configured not to flood on selected ports: documentation.extremenetworks.com/switchengine_commands_32.3/… Cisco switches also have switchport block unicast|multicast cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/105x/…
    – jcaron
    Commented 5 hours ago
  • @jcaron I think the original question was more about a switch optimizing such traffic by some inherent logic and not by explicit configuration.
    – Zac67
    Commented 4 hours ago
  • Even if there's no second switch, the device connected to the port might be a server running multiple VMs with distinct MAC addresses. Authentication systems on the switch can also affect flooding if they move authenticated ports to another VLAN. (That may mean that you can't send traffic to an unauthenticated device before it sends something itself and triggers authentication.) But yes, that falls into the bucket of all the different ways things can be configured to be.
    – ilkkachu
    Commented 2 hours ago
2

Ethernet is not a point-to-point technology (even though it no longer uses shared media, as in 10base-2 and 10base-5). As such, without things beyond the 802.3 specs, it's not possible to know that a single port leads to only a single machine, or that a single machine will only operate with a single MAC -- virtualization means any machine can instantly become a bridge.

Things like port security - 802.1X, DHCP snooping, static ARP, etc. - could lead one to assume there are no unknown MACs, but that's a dangerous assumption. One could optimize flooding where there can't be more than one MAC, but what happens when the MAC on that port changes? You're assuming there will be an event to clear the learned MAC - port flap, logout, gratuitous ARP, etc.

(For the record, I wish CMTS vendors would make this a hard-to-disable default. Modems register with the network, and every client (CPE) uses DHCP to get an address. The CMTS knows everything connected to it, so ARP is unnecessary.)

2

As others have explained, a standard switch will flood all ports, as it has no way to be sure that there is only a single MAC behind a given port.

However some switches allow you to configure ports not to flood certain types of packets, for instance:

Note that these commands should be used with care, as they could lead to communication issues.

For instance, if the device connected to the port does not "talk" much, after a while its entry in the MAC forwarding table will expire, and traffic for that MAC will not be flooded to that port (even though it normally should), so there won't be any replies to learn the MAC again, ARP will break, etc. Things will start working again only when the device transmits a frame which will allow the switch to "learn" its MAC again.

There are also many other possible issues depending on what you block and on which ports, so this needs to be handled with care.

1
  • 2
    Beware - updating all remote switches requires a broadcast, so blocking unknown unicast flooding (or even broadcasts) requires a very thorough understanding of the network at hand and its mechanisms.
    – Zac67
    Commented 3 hours ago
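To make the behaviour discussed in the answers above concrete (unknown-unicast flooding regardless of how many MACs sit behind a port, and the aging problem that appears once flooding is blocked on a port), here is an added Python model of a learning switch. It is a constructed example, not code from any of the posters or from any vendor; the MAC addresses, port numbers and the 300-second aging time are made up.

```python
"""Constructed model of a learning switch: learn source MACs, forward known
unicast to one port, flood unknown unicast, optionally refuse to flood on
selected ports, and age out idle entries."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str  # source MAC (constructed values in demo())
    dst: str  # destination MAC


@dataclass
class LearningSwitch:
    ports: int
    aging_time: int = 300                          # seconds an idle entry survives
    no_flood_ports: set = field(default_factory=set)   # ports configured not to flood
    table: dict = field(default_factory=dict)      # mac -> (port, last_seen)

    def age(self, now):
        # Forget entries idle for longer than aging_time (the switch cannot know
        # whether the host is still there; it only knows it has been quiet).
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t <= self.aging_time}

    def receive(self, in_port, frame, now):
        """Return the set of egress ports for a frame arriving on in_port."""
        self.age(now)
        # Learn or refresh the source. A port may accumulate many MACs (hub,
        # downstream switch, hypervisor), so learning never proves exclusivity.
        self.table[frame.src] = (in_port, now)
        entry = self.table.get(frame.dst)
        if entry is not None:
            # Known destination: one egress port, never back out the ingress port.
            return set() if entry[0] == in_port else {entry[0]}
        # Unknown destination: flood everywhere except the ingress port and any
        # port an administrator has configured not to flood.
        return {p for p in range(1, self.ports + 1)
                if p != in_port and p not in self.no_flood_ports}


def demo():
    sw = LearningSwitch(ports=8, no_flood_ports={4})
    h1, h4, vm4, ghost = "02:00:00:00:00:01", "02:00:00:00:00:04", "02:00:00:00:00:44", "02:00:00:00:00:ff"
    r = {}
    r["unknown_flood"] = sw.receive(1, Frame(h1, ghost), now=0)   # flooded, port 4 excluded
    r["reply_learned"] = sw.receive(4, Frame(h4, h1), now=1)      # h4 learned on port 4
    r["vm_same_port"] = sw.receive(4, Frame(vm4, h1), now=2)      # second MAC behind port 4
    r["known_unicast"] = sw.receive(1, Frame(h1, h4), now=3)      # no-flood port still reachable
    r["macs_on_port4"] = {m for m, (p, _) in sw.table.items() if p == 4}
    # h4 stays quiet past the aging time: its entry is gone, the destination is
    # unknown again, and port 4 is excluded from flooding, so h4 is unreachable
    # until it transmits something itself (the failure mode described above).
    r["after_aging"] = sw.receive(1, Frame(h1, h4), now=400)
    return r
```

Running `demo()` shows the known-unicast frame going out port 4 alone at t=3 and, after the entry ages out, the same destination being flooded to every port except 4.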
