IEEE 802.1 MAC address learning


A single LAN, in the original sense, supported multiple stations (PCs, printers, servers) communicating directly with each other. In practice today a LAN usually carries only one end station together with its switch port. A LAN can also be the link connecting two ports on separate switches. That is the accurate definition, although the term is commonly used more loosely.

A common question is: "What is the difference between a bridge and a switch?" One answer sometimes given is that, while bridge is the technical term, vendors call them switches for marketing purposes. This is not exactly correct, and as an explanation it is close to a tautology, so not much help.

However, the main function of a bridge is to relay or filter frames between ports. So the best description of a bridge is a network component that relays or filters frames, among other related functions. But relay between what? Between bridge ports: this relay function is what the standard specifies in Clause 8. So a bridge is the connecting function between two ports. The term "switch" does not occur in the standard; a Layer 2 switch is simply a vendor implementation of multiple bridged ports.

If you have a PC attached to a port on an access switch, and a server attached to a port on a core switch in the datacentre, then by this definition there are several LANs between them: the PC with its access-switch port, each link between two switch ports, and the server with its core-switch port. Since there is normally only one end station and one switch port on a LAN, what does "virtual LAN" mean? It is a strange definition. There is no entity defined as the set of all such access points; instead, a VLAN is a subset of the ports in a Virtual Bridged Network. This is the way we use the term, but it is not the literal meaning of "virtual LAN". The principal element of bridge operation is to relay, or to filter (that is, not relay), frames.

The basic architecture of IEEE 802 networks is a distributed one: there is no overall controller. No configuration of a bridge is required to enable it to operate on the network, and the bridge is transparent to the end stations. A bridge operates successfully without configuration because it follows a set of protocols that are automatically compatible with other bridges doing the same. So how does a switch know where to send a frame? There is no route, and no addressing scheme, to use. A MAC address is not really an address in the sense of a location: it is like having a unique social security number but no postal address.

When an end station transmits a frame, it includes in the frame the source MAC address (its own) and the destination MAC address, which it discovered by another process (ARP, in the case of IPv4). It has no idea of where the destination is or how to reach it; it simply drops the frame onto the LAN. A bridge port attached to the LAN listens to all the frames. When a station transmits a frame to another station on the same LAN, the bridge port does nothing except record the source address.

When a station transmits a frame to a station that is not on the same LAN, the bridge relays the frame. The bridge looks up the destination MAC address in the Filtering Database (FDB), sees which port it is associated with, and relays the frame to that port. The port then drops the frame onto the LAN attached to it. The destination device recognises its own MAC address in the frame and receives it. The ageing out of Dynamic Filtering Entries ensures that end stations that have been moved to a different part of the network are not permanently prevented from receiving frames.

It also takes account of changes in the active topology of the network that can cause end stations to appear to move from the point of view of the bridge. Since a MAC address, and its association with a port, is only entered in the FDB when that station has transmitted a frame, a mechanism is needed for finding a station that has not yet transmitted. This is done by flooding the frame to every port except the port the frame came in on.

Flooding is not a specific operation of a bridge.


The terms "flood" and "flooding" describe the result of not filtering. When the frame eventually reaches the end station whose address is the frame's destination, that station recognises the address and responds. When it responds, its address is captured by the bridge port to which it is attached and stored in the FDB. If a bridge port is connected to another bridge port (for example, a link connecting two switches), then each of those bridge ports will see all the traffic coming from the other. We all know that it is undesirable to have a loop in a local area network.
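The learning, filtering, relaying, flooding and ageing behaviour described above, as an added example (not code from the page and not from IEEE 802.1Q). The Frame and Bridge classes, the port numbers and the station addresses are constructed for the example; the 300 second ageing time is the 802.1Q default.

```python
"""Learning bridge: FDB learning, filter/relay/flood and ageing.

Added example, not code from the page or from IEEE 802.1Q. The Frame and
Bridge classes are simplified assumptions; the 300 s ageing time is the
802.1Q default. Times are plain floats (seconds) supplied by the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str          # source MAC (the sender's own address)
    dst: str          # destination MAC, learned by another process (ARP for IPv4)


@dataclass
class Bridge:
    ports: List[int]
    ageing_time: float = 300.0
    # Filtering Database: MAC -> (port the station was last heard on, time)
    fdb: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        # Dynamic Filtering Entries expire when a station stays silent, so a
        # station that moves to another port is not permanently unreachable.
        for mac in [m for m, (_, seen) in self.fdb.items()
                    if now - seen > self.ageing_time]:
            del self.fdb[mac]

    def receive(self, in_port: int, frame: Frame, now: float) -> List[int]:
        """Process one frame; return the ports it is relayed to ([] = filtered)."""
        self._age_out(now)
        # Learn: the source is always recorded against the arrival port. This
        # is the only way the FDB is populated; nothing is configured.
        self.fdb[frame.src] = (in_port, now)
        entry = self.fdb.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # Unknown destination (or broadcast): "flood", i.e. do not filter
            # on any port except the one the frame arrived on.
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        if out_port == in_port:
            return []              # destination is on the sender's LAN: filter
        return [out_port]          # relay to the port the destination is behind


def learning_demo() -> List[List[int]]:
    """Constructed scenario: A on port 1, B on port 2, C on port 1; B later
    moves silently to port 3. Returns the output port list for each frame."""
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    br = Bridge(ports=[1, 2, 3])
    return [
        br.receive(1, Frame(A, B), now=0.0),    # B unknown: flood to 2 and 3
        br.receive(2, Frame(B, A), now=1.0),    # B replies; A is known: relay to 1
        br.receive(1, Frame(A, B), now=2.0),    # both known: relay to 2
        br.receive(1, Frame(C, A), now=3.0),    # C and A share port 1: filter
        br.receive(1, Frame(A, B), now=4.0),    # B has moved to port 3, but the
                                                # stale entry still says port 2
        br.receive(1, Frame(A, B), now=400.0),  # B's entry has aged out: flood again
        br.receive(3, Frame(B, A), now=401.0),  # B answers from port 3 and is relearned
        br.receive(1, Frame(A, B), now=402.0),  # relay to 3
    ]
```

The fifth frame is the case ageing exists for: until B's entry expires, frames for B are relayed to the port it used to be on and are silently lost. The flood at 400 seconds is what lets B be rediscovered.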

It is not easy to describe exactly why it is undesirable. The term "broadcast storm" is sometimes used, but that is not an accurate description of the problem. In fact, the standard does not define the problem, although it spends a great deal of time solving it. The operation of bridges introduces a negligible rate of duplication of user data frames; the potential for frame duplication in a bridged network arises through the following possibility.

Frame duplication would happen if a frame sent out of one port were relayed back in through another port: it would be sent out again, and the copies would keep circulating. The mechanism that prevents this is the spanning tree. Every port is configured with a port cost; most switches can assign the cost automatically from the link speed, so that a port's cost is inversely proportional to its bandwidth. The root bridge sends BPDUs with a root path cost of 0, and the cost accumulates at each bridge as the BPDU propagates away from the root.


When a switch receives two BPDUs for the same root over redundant links, the port that received the inferior one (the higher root path cost, or on a tie the higher sender bridge ID) is logically disabled: it is put into the blocking state. The bridge responsible for forwarding frames on a given segment is called the designated bridge. After a while, ranging from under a second to just under a minute depending on the STP flavour, the network converges and a single-rooted, loop-free tree is built. Before a port transitions to forwarding, it goes through several states: blocking, listening, learning and finally forwarding.

Although this chapter paints a detailed portrait of STP's inner workings, we recommend the reference material available online if you are interested in a more detailed overview. After the network converges, STP's network-wide timers maintain its stability.
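The election just described (lowest bridge ID wins the root, port costs accumulate away from the root, and on a redundant link the port that hears the inferior BPDU blocks), as an added example that is not the page's code and not a full 802.1D implementation. It computes the converged steady state synchronously rather than modelling timers and state transitions. The bridge IDs, port numbers, links and speeds are constructed; the cost table is the 802.1D-1998 short path cost table.

```python
"""Spanning tree election: root bridge, root path cost and port roles.

Added example, not the page's code and not a full 802.1D implementation.
Each bridge picks the best BPDU it hears (lowest root ID, then lowest root
path cost, then lowest sender bridge ID and port), adds its own port cost,
and on a redundant link the side that hears the better BPDU blocks.
Bridge IDs, ports, links and costs in stp_demo() are constructed.
"""
from typing import Dict, List, Optional, Tuple

BridgeId = Tuple[int, str]   # (priority, MAC); the lower tuple wins

# IEEE 802.1D-1998 short path costs: cost falls as link speed rises.
PORT_COST_BY_MBPS = {10: 100, 100: 19, 1000: 4, 10000: 2}


def port_cost(mbps: int) -> int:
    return PORT_COST_BY_MBPS[mbps]


def run_stp(bridges: Dict[BridgeId, Dict[int, int]],
            links: List[Tuple[Tuple[BridgeId, int], Tuple[BridgeId, int]]]) -> Dict[BridgeId, dict]:
    """bridges: bridge id -> {port: cost}; links: ((bid, port), (bid, port)).
    Returns bridge id -> {root, root_path_cost, root_port, roles}."""
    peer: Dict[Tuple[BridgeId, int], Tuple[BridgeId, int]] = {}
    for a, b in links:
        peer[a], peer[b] = b, a

    # Each bridge's belief: (root id, root path cost, root port). Every bridge
    # starts by claiming to be root with cost 0, exactly as real bridges do.
    belief: Dict[BridgeId, Tuple[BridgeId, int, Optional[int]]] = {
        bid: (bid, 0, None) for bid in bridges}
    for _ in range(len(bridges) + 1):          # enough rounds to converge
        new_belief = {}
        for bid, ports in bridges.items():
            # Priority vector: (root, path cost, sender bridge, sender port, my port);
            # -1 marks "my own claim", which needs no root port.
            best = (bid, 0, bid, 0, -1)
            for port, cost in ports.items():
                if (bid, port) not in peer:
                    continue
                nb, nport = peer[(bid, port)]
                nroot, ncost, _ = belief[nb]
                # The neighbour advertises its root and cost; the cost of the
                # receiving port is added on the way in.
                best = min(best, (nroot, ncost + cost, nb, nport, port))
            new_belief[bid] = (best[0], best[1], None if best[4] == -1 else best[4])
        belief = new_belief

    result = {}
    for bid, ports in bridges.items():
        root, rcost, rport = belief[bid]
        roles = {}
        for port in ports:
            if port == rport:
                roles[port] = "root"
            elif (bid, port) not in peer:
                roles[port] = "designated"      # nobody to compete with
            else:
                nb, nport = peer[(bid, port)]
                nroot, ncost, _ = belief[nb]
                mine = (root, rcost, bid, port)      # what I would send here
                theirs = (nroot, ncost, nb, nport)   # what the neighbour sends
                # The lower vector is the designated bridge for that LAN;
                # the other end of the link goes to blocking.
                roles[port] = "designated" if mine < theirs else "blocked"
        result[bid] = {"root": root, "root_path_cost": rcost,
                       "root_port": rport, "roles": roles}
    return result


def stp_demo() -> Dict[BridgeId, dict]:
    """Constructed triangle: S1 (priority 4096) becomes root. S2 and S3 each
    reach it over a gigabit link; the S2-S3 link is 100 Mb/s and redundant."""
    s1 = (4096, "00:00:00:00:00:01")
    s2 = (32768, "00:00:00:00:00:02")
    s3 = (32768, "00:00:00:00:00:03")
    gig, fast = port_cost(1000), port_cost(100)
    bridges = {s1: {1: gig, 2: gig}, s2: {1: gig, 2: fast}, s3: {1: gig, 2: fast}}
    links = [((s1, 1), (s2, 1)), ((s1, 2), (s3, 1)), ((s2, 2), (s3, 2))]
    return run_stp(bridges, links)
```

In the demo both S2 and S3 reach the root at cost 4, so on the redundant S2-S3 link the tie is broken by bridge ID: S2 is designated and S3's port 2 blocks. Raising S3's priority or lowering its cost to the root moves the blocked port to the other side.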


A network here can also be a single VLAN. The timers are:

Hello time. The time between each BPDU sent on a port. By default 2 sec; it can be tuned between 1 and 10 sec.
Forward delay. The time spent in the listening and learning states. By default 15 sec; it can be tuned between 4 and 30 sec.
Max age. The maximum time a bridge port retains stored configuration BPDU information before discarding it. By default 20 sec; it can be tuned between 6 and 40 sec.

Each configuration BPDU carries these three timer values. In addition, each configuration BPDU carries another time-related parameter, the message age. Unlike the three timers, the message age is not a fixed value.

The message age holds the length of time that has passed since the root bridge originated the BPDU. The root bridge sends all its BPDUs with a message age of 0, and each subsequent switch adds 1 to the value before relaying it. Effectively, this value tells you how far you are from the root bridge when you receive a BPDU. For example, the root bridge is never sure that everyone acknowledges its presence: the protocol contains no provision to ensure this.

The protocol simply relies on the timers just described to assume that BPDUs are properly delivered to every bridge in the network. In a converged network, the root bridge sends a BPDU out of each port every hello interval (2 sec by default). Every BPDU contains an age field that represents how long it has been in transit.


It starts from 0 at the root and increases as the BPDU makes its way through the switched network. A receiving bridge discards its stored BPDU once that age reaches max age, and the clock does not start from 0: if the BPDU arrived 6 sec old, the clock starts counting from 6, so only 14 of the 20 sec remain. Normally the next BPDU is supposed to arrive 2 sec later, but because of various conditions (packet loss, unreliable software, excessive CPU utilisation, unidirectional links, and so on) BPDUs are known to sometimes fail to show up on time. When a switch detects a change in the topology it sends a topology change notification (TCN) BPDU. It is a lightweight BPDU whose purpose is to inform the upstream switches, all the way to the root bridge, that a connectivity event has occurred on this switch.
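The relationship between message age, the per-hop increment and max age, as an added example (not the page's code). The timer defaults are the ones quoted above (hello 2 sec, max age 20 sec) and the +1 per hop is the increment described above; the PortBpduStore class and the BPDU arrival schedules are constructed for illustration.

```python
"""Message age versus max age: when a stored BPDU goes stale.

Added example, not the page's code. Timer defaults are those the page
quotes (hello 2 s, max age 20 s) and the +1 per hop is the increment the
page describes; PortBpduStore and the arrival schedules are constructed.
"""
from typing import List, Optional

HELLO = 2.0
MAX_AGE = 20.0


def forwarded_message_age(received_age: float) -> float:
    """Each bridge adds 1 to the message age before relaying the BPDU,
    so the value grows with distance from the root."""
    return received_age + 1


class PortBpduStore:
    """Holds the configuration BPDU most recently accepted on one port."""

    def __init__(self, max_age: float = MAX_AGE) -> None:
        self.max_age = max_age
        self.message_age: Optional[float] = None
        self.received_at: Optional[float] = None

    def receive(self, message_age: float, now: float) -> None:
        self.message_age, self.received_at = message_age, now

    def age(self, now: float) -> float:
        # The clock does not start at 0: it starts at the message age the
        # BPDU already carried when it arrived.
        return self.message_age + (now - self.received_at)

    def expired(self, now: float) -> bool:
        return self.message_age is None or self.age(now) >= self.max_age

    def time_to_expiry(self, now: float) -> float:
        return 0.0 if self.expired(now) else self.max_age - self.age(now)


def hellos_that_can_be_lost(message_age: float,
                            max_age: float = MAX_AGE, hello: float = HELLO) -> int:
    """Consecutive hello intervals that may pass without a fresh BPDU before
    the stored one expires. A BPDU that arrived 6 s old leaves 14 s, i.e.
    7 missed hellos; one that arrived 18 s old leaves room for only 1."""
    return int((max_age - message_age) // hello)


def simulate(arrivals: List[float], message_age: float,
             max_age: float = MAX_AGE, horizon: float = 60.0,
             step: float = 1.0) -> Optional[float]:
    """Feed BPDUs of a fixed message age at the given times (every hello
    interval while all is well, then none once they are lost), stepping a
    clock forward. Return the first time the port's stored information is
    found expired, or None if it never expires within the horizon."""
    store = PortBpduStore(max_age)
    pending = sorted(arrivals)
    t = 0.0
    while t <= horizon:
        while pending and pending[0] <= t:
            store.receive(message_age, pending.pop(0))
        if store.expired(t):
            return t
        t += step
    return None
```

With the defaults, a port one hop below the root (message age 1) can survive nine lost hellos; a port receiving BPDUs already 6 sec old survives seven. That is why the age field, not just the hello count, decides how deep a tree the default timers can keep stable.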

The figure shows a scenario where this mechanism plays a crucial role in restoring network connectivity faster. Suppose traffic flows between PC A and PC B through switches 1, 2, 3 and 4, and all forwarding tables are correctly populated, with switch 1 pointing to switch 2 to reach B.

Now the link between switches 2 and 3 fails. As a result, switch 4 takes its link to switch 1 out of blocking and puts it into forwarding.