David Sankovsky (Israel) asked:
Does each and every interface in a managed switch have its own MAC address?

Hello Experts.
I came across a difficult situation today.

We integrated Aruba ClearPass (a NAC solution) for one of our clients who uses Juniper switches.
Everything worked perfectly until suddenly the client called in a panic saying that an entire floor (in networking terms, a virtual chassis consisting of 3 switches) was down - no DHCP, no nothing!
Immediately I thought, well, the ClearPass can't cause that; it only determines whether or not a computer should be allowed into the network and, if so, into which VLAN.
When I ran the Spanning Tree info I saw two ports that were flopping between forwarding and blocking. Asking the client to investigate, it became apparent someone had accidentally connected ge-1/0/15 with ge-2/0/41.
Obviously, as soon as we broke the loop the network immediately started working normally again.
That got me thinking, however.
Since one switch was trying to access another switch, the "receiving" switch would have to check with RADIUS if that "device" should be allowed into the network, and since we never entered any of the switches, the NAC should've blocked it.
So I ran the "show chassis mac-address" command
and searched the NAC DB for that address, but came up empty.
Which brings me to my question.
In a Juniper EX switch, does each and every physical interface have its own MAC address? If so, how can I find the MAC address of a specific interface?
hypercube (United States of America):

Does each and every interface in a managed switch have its own MAC address?

No.  

Switches are, in that sense, transparent. You can PING a managed switch's management IP address, which will have a corresponding MAC address. But normal switch traffic doesn't see this. I don't believe that RADIUS interaction is likely for a switch.
Yes. Every interface has its own MAC address. For example, you could check MAC addresses by issuing:
show interfaces | match "ge-|xe-|Hardware"
Each connected switch port has associated MAC addresses of the devices that are connected to it.
Layer 2 vs. Layer 3 may matter.
Try the command, I was not close. It is a filtered command; it will show all interfaces (ge and xe) and the MAC addresses assigned to the interfaces (and some others too).
;)
Try it
I guess my response was incorrect. Sorry about that!
noci:
@Fred, your answer was partly correct.
Each interface CAN (depending on the make of the switch) have its own MAC address, but it is transparent when used in switch mode.
The MAC address is needed when interfaces are used as a router port.
A MAC address on a switch port is needed in every mode of operation. For example, BPDU, CDP, LLDP and some other frames are sent with the source MAC address of the egress port.
Layer 2 vs. Layer 3?? Any difference? My experience is all using switches at Layer 2.
The general L2 vs. L3 operational difference is:
 - L2 does transparent switching (it does not modify frames, but QoS may still do it)
 - L3 rewrites the L2 header of a packet on a per-hop basis

For some functionalities a MAC address on the switch port is needed even if the switch operates at L2. In a previous post I mentioned some frames forwarded/created by the switch while it operates at L2, and those frames have the source MAC address of the egress interface. Even if the switch functions as L2, some functionalities require that the MAC address of the egress interface is used for frame creation (so a MAC address needs to be present on each interface).
My switch seems to use the SAME MAC address on all ports.... (there is no need on this L2 switch).
One system reports this: Procurve_d9:fe:62, another system this: Procurve_d9:fe:62, and on a different (VLAN) interface this: Procurve_d9:fe:62;
on another system: Procurve_d9:fe:62; all on LLDP.
The first 2 systems share a VLAN; the last system is completely separate.
(The chassis number is almost the same: b4:39:d6:d9:fe:60)

This still fits with my experience. Not all switches do have MAC addresses for each Ethernet port. They do have at least one MAC address to be manageable... (or one for each VLAN port they support connections on).
It might need one per bridge for BPDUs.
We might clarify that "egress interface" means on the switch or on the source device .. every time.
When I read "egress interface", I find I'm assuming the switch egress port but also realize that my assumption could be wrong.
And, I believe, in some cases, probably is wrong.....
Egress interface/port: traffic flow from the switch in the direction of the neighboring device.

I checked multiple Cisco and Juniper network switches (2960s, 2960x, 3750-x, Nexus 3k, C892, EX3x00, SRX210); each device's physical interface has its own MAC address.
Example (C892):
sh interface | i bia|Fa|Vlan|Gi
FastEthernet0 is up, line protocol is up
  Hardware is Fast Ethernet, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
FastEthernet1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.01fd (bia 649e.f3d4.01fd)
FastEthernet2 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.01fe (bia 649e.f3d4.01fe)
FastEthernet3 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.01ff (bia 649e.f3d4.01ff)
FastEthernet4 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.0200 (bia 649e.f3d4.0200)
FastEthernet5 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.0201 (bia 649e.f3d4.0201)
FastEthernet6 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.0202 (bia 649e.f3d4.0202)
FastEthernet7 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.0203 (bia 649e.f3d4.0203)
FastEthernet8 is administratively down, line protocol is down
  Hardware is PQII_PRO_UEC, address is 649e.f3d4.0204 (bia 649e.f3d4.0204)
GigabitEthernet0 is up, line protocol is up
  Hardware is PQII_PRO_UEC, address is 649e.f3d4.0214 (bia 649e.f3d4.0214)
Vlan1 is down, line protocol is down
  Hardware is EtherSVI, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
Vlan10 is up, line protocol is up
  Hardware is EtherSVI, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
Vlan20 is up, line protocol is up
  Hardware is EtherSVI, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
Vlan30 is down, line protocol is down
  Hardware is EtherSVI, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)


That some do isn't proof that all do. But interesting information nonetheless.
How about SG300, and how to find out?
Sure, it is not proof, but I don't remember that I ever saw a different approach (and, for sure, I did not pay attention on each device to whether different MAC addresses are present on each physical interface). I just checked today all switch types that I had access to and checked how it is on those switches.
I don't know how to check SG300 interface MAC addresses.
Please verify the claim that the MAC address is needed & used on CDP/LLDP/BPDU; I didn't see it (wireshark/tcpdump).
ProCurve managed L2 switches don't offer an interface for showing the MAC address per interface, and it also isn't used in the named protocols.

1 19.257607720 Procurve_d9:fe:62 → LLDP_Multicast LLDP 132 TTL = 240 System Name = Switch1 System Description =  HP ProCurve 1810G - 24 GE, P.2.21, eCos-2.0, CFE-2.1 


*I tried to find the RFC for the BPDU frame source address (and lost too much time), but here it is from Wiki:
Wiki - Bridge Protocol Data Units (BPDUs) are frames that contain information about the Spanning tree protocol (STP). A switch sends BPDUs using a unique MAC address from its origin port and a multicast address as destination MAC (01:80:C2:00:00:00,[1] or 01:00:0C:CC:CC:CD for Per VLAN Spanning Tree).

RFC - 802-1AB-2005
8.2 Source address

The source address shall be the MAC address of the sending station or port.
Of course there are implementations that break the rules (as I read that Siemens did).

Since CDP is Cisco proprietary I did not try to find documentation.

A possible reason for a different MAC address per port is MAC learning on the neighboring device. If two devices were interconnected with more than one link, the neighboring device would detect the same source address on different ports as MAC flapping.

You can find the packet capture in the attachment, from 2 different ports on my home device. /**** I removed the attachment later, since many details about my router are present in the capture (and replaced it with pictures of the capture).
Capture 1, Capture 2 (images). I hope that this is enough detail, since we hijacked this question. ;)
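The thread ends up with two practical questions: which MAC belongs to which switch port (the "show interfaces" output quoted above shows physical ports with consecutive MACs and SVIs reusing the first port's MAC), and whose MAC appears as the source of LLDP/BPDU frames, or shows up as "flapping" on a neighbour when two ports are looped together, as with ge-1/0/15 and ge-2/0/41 in the original question. The script below is an added example, not code from the thread or from Cisco or Juniper: it parses the IOS-style output quoted above into an interface-to-MAC map, attributes the source MAC of captured control-plane frames to a switch port, and flags a MAC learned on more than one ingress port. The sample CLI text is an abbreviated copy of the C892 output, and the frame bytes and learning events are constructed for the example; the Juniper `show interfaces | match ...` format mentioned earlier has a different layout and is not handled here. It also shows why a lookup keyed on the chassis MAC can miss a frame that was sent from a port MAC.

```python
"""Added example (not from the thread): map switch-port MAC addresses and
attribute captured control-plane frames (LLDP, BPDU) to the sending port.

Sample CLI text is an abbreviated, constructed copy of the C892 'show interfaces'
output quoted in the thread; frame bytes and learned-MAC events are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: abbreviated 'sh interface | i bia|Fa|Vlan|Gi' output (IOS format).
SHOW_INTERFACES = """\
FastEthernet0 is up, line protocol is up
  Hardware is Fast Ethernet, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
FastEthernet1 is down, line protocol is down
  Hardware is Fast Ethernet, address is 649e.f3d4.01fd (bia 649e.f3d4.01fd)
GigabitEthernet0 is up, line protocol is up
  Hardware is PQII_PRO_UEC, address is 649e.f3d4.0214 (bia 649e.f3d4.0214)
Vlan1 is down, line protocol is down
  Hardware is EtherSVI, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
Vlan10 is up, line protocol is up
  Hardware is EtherSVI, address is 649e.f3d4.01fc (bia 649e.f3d4.01fc)
"""

IFACE_RE = re.compile(r"^(\S+) is .*?, line protocol is \S+$")
ADDR_RE = re.compile(r"address is ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")

# Well-known destination MACs of the control-plane frames discussed in the thread.
CONTROL_DST = {
    "01:80:c2:00:00:00": "BPDU (STP)",
    "01:00:0c:cc:cc:cd": "BPDU (PVST+)",
    "01:80:c2:00:00:0e": "LLDP",
}


def canonical_mac(mac):
    """Normalise 'aabb.ccdd.eeff', 'aa-bb-..' or 'aa:bb:..' to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_interfaces(text):
    """Return {interface_name: mac} from IOS 'show interfaces' output."""
    macs = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                       # header line names the interface
            current = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if m and current:           # 'Hardware is ..., address is ...' line
            macs[current] = canonical_mac(m.group(1))
            current = None
    return macs


def mac_to_interfaces(iface_macs):
    """Invert the map. SVIs reuse a physical port's MAC, so values are lists."""
    inv = defaultdict(list)
    for iface, mac in iface_macs.items():
        inv[mac].append(iface)
    return dict(inv)


def build_frame(dst, src, type_or_len, payload=b""):
    """Constructed Ethernet header (dst, src, EtherType or 802.3 length) + payload."""
    to_bytes = lambda m: bytes.fromhex(canonical_mac(m).replace(":", ""))
    return to_bytes(dst) + to_bytes(src) + type_or_len.to_bytes(2, "big") + payload


def classify_frame(frame, iface_macs):
    """Return (protocol_or_None, source_mac, interfaces_owning_source_mac)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[0:6])
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    return CONTROL_DST.get(dst), src, mac_to_interfaces(iface_macs).get(src, [])


def find_mac_flaps(learned):
    """learned: iterable of (ingress_port, source_mac) learning events.

    Returns {mac: sorted ports} for every MAC seen on more than one port, which is
    what a neighbour reports as MAC flapping when two of its links are looped."""
    seen = defaultdict(set)
    for port, mac in learned:
        seen[canonical_mac(mac)].add(port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


# Constructed sample frames: LLDP sent from Fa0's MAC, STP BPDU sent from Gi0's MAC.
LLDP_FRAME = build_frame("01:80:c2:00:00:0e", "649e.f3d4.01fc", 0x88CC, b"\x02\x07\x04")
BPDU_FRAME = build_frame("01:80:c2:00:00:00", "649e.f3d4.0214", 0x0026, b"\x42\x42\x03")

if __name__ == "__main__":
    ifaces = parse_show_interfaces(SHOW_INTERFACES)
    for iface, mac in ifaces.items():
        print(f"{iface:18} {mac}")
    for frame in (LLDP_FRAME, BPDU_FRAME):
        print(classify_frame(frame, ifaces))
    # Constructed learning events: one MAC arriving on both ports of a looped pair.
    print(find_mac_flaps([("ge-1/0/15", "00:11:22:33:44:55"),
                          ("ge-2/0/41", "0011.2233.4455"),
                          ("ge-1/0/3", "aa:bb:cc:dd:ee:ff")]))
```

Feeding the real output of the command into `parse_show_interfaces` and the source MAC of a captured LLDP or BPDU frame into `classify_frame` answers the original question for a given box: if the frame's source resolves to a physical port rather than to the chassis or management MAC, that port MAC is the one a RADIUS/NAC database would have to know about.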