
The12thMan
@people.net.au

Anon

[HELP] Cisco switches and mac addresses

Hi there

I was wondering if someone could help me with a question with regard to switches and MAC addresses.

Let's say I have a PC called PC5 for example. I have just unplugged PC5 from its switchport.

It is my understanding that as soon as a PC is unplugged from a switchport the MAC address associated with that PC on that port is automatically and instantly removed. Is this true?

I heard something about MAC address age time on Cisco switches, what is this?

Can someone explain to me what happens or post some links for further info on this topic that is EASY for me to understand. LOL not like the Cisco webpage

What happens now for example if say PC1 sends something like a ping request to PC5 (just after I unplugged PC5)?

Are any of these possible answers, and if so, then why?

A. switch0 floods it out all ports except the port it came in on.
B. switch0 removes the PC5 entry from the mac table
C. All hosts of Switch0 respond with a 'not found message'
D. switch0 sends out a FFFF-FFFF-FFFF broadcast.

Thanks for any help
aryoba
MVM
join:2002-08-22

1 recommendation

said by The12thMan:

> Let's say I have a PC called PC5 for example. I have just unplugged PC5 from its switchport.
>
> It is my understanding that as soon as a PC is unplugged from a switchport the MAC address associated with that PC on that port is automatically and instantly removed. Is this true?

Removed from what? MAC address table?

In general, there is a timeout for how long MAC addresses are kept in a switch's MAC address table. If the switch does not see further activity past the timeout, the MAC address will be off the table.

said by The12thMan:

> I heard something about MAC address age time on Cisco switches, what is this?

That is pretty much the timeout control. Check out the following link for more info.

»www.cisco.com/en/US/docs ··· p1085773

said by The12thMan:

> Can someone explain to me what happens or post some links for further info on this topic that is EASY for me to understand. LOL not like the Cisco webpage

That will be tough. These kinds of things need some time to understand, not to mention a lot of hands-on time on actual equipment. In other words, no easy way. Good luck

said by The12thMan:

> What happens now for example if say PC1 sends something like a ping request to PC5 (just after I unplugged PC5)?
>
> Are any of these possible answers, and if so, then why?
>
> A. switch0 floods it out all ports except the port it came in on.
> B. switch0 removes the PC5 entry from the mac table
> C. All hosts of Switch0 respond with a 'not found message'
> D. switch0 sends out a FFFF-FFFF-FFFF broadcast.

In regard to IP traffic, there will be involvement of the routing table, ARP table, and MAC address table if there is a switch in place. In general, here is what could happen (depending on a lot of things):

1. PC1 checks its routing table to find out how to reach out to PC5 in terms of IP address.

2. Assuming PC1 and PC5 are within the same broadcast domain, PC1 will check its ARP table to find out the MAC address associated with PC5's IP address.

3. Once PC1 has PC5's MAC address, PC1 sends data to PC5's MAC address.

4. Assuming both PC1 and PC5 connect to the same switch, the switch will check its MAC address table to find out which switch port PC5 connects to.

5. If PC5's MAC address listed in the switch MAC address table has not yet timed out, then the switch soon finds out which switch port PC5 connects to and then forwards the traffic from PC1 to PC5's switch port.

6. Since PC5 is disconnected (off the switch), the traffic the switch forwards to PC5's switch port receives no response.

7. This lack of response makes PC1 send out a FFFF-FFFF-FFFF broadcast. Depending on how sophisticated the switch is, it could be possible that the switch itself sends out the FFFF-FFFF-FFFF broadcast on behalf of PC1.

8. When the switch and/or PC1 still can't find where PC5 is, the switch will remove PC5's MAC address from its MAC address table. Similarly, PC1 removes PC5's MAC address and IP address from its ARP table.

To answer your question, I believe the possible answers are A, B, and D.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

to The12thMan
Yes, as soon as link is lost on a port, the switch removes all data associated with that port from the mac-address-table.

If PC1 then attempts to send a packet to PC5, the switch will flood the packet to all ports, because it doesn't know where to send it. (This assumes PC1 already knows PC5's MAC. Otherwise an ARP request would be broadcast to find it. As it's disconnected, there will be no reply.) In the process, the switch learns the location of PC1 from the src mac of that packet.

The "aging-time" controls how long an entry will stay in the table without seeing any traffic from it. If PC1 generates no packets for 300sec (default), it'll be dropped from the table.
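
The behaviour described in the reply above (flush on link loss, flooding of unknown unicast, and the 300-second aging timer), as an added example that is not part of the original thread and is not vendor code. It is a simplified model: the five-port layout, the port numbers for PC1 and PC5, and the MAC addresses are constructed for illustration.

```python
# Added example: toy model of a learning switch, not vendor code.
BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_TIME = 300  # seconds, the default quoted in the reply above

class Switch:
    def __init__(self, ports, aging_time=AGING_TIME):
        self.up = set(ports)        # ports that currently have link
        self.aging_time = aging_time
        self.table = {}             # MAC -> (port, time last seen as a source)

    def _age(self, now):
        # An entry survives only while its MAC keeps sending frames.
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.aging_time}

    def link_down(self, port):
        # Losing link flushes everything learned on that port at once.
        self.up.discard(port)
        self.table = {m: (p, t) for m, (p, t) in self.table.items() if p != port}

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the sorted list of egress ports."""
        self._age(now)
        self.table[src] = (in_port, now)            # learn or refresh the source
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst][0]
            return [] if out == in_port else [out]  # known unicast: one port
        return sorted(self.up - {in_port})          # broadcast/unknown: flood

PC1, PC5 = "00:00:5e:00:53:01", "00:00:5e:00:53:05"  # constructed MACs

def unplug_scenario():
    sw = Switch(ports=[1, 2, 3, 4, 5])
    sw.receive(5, PC5, BROADCAST, now=0)      # PC5 talks, switch learns port 5
    before = sw.receive(1, PC1, PC5, now=10)  # forwarded to port 5 only
    sw.link_down(5)                           # PC5 is unplugged
    after = sw.receive(1, PC1, PC5, now=20)   # unknown unicast, flooded
    return before, after, PC5 in sw.table

def aging_scenario():
    sw = Switch(ports=[1, 2, 3, 4, 5])
    sw.receive(5, PC5, BROADCAST, now=0)
    fresh = sw.receive(1, PC1, PC5, now=299)  # entry still valid
    stale = sw.receive(1, PC1, PC5, now=600)  # PC5 silent past 300 s: flooded
    return fresh, stale
```

Note that frames addressed *to* PC5 do not refresh its entry in this model; only frames PC5 itself sends reset the timer, which is why the entry ages out even though PC1 keeps trying.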

skj
Welcome to the far side of reality
Mod
join:2002-04-04
Gone South

(topic move) [HELP] Cisco switches and mac addresses

Moderator Action
The post that was here (and all 1 followups to it), has been moved to a new topic .. »Network Address Tranlsation (NAT) Question