
I thought that a switch learnt the MAC addresses by the computers sending out packets. However, when I configured 2 switches and 2 PCs, 1 PC connected to 1 switch, the other PC connected to the other switch, and then both switches connected to each other, there were MAC addresses in the MAC address table without any packets being sent. Why/how does this happen?

The_Bear
  • PCs are actually pretty chatty. They do a lot of things in the background. – Ron Trunk Feb 13 '19 at 11:56
  • Are you sure there were no packets sent? How? Modern OSes have a lot of background network activity. This can also be due to gratuitous ARP. See [this answer](https://networkengineering.stackexchange.com/a/7716/16930) for example – JFL Feb 13 '19 at 11:57
  • Definitely no packets sent when it was first viewed, packets were sent afterwards and the table was viewed again. – The_Bear Feb 13 '19 at 11:58
  • Then you have magic switches. – JFL Feb 13 '19 at 13:02
  • Clearly the PCs sent frames. That’s how the switch learned the MACs. – Ron Trunk Feb 13 '19 at 13:11
  • You could unplug a computer from a particular port, set up a capture on the switch to monitor the port, clear the MAC registered to that port if it's still in the table, and then plug your computer back into the port to see what the capture shows. That should answer your question. – Jesse P. Feb 13 '19 at 13:39
  • While I'm also unsure why you think that no packets were sent, I can only warmly recommend the Cisco Packet Tracer if you want to know why and what the PCs are talking on the network. (Sorry if that's old news for you and I misunderstood you!) – Flying Thunder Feb 13 '19 at 13:57

3 Answers

When you connect a PC to a network switch ("link up"), the PC performs at least one of these procedures (assuming IPv4 use):

  1. (most commonly) request an IP address lease from a DHCP server
  2. (when DHCP fails or is deactivated) automatically configure a link-local IP address (aka zero-config or APIPA)
  3. (when a static IP address is configured) send an ARP probe to detect an address collision

All of these methods send out broadcast frames from the PC which populate the MAC table in all the switches in the network (broadcast domain / VLAN).

Zac67
  • Also, gratuitous ARP, as mentioned in the comments to the question. – Jörg W Mittag Feb 13 '19 at 20:17
  • And an ARP for the default gateway and DNS servers if defined either locally or by DHCP plus UPNP discovery, etc. – grahamj42 Feb 13 '19 at 20:20
  • Strictly speaking, this depends on OS and network configuration. If you were to disable IPv4 none of the packets you mention would be sent. For another example look at IPv6, it doesn't use broadcast, only multicast. There are switches which will treat them the same, but a switch does not have to forward multicast packets onto all ports. – kasperd Feb 13 '19 at 22:20
  • @kasperd Absolutely. However, 99.x% of users *are* using IPv4 and the question didn't call for a too thorough/complicated answer. – Zac67 Feb 14 '19 at 07:21
  • @Zac67 Your 99% number sounds like one you made up rather than anything based on actual data. One would need telemetry implemented in native code deployed to a very large user base to give a number with that amount of accuracy. I most certainly don't have access to a large enough number of client machines to say how widespread the use of IPv6-only networks with NAT64 is. But given that more than 20% of users have IPv6 access I would guess the number of such IPv6-only networks to amount for more than 1%. – kasperd Feb 14 '19 at 21:20
  • @kasperd Well, I don't know *any* business using an IPv6-only network. v4-only is still very common and the rest is running dual stack. However, I didn't mean the 99+% literally, just that those with no IPv4 are *very* rare. – Zac67 Feb 14 '19 at 21:25
  • @Zac67 I know of multiple businesses running IPv6-only networks. I have first hand knowledge of a lot of machines running IPv6-only. The machines of which I have first hand knowledge are still less than 1% of the machines in existence worldwide. But of the machines I do have first hand knowledge about there is a two-digit percentage of them running IPv6-only. You can put clients on an IPv6-only network with DNS64+NAT64 and most users will never notice the lack of IPv4. IPv6-only without even NAT64 is still very rare and probably more often happens by accident rather than intentionally. – kasperd Feb 15 '19 at 08:58
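
An added illustration of the learning behaviour described in the answer above (not part of the original answer or its comments): a minimal simulation of the question's topology, PC1 - SW1 - SW2 - PC2, showing that a single link-up broadcast from PC1 puts its MAC into both switches' tables. The `Switch` class, port numbers and MAC addresses are constructed for this example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
PC1, PC2 = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs

class Switch:
    def __init__(self, name):
        self.name = name
        self.links = {}      # port -> (peer, peer_port); peer is a Switch or a host name
        self.mac_table = {}  # source MAC -> port it was last seen on

    def receive(self, in_port, src, dst, delivered):
        self.mac_table[src] = in_port          # learning looks only at the source MAC
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:    # broadcast or unknown unicast: flood
            ports = [p for p in self.links if p != in_port]
        else:                                  # known unicast: one port only
            ports = [out] if out != in_port else []
        for p in ports:
            peer, peer_port = self.links[p]
            if isinstance(peer, Switch):
                peer.receive(peer_port, src, dst, delivered)
            else:
                delivered.append(peer)         # frame reaches an end host

def connect(a, a_port, b, b_port=None):
    a.links[a_port] = (b, b_port)
    if isinstance(b, Switch):
        b.links[b_port] = (a, a_port)

def build():
    sw1, sw2 = Switch("SW1"), Switch("SW2")
    connect(sw1, 1, "PC1")
    connect(sw2, 1, "PC2")
    connect(sw1, 24, sw2, 24)                  # inter-switch link
    return sw1, sw2

def demo():
    sw1, sw2 = build()
    seen = []
    sw1.receive(1, PC1, BROADCAST, seen)       # PC1 link-up, e.g. a DHCP discover
    after_one = (dict(sw1.mac_table), dict(sw2.mac_table), list(seen))
    sw2.receive(1, PC2, BROADCAST, seen)       # PC2 link-up, e.g. an ARP probe
    seen.clear()
    sw1.receive(1, PC1, PC2, seen)             # unicast now follows learned ports
    return after_one, sw1.mac_table, sw2.mac_table, seen

if __name__ == "__main__":
    print(demo())
```

SW2 learns PC1 on its inter-switch port rather than on an access port, which is why a MAC can show up on a switch the PC is not directly attached to.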

PCs have many background tasks that send data all the time, even when you’re “not doing anything.” These frames will populate the MAC table.

Ron Trunk

You might think no packets have been sent, but computers do a lot of talking in the background, given all the services functioning in the background.

Panthera