Episode 111: MAC Address Tables — How Switches Learn
Switches form the backbone of Layer Two networks, and at the heart of their functionality lies the M A C address table. Episode One Hundred Eleven, titled “M A C Address Tables — How Switches Learn,” explores how switches use this internal structure to make intelligent forwarding decisions. The M A C address table enables each switch to understand which devices are reachable through which ports, reducing broadcast traffic and streamlining data delivery. On the certification exam, this concept is foundational, and understanding it will help you answer a variety of questions about switch behavior, traffic flow, and network troubleshooting.
The process of learning M A C addresses is fundamental to how switches operate. Without it, every frame would have to be flooded out every port, wasting bandwidth and increasing the risk of congestion. Switches learn addresses by observing incoming frames, then use that information to build a table that matches M A C addresses to specific ports. This behavior forms the basis for unicast forwarding, which is more efficient than relying solely on broadcast or multicast. For the exam, you’ll need to recognize how this learning process reduces network load and supports reliable, directed communication at Layer Two.
The M A C address table contains essential data that helps the switch forward traffic within the local network. Each entry includes a M A C address, the switch port where that address was last seen, and a V L A N identifier if V L A Ns are configured. This allows the switch to maintain separate forwarding logic per virtual network and support complex, segmented architectures. The presence of port and V L A N context ensures that even if the same M A C address appears in multiple V L A Ns, it is handled correctly. On the exam, tables may be presented for interpretation, and understanding these elements is key.
Switches learn M A C addresses by examining the source address of incoming Ethernet frames. When a device sends traffic through a port, the switch captures the M A C address in the frame’s header and associates it with that specific port in the table. This dynamic learning process allows the switch to build a list of known devices across its interfaces. As new devices appear, their M A C addresses are added, and if a device moves to a new port, the table is updated accordingly. You’ll be expected to know this dynamic behavior and its implications for troubleshooting on the certification exam.
The M A C address table does not grow endlessly. Instead, it uses aging timers to automatically remove entries that have not been used for a certain period. This cleanup process prevents the table from filling with stale data and allows space for new device entries. The default aging time is typically around three hundred seconds, but it can be adjusted by the administrator. If a device becomes inactive or disconnects, its address will eventually be removed from the table unless traffic is seen again. The exam may ask about this timeout behavior or how it supports table accuracy.
When forwarding a frame, the switch consults the M A C address table. If the destination address is listed, the switch forwards the frame only to the associated port, a process called unicast forwarding. If the address is unknown—meaning not yet in the table—the switch floods the frame out all ports in the same V L A N except the one it arrived on. This flooding behavior is temporary and ends once the destination is learned. The exam may test your understanding of this difference between known and unknown address handling.
Broadcasts and unknown unicasts are both flooded across all relevant switch ports. This process ensures that the intended recipient receives the traffic, even if the switch doesn’t yet know where it resides. While necessary, this flooding increases overall traffic and can affect performance in larger networks. However, it also accelerates M A C learning, as the recipient’s reply allows the switch to add its address to the table. On the exam, understanding the relationship between flooding and M A C learning will help you interpret questions on switch behavior.
Despite their utility, M A C address tables have storage limits. If too many unique addresses are seen—either from legitimate growth or malicious activity—the table can overflow. This causes the switch to revert to flooding mode for all traffic, which may result in performance degradation or a denial-of-service condition. This vulnerability is often targeted in M A C flooding attacks, where an attacker overwhelms the table with fake addresses. The certification exam may present symptoms of table overflow and ask you to identify the root cause or suggest mitigation steps.
M A C flapping is a condition where a single M A C address is seen moving rapidly between different ports. This can occur due to physical miswiring, such as a loop without proper Spanning Tree Protocol control, or due to software issues in endpoint devices. When flapping occurs, the M A C table constantly updates and becomes unstable, making reliable forwarding impossible. The switch is left unsure which port truly hosts the device. Recognizing signs of M A C flapping and knowing its causes is an important part of troubleshooting questions on the exam.
Some M A C address entries can be configured manually, known as static M A C address mappings. These entries are fixed and do not age out or change based on frame observations. Static entries are often used for critical devices like servers, where stable addressing is required. They also override any dynamic learning that would conflict. While less common than dynamic learning, static entries play a vital role in environments that demand predictability. Expect the exam to include questions about when to use static versus dynamic table entries.
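As an added illustration that is not part of the episode, here is a small Python model of the learning, aging, flooding, overflow and static-entry behavior described above. The port-to-V L A N layout, the table size and the per-port learning limit (the kind of cap port security enforces) are assumptions chosen for the example.

```python
# Added example, not the episode's code; table size and per-port limit are assumptions.
from dataclasses import dataclass, field
@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float

@dataclass
class Switch:
    ports: dict                        # port name -> access VLAN (constructed topology)
    aging: int = 300                   # aging time in seconds, the episode's typical default
    capacity: int = 8                  # assumed table size; real switches hold thousands
    max_per_port: int = 2              # assumed per-port learning limit (port-security style)
    table: dict = field(default_factory=dict)   # (vlan, mac) -> Entry

    def add_static(self, vlan, mac, port):
        self.table[(vlan, mac)] = Entry(port, True, float("inf"))

    def learn(self, vlan, mac, in_port, now):
        # Record the source MAC seen on in_port and report what happened.
        entry = self.table.get((vlan, mac))
        if entry and entry.static:
            return "static"            # static entries never move or age out
        if entry:
            moved = entry.port != in_port
            entry.port, entry.last_seen = in_port, now
            return "moved" if moved else "refreshed"
        if sum(e.port == in_port for e in self.table.values()) >= self.max_per_port:
            return "violation"         # too many addresses on this port
        if len(self.table) >= self.capacity:
            return "full"              # overflow: not learned, so its traffic keeps flooding
        self.table[(vlan, mac)] = Entry(in_port, False, now)
        return "learned"

    def age(self, now):
        stale = [k for k, e in self.table.items()          # dynamic entries idle too long
                 if not e.static and now - e.last_seen > self.aging]
        for k in stale:
            del self.table[k]
        return len(stale)

    def forward(self, vlan, src, dst, in_port, now):
        # Ports a frame leaves on: the learned port for known unicast, else flood.
        if self.learn(vlan, src, in_port, now) == "violation":
            return []                  # a port-security violation drops the frame
        entry = self.table.get((vlan, dst))
        if entry:
            return [entry.port]
        return [p for p, v in self.ports.items() if v == vlan and p != in_port]
```

Driving the model with a few frames shows the flood-then-unicast transition, the separate entry per V L A N, aging, and why an address the full table could not learn keeps being flooded to even while it is active.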
To observe what the switch has learned, administrators can view the M A C address table using command-line tools. The “show mac address-table” command displays all current entries, and filters can be applied to view specific V L A Ns or interfaces. This output allows administrators to verify that devices are correctly mapped and identify any inconsistencies or unexpected addresses. The exam may present simulated command output and ask you to interpret what the switch has learned or diagnose issues based on the table’s contents.
For more cyber-related content and books, please check out cyber author dot me. Also, there are other podcasts on Cybersecurity and more at Bare Metal Cyber dot com.
When a network uses V L A Ns, the M A C address table is segmented accordingly. Each V L A N maintains its own logical version of the table, which allows for the same M A C address to appear in different V L A Ns without conflict. This separation supports logical segmentation of the network and ensures that traffic is only forwarded within the correct virtual segment. For example, a printer with a given M A C address might exist in V L A N Ten and V L A N Twenty, but each instance is managed separately. On the exam, be prepared to analyze how V L A Ns affect switch learning and forwarding behavior.
Troubleshooting M A C table behavior involves identifying missing entries, incorrect port associations, or excessive flooding. If a device is not showing up in the table, it may not have sent any traffic, or the switch may have aged out the entry. Incorrect associations can occur due to loops or physical changes in cabling. Excessive flooding, even with known devices, often points to learning problems or table overflow. The exam may give you output from a switch and ask you to diagnose why frames are being flooded or why traffic isn’t reaching the correct destination.
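To make the interpretation step concrete, here is an added Python example (not code from the episode) that parses the tabular output of “show mac address-table” in the Cisco IOS layout and compares two snapshots taken moments apart, flagging addresses that changed ports (a flapping clue) and ports carrying an unusual number of learned addresses. The sample output is constructed for the example, and the column layout is assumed to match the IOS format.

```python
# Added example, not the episode's code: parse the tabular "show mac address-table"
# output (Cisco IOS layout) and compare two snapshots. Sample output is constructed.
import re
from collections import Counter

ROW = re.compile(r"^\s*(\w+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$")

SNAPSHOT_1 = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4466    DYNAMIC     Gi0/2
  20    0011.2233.4455    DYNAMIC     Gi0/4
  10    0011.2233.4477    STATIC      Gi0/3
Total Mac Addresses for this criterion: 5
"""
# Second snapshot taken a moment later: one address has shown up on a different port.
SNAPSHOT_2 = SNAPSHOT_1.replace("0011.2233.4466    DYNAMIC     Gi0/2",
                                "0011.2233.4466    DYNAMIC     Gi0/3")

def parse_mac_table(text):
    """Return {(vlan, mac): (type, port)} for every entry row; headers are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries[(vlan, mac)] = (kind.upper(), port)
    return entries

def moved_addresses(before, after):
    """(vlan, mac, old_port, new_port) for entries whose port changed: a flapping clue."""
    return [(v, m, before[(v, m)][1], port)
            for (v, m), (_, port) in after.items()
            if (v, m) in before and before[(v, m)][1] != port]

def crowded_ports(entries, limit):
    """Ports with more than `limit` dynamic addresses: where a flood or overflow may originate."""
    counts = Counter(port for kind, port in entries.values() if kind == "DYNAMIC")
    return {port: n for port, n in counts.items() if n > limit}
```

On real output, take the snapshots a few seconds apart and run the comparison repeatedly; an address that keeps alternating between the same two ports is the flapping pattern the episode describes.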
Spanning Tree Protocol interacts closely with M A C address learning. During topology changes, such as when a link fails or a redundant path becomes active, the switch may reset its M A C table entries. This reset helps ensure that traffic is not sent in the wrong direction during convergence. Also, when ports enter a blocking state during Spanning Tree transitions, M A C learning is paused until the topology stabilizes. On the exam, these interactions may appear in questions that test your understanding of how switches behave during link or topology changes.
Port security, a feature covered in earlier episodes, directly affects how M A C addresses are handled in the table. It can enforce limits on the number of addresses that can be learned per port, and it can prevent unauthorized addresses from being added. If a violation occurs, the switch may clear the table entry and disable the port temporarily. This control mechanism helps maintain table integrity and prevents flooding attacks. Exam questions often combine port security and M A C table knowledge to assess how well you understand their integrated behavior.
Understanding the difference between sticky M A C addresses and dynamic entries is also important. Sticky addresses are dynamically learned but then stored in the running configuration, making them semi-permanent. If saved to startup configuration, they persist across reboots. Dynamic entries, by contrast, reside only in memory and disappear when the device restarts or when the aging timer expires. Recognizing the persistence and behavior of these two entry types is key when the exam presents configuration options or troubleshooting steps related to learned addresses.
Failover events can also impact M A C table behavior. When a primary link fails and traffic is rerouted through a backup path, the switch must relearn the associated M A C addresses on the new port. This relearning process may involve brief disruptions as the table is updated and traffic flow is reestablished. Convergence time, determined by protocols like Spanning Tree, affects how quickly normal operation resumes. The exam may include scenarios where failover has occurred, and you must identify why traffic is not flowing or why learning seems delayed.
To summarize how M A C address learning works, switches dynamically associate each M A C address with the port on which it was last seen. This learning process is continuous and updates the table as devices move or change behavior. The forwarding logic depends on this table, allowing the switch to send frames only where they need to go. This method avoids unnecessary broadcasts and keeps network traffic efficient. On the certification exam, you’ll frequently be asked to apply this logic to real-world scenarios, configuration simulations, or interpretive command outputs.
As we conclude Episode One Hundred Eleven, it’s clear that M A C address tables are central to how switches perform intelligent forwarding. They enable unicast transmission, reduce broadcast traffic, and support V L A N segmentation. Whether entries are learned dynamically, configured statically, or managed with port security, they form the operational backbone of Layer Two switching. Understanding their behavior helps you not only prepare for the certification exam but also better grasp how real-world Ethernet networks function efficiently and securely.