Episode 112: Power over Ethernet (PoE and PoE+)

Switches are essential devices at Layer Two of the O S I model, and their ability to make intelligent forwarding decisions relies entirely on their internal memory of device locations. In Episode One Hundred Eleven, titled “M A C Address Tables — How Switches Learn,” we examine the mechanism that gives switches this intelligence: the M A C address table. This table is not a passive lookup list; it is a dynamic, constantly updated system that allows a switch to understand which devices are reachable on which ports. Without this learning capability, network efficiency would suffer dramatically, with switches flooding every frame out of every port in the V L A N, much as a hub does. In both real-world deployment and the certification exam, understanding how switches build and maintain these tables is foundational to Layer Two networking.
At the heart of this process is the learning of Media Access Control addresses. These unique hardware identifiers allow each device on an Ethernet network to be individually recognized. When a switch sees a frame arriving at one of its ports, it doesn’t just forward it—it inspects the source M A C address and updates its internal table with that address and the port it came from. This enables the switch to remember where that device lives, so future frames addressed to it can be sent directly to that port. This learning behavior reduces reliance on flooding and forms the basis for unicast communication, where traffic goes only where it’s needed.
The M A C address table itself is structured as a list of M A C address entries. Each entry ties a specific hardware address to a physical switch port. If the network is using Virtual Local Area Networks, or V L A Ns, then the V L A N context is also included in each entry. This ensures that the same M A C address used in different V L A Ns is treated as two separate identities, one per segment. This design allows for logical segmentation and prevents cross-V L A N confusion in forwarding behavior. The table grows as the switch learns new addresses and shrinks as it ages out unused ones.
Switches do not learn from destination addresses—they learn from sources. Each time a frame enters a switch, the device records the source M A C address and the interface it came through. If that M A C address is already in the table but associated with a different port, the switch updates the entry to reflect the new location. This way, the table reflects real-time topology. If a device moves to a new port, the switch adjusts. If a previously unknown device sends a frame, the switch adds it to the table. This dynamic nature is key to supporting mobility within the network.
The M A C address table is not static. It includes an aging mechanism to clean up unused entries. Each learned address has a timer that resets whenever new traffic is seen from that address. If the timer reaches its limit without seeing activity, the switch removes the entry to free up space. This process is essential to keeping the table current and avoiding misdirection of traffic. The default aging time varies by vendor, but it’s often set to around three hundred seconds. Knowing how aging works helps explain why some addresses may disappear from the table during troubleshooting.
When forwarding frames, the switch consults the M A C address table to determine whether it knows the destination. If the destination address is found in the table, the switch sends the frame only to the corresponding port. This is unicast forwarding. If the address is not in the table—meaning the switch has not yet learned it—it floods the frame out all ports within the same V L A N except the one it came in on. This flooding ensures delivery but adds unnecessary traffic. Once the destination replies, the switch learns its address and unicast forwarding resumes.
Broadcast and unknown unicast traffic is treated similarly at Layer Two. Both are flooded across all ports in the same V L A N, except the source port. This behavior ensures that all possible recipients have a chance to receive the traffic. While this is helpful in the short term, excessive flooding can degrade performance. Fortunately, the flooding also serves a useful purpose: it accelerates learning. When a broadcast elicits responses from devices, the switch learns their M A C addresses, reducing the need for future flooding. This dual role of flooding is often tested on the certification exam.
One risk associated with M A C address tables is overflow. Switches have a finite amount of memory, usually content-addressable memory, allocated to storing M A C address entries. If the number of unique source addresses seen by the switch exceeds this limit, new addresses cannot be stored. Existing entries still forward normally until they age out, but every frame destined for an address that could not be learned is flooded out all ports in the V L A N, because the switch has no idea where to send it. This condition can arise unintentionally in large environments or be caused deliberately through M A C flooding attacks, in which an attacker sends frames from thousands of forged source addresses to fill the table. The usual goal is not denial of service but eavesdropping: once the switch is flooding, the attacker’s port receives unicast traffic meant for other hosts, and the extra load degrades service only as a side effect. Port security with a small per-port address limit is the standard defense. Recognizing symptoms of table overflow, such as one access port suddenly holding hundreds of addresses, is crucial in both exams and incident response.
Another problem is M A C address flapping, where a single M A C address appears on multiple ports in rapid succession. This creates instability in the table, as the switch continually updates the location of the same address. Often this occurs because of a loop in the network, or because a device is attached to more than one port without a redundancy control mechanism such as Spanning Tree Protocol; it can also be a sign that a host on another port is spoofing the address of a legitimate device. M A C flapping can lead to unpredictable traffic paths, broken connectivity, and performance issues, and most switches log it when it happens. On the exam, this is typically presented as a troubleshooting scenario that requires diagnosis of unstable table behavior.
Sometimes, administrators manually configure M A C address entries. These are known as static entries and are often used for critical infrastructure devices like servers or printers that must always remain on the same port. Static entries are not subject to aging and do not change unless explicitly removed or altered. They override dynamic learning and ensure traffic for those addresses is never mistakenly forwarded elsewhere. While less flexible than dynamic entries, they provide stability and predictability in sensitive network areas. Knowing when to use static entries is a key part of exam readiness.
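To make the learning, flooding, aging, static-entry and overflow behavior described in the paragraphs above concrete, here is a small simulator added for this write-up; it is not code from the podcast or from any switch vendor. The port names, M A C addresses, the three-hundred-second aging time (Cisco’s default) and the deliberately tiny table capacity of five entries are constructed so that every case is reachable in one run.

```python
"""Toy Layer Two switch: learn source M A C per VLAN, forward or flood, age, cap.

Added illustration for this episode, not vendor code. Capacity and timings are
constructed values chosen so each case in demo() is reachable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: str
    last_seen: float          # seconds; refreshed on every frame from this source
    static: bool = False      # static entries never age and never move


@dataclass
class Switch:
    ports_by_vlan: Dict[int, Set[str]]               # VLAN -> access ports in it
    capacity: int = 8192                              # entries the table can hold (constructed)
    aging: int = 300                                  # Cisco's default aging time, seconds
    table: Dict[Tuple[int, str], Entry] = field(default_factory=dict)
    flaps: List[str] = field(default_factory=list)    # addresses that changed port

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self.table[(vlan, mac.lower())] = Entry(port, float("inf"), static=True)

    def age(self, now: float) -> None:
        """Drop dynamic entries that have been idle for the aging time."""
        for key, e in list(self.table.items()):
            if not e.static and now - e.last_seen >= self.aging:
                del self.table[key]

    def _learn(self, vlan: int, src: str, in_port: str, now: float) -> None:
        key = (vlan, src)
        e = self.table.get(key)
        if e is not None:
            if e.static:
                return                                # learning never overrides a static entry
            if e.port != in_port:                     # same address, new port: a move (or a flap)
                self.flaps.append(f"{src} moved {e.port} -> {in_port} in vlan {vlan}")
                e.port = in_port
            e.last_seen = now
            return
        if len(self.table) >= self.capacity:
            return                                    # overflow: the new source is simply not learned
        self.table[key] = Entry(in_port, now)

    def forward(self, vlan: int, src: str, dst: str, in_port: str, now: float) -> Set[str]:
        """Return the egress ports for one frame, updating the table as a switch would."""
        src, dst = src.lower(), dst.lower()
        self.age(now)
        self._learn(vlan, src, in_port, now)
        flood = self.ports_by_vlan[vlan] - {in_port}
        if dst == BROADCAST or int(dst[:2], 16) & 1:  # broadcast or group (multicast) address
            return flood
        e = self.table.get((vlan, dst))
        if e is None:
            return flood                              # unknown unicast: flood within the VLAN only
        if e.port == in_port:
            return set()                              # destination sits on the ingress port: filter
        return {e.port}


def demo() -> dict:
    """Walk through learning, VLAN separation, a move, static pinning, overflow and aging."""
    sw = Switch({10: {"Gi1", "Gi2", "Gi3"}, 20: {"Gi4", "Gi5"}}, capacity=5)
    a, b, c, d = ("00:11:22:33:44:0%d" % i for i in (1, 2, 3, 4))
    s = "00:11:22:33:44:aa"
    sw.add_static(10, s, "Gi1")                                  # a pinned server on Gi1
    r = {}
    r["unknown_flood"] = sw.forward(10, a, b, "Gi1", 0)          # b unknown: {Gi2, Gi3}
    r["known_unicast"] = sw.forward(10, b, a, "Gi2", 1)          # a learned: {Gi1}
    r["other_vlan"] = sw.forward(20, a, b, "Gi4", 2)             # VLAN 20 has its own entries: {Gi5}
    r["after_move"] = sw.forward(10, a, b, "Gi3", 3)             # a now on Gi3; b known: {Gi2}
    r["flaps"] = list(sw.flaps)
    sw.forward(10, s, a, "Gi2", 4)                               # spoofed source: static entry stays put
    r["static_port"] = sw.table[(10, s)].port
    r["same_port"] = sw.forward(10, c, a, "Gi3", 5)              # a is on Gi3, the ingress port: set()
    sw.forward(10, d, a, "Gi1", 6)                               # table full (5 entries): d not learned
    r["overflow_flood"] = sw.forward(10, a, d, "Gi3", 7)         # unicast to d floods: {Gi1, Gi2}
    r["d_learned"] = (10, d) in sw.table
    r["size_full"] = len(sw.table)
    r["after_aging"] = sw.forward(10, b, a, "Gi2", 400)          # idle > 300 s: dynamics gone: {Gi1, Gi3}
    r["size_after_aging"] = len(sw.table)                        # static s plus freshly relearned b
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Two details worth noticing in the run: the spoofed frame from the static address does not move the entry, which is exactly why static entries are used for critical hosts, and once the table is full the fifth host’s traffic is never learned, so replies to it are flooded to every port in the V L A N, including an attacker’s.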
The “show mac address-table” command is the primary way to view the contents of the M A C table on a Cisco I O S switch; older releases spell it “show mac-address-table,” and other vendors use similar commands. It lists all currently learned entries, including the M A C address, the entry type, the associated port, and the V L A N. Administrators can filter the output with keywords such as “interface,” “vlan,” and “address” to focus on a single port, segment, or host, which helps isolate issues. For example, if a device is not receiving traffic, checking the table helps confirm whether its address has been learned and on which port. The exam may present you with command output and ask you to interpret why a certain frame isn’t reaching its destination or why flooding is occurring.
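Reading that output by hand is fine for one host, but the overflow symptom from earlier, a single access port holding hundreds of addresses, is easier to spot programmatically. The parser below is an added example, not from the podcast; it targets the Cisco I O S output layout, the sample output is constructed, and the threshold of eight dynamic addresses per port is an assumption (a trunk or uplink legitimately carries many addresses, so in practice the threshold is set per port role).

```python
"""Parse Cisco IOS "show mac address-table" output and flag ports that look flooded.

Added illustration, not from the podcast. The sample output is constructed; the
per-port threshold is an assumption to be tuned per port role.
"""
import re
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# One row of Cisco IOS output: "  10    0011.2233.4401    DYNAMIC     Gi1/0/1"
ROW = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


def parse_rows(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (vlan, mac, type, port); header, separator and summary lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            yield vlan, mac.lower(), kind.upper(), port


def is_locally_administered(cisco_mac: str) -> bool:
    """Bit 1 of the first octet set: not a vendor-assigned address (random MACs often are)."""
    return int(cisco_mac[:2], 16) & 0x02 != 0


def per_port_stats(text: str, max_dynamic: int = 8) -> Dict[str, dict]:
    """Count dynamic entries per port; an access port far above max_dynamic is suspicious."""
    stats: Dict[str, dict] = defaultdict(lambda: {"dynamic": 0, "locally_administered": 0})
    for _vlan, mac, kind, port in parse_rows(text):
        if kind != "DYNAMIC" or port == "CPU":
            continue                                   # static and CPU entries were not learned
        stats[port]["dynamic"] += 1
        if is_locally_administered(mac):
            stats[port]["locally_administered"] += 1
    for s in stats.values():
        s["suspicious"] = s["dynamic"] > max_dynamic
    return dict(stats)


def build_sample() -> str:
    """Constructed output: three normal ports plus Gi1/0/7 carrying 60 made-up addresses."""
    rows = [
        "          Mac Address Table",
        "-" * 43,
        "",
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
        " All    0100.0ccc.cccc    STATIC      CPU",
        "  10    0011.2233.4401    DYNAMIC     Gi1/0/1",
        "  10    0011.2233.4402    DYNAMIC     Gi1/0/2",
        "  20    0011.2233.4403    STATIC      Gi1/0/3",
    ]
    for n in range(1, 61):
        first = 0x02 if n % 2 else 0x00               # every second made-up address carries the L/A bit
        mac = (f"{first:02x}{n:02x}.{n * 7 % 256:02x}{n * 13 % 256:02x}."
               f"{n * 17 % 256:02x}{n * 19 % 256:02x}")
        rows.append(f"  10    {mac}    DYNAMIC     Gi1/0/7")
    rows.append("Total Mac Addresses for this criterion: 64")
    return "\n".join(rows)


if __name__ == "__main__":
    for port, s in sorted(per_port_stats(build_sample()).items()):
        flag = "  <-- check for MAC flooding" if s["suspicious"] else ""
        print(f"{port:10} dynamic={s['dynamic']:3} "
              f"locally-administered={s['locally_administered']:3}{flag}")
```

The locally-administered count is a supporting signal rather than proof: flooding tools generate random source addresses, and roughly half of any random sample will have that bit set, whereas a port serving real hosts usually shows vendor-assigned addresses. Virtual machines and privacy-randomized clients also use locally-administered addresses, so treat the count together with the per-port total, not alone.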
For more cyber-related content and books, please check out cyber author dot me. Also, there are other podcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Virtual Local Area Networks, or V L A Ns, directly influence how switches manage M A C address tables. Each V L A N has its own logical instance of the table, which allows the same M A C address to exist independently in multiple V L A Ns. This logical separation is vital for maintaining isolation between broadcast domains and ensuring that unicast forwarding occurs only within the correct virtual segment. When a switch learns a M A C address, it associates it with both the port and the V L A N it came from. This means that traffic from V L A N Ten will not be mistakenly forwarded to V L A N Twenty, even if the destination M A C address appears identical.
Troubleshooting issues related to M A C address tables often involves identifying whether the table has learned the correct addresses and whether the associations are accurate. If an expected device is not appearing in the table, it could mean the device has not sent traffic recently, causing its entry to age out. It could also indicate a physical cabling issue or a port configuration mismatch. If an address is tied to the wrong port, it might be due to M A C flapping, unauthorized access, or improper trunking. A flood of unknown traffic, even when devices are present, can point to an overflowed table or to one that was just flushed by a topology change.
Spanning Tree Protocol, or S T P, interacts closely with M A C table behavior, especially during network topology changes. When a switch learns of a change in the network structure, such as a new link becoming active or an existing one going offline, entries that point toward the old path are stale, and forwarding on them would send frames into a dead end. Classic S T P handles this by temporarily shortening the aging time to the forward delay, fifteen seconds by default, so stale entries age out quickly; Rapid S T P flushes the affected entries immediately. Additionally, ports in the blocking or listening state do not learn addresses. Only ports in the learning or forwarding state contribute to address table updates, and only forwarding ports pass user traffic. After convergence is complete and the topology is stable, normal learning and aging resume. The exam may test your understanding of this timing and its impact on address visibility.
Port security adds another layer of control over how M A C addresses are learned and maintained. Administrators can enforce a maximum number of allowed addresses per port, specify which addresses are permitted, and choose how violations are handled. On Cisco switches the violation modes are protect, which silently drops frames from extra addresses; restrict, which drops them but also counts and logs the event; and shutdown, which places the port in the error-disabled state. Protect gives the security team no evidence, and shutdown lets anyone who can plug a second device into a port knock the legitimate host offline, so restrict is often the pragmatic choice on user ports. By limiting the number of addresses and preventing rogue devices from joining, port security also defeats M A C flooding, since the table can never be filled from a port that accepts only a handful of addresses. These features are frequently combined on exam questions.
Sticky M A C addressing and dynamic learning differ in their level of persistence. Sticky addresses are learned dynamically, just like standard entries, but they are then written into the running configuration of the switch. This allows the learned address to persist across reboots if saved to the startup configuration. Dynamic entries, by contrast, are stored only in memory and vanish if the switch is rebooted or if the aging timer expires. Sticky entries offer a hybrid model: flexibility during initial setup and long-term consistency afterward. Understanding this distinction is important for exam questions on configuration behavior and persistence.
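The port security and sticky behavior of the two preceding paragraphs, as an added example for this write-up rather than vendor code. The violation-mode names and the sticky semantics follow Cisco I O S; the log strings, the reload model and the M A C addresses are simplified assumptions.

```python
"""Port security on one access port: maximum count, violation modes, sticky persistence.

Added illustration, not from the podcast. Mode names (protect, restrict, shutdown)
and the sticky behaviour follow Cisco IOS; log strings and reload are simplified.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    maximum: int = 1                       # "switchport port-security maximum N"
    violation: str = "shutdown"            # protect | restrict | shutdown
    sticky: bool = False                   # "switchport port-security mac-address sticky"
    secure: Set[str] = field(default_factory=set)          # MACs currently allowed on the port
    running_config: List[str] = field(default_factory=list)
    startup_config: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def ingress(self, src: str) -> bool:
        """Return True if a frame from src is forwarded, False if the port drops it."""
        src = src.lower()
        if self.err_disabled:
            return False                                   # nobody gets through a shut-down port
        if src in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(src)                           # learn it as a secure address
            if self.sticky:                                # sticky: written to the running config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src}")
            return True
        if self.violation == "protect":
            return False                                   # drop silently: no log, no counter
        self.violations += 1                               # restrict and shutdown both count it
        if self.violation == "restrict":
            self.log.append(f"PSECURE_VIOLATION src={src}")  # drop, count and log (trap on real gear)
            return False
        self.err_disabled = True                           # shutdown: the whole port goes err-disabled
        self.log.append(f"ERR_DISABLE psecure-violation src={src}")
        return False

    def write_memory(self) -> None:
        """Copy running config to startup config ('write memory' / 'copy run start')."""
        self.startup_config = list(self.running_config)

    def reload(self) -> None:
        """Reboot: dynamic secure MACs are lost; sticky ones return only if they were saved."""
        self.err_disabled = False
        self.running_config = list(self.startup_config)
        self.secure = {line.split()[-1] for line in self.running_config}


def demo() -> Dict[str, object]:
    r: Dict[str, object] = {}
    a, b, c = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"

    # Weak: protect mode drops the rogue MAC but leaves no trace for the SOC.
    weak = SecurePort(maximum=1, violation="protect")
    weak.ingress(a)
    r["protect_drops"] = weak.ingress(b)
    r["protect_evidence"] = (weak.violations, len(weak.log))

    # Better: restrict mode keeps the port up, drops the extra MAC, and logs it.
    p = SecurePort(maximum=2, violation="restrict", sticky=True)
    r["learned"] = (p.ingress(a), p.ingress(b))
    r["rogue_dropped"] = p.ingress(c)
    r["legit_still_up"] = p.ingress(a)
    r["restrict_evidence"] = (p.violations, len(p.log))
    r["sticky_lines"] = len(p.running_config)
    p.reload()                                     # nobody saved: the sticky addresses are gone
    r["after_unsaved_reload"] = sorted(p.secure)
    p.ingress(c)                                   # the slots are free now, so c is accepted
    p.write_memory()
    p.reload()
    r["after_saved_reload"] = sorted(p.secure)

    # shutdown mode: one rogue frame takes the legitimate host offline too.
    s = SecurePort(maximum=1, violation="shutdown")
    s.ingress(a)
    r["shutdown_rogue"] = s.ingress(b)
    r["shutdown_legit"] = (s.ingress(a), s.err_disabled)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The unsaved reload is the operational trap with sticky addresses: the first device to send a frame after the reboot claims the freed slot, which is why sticky ports are saved to the startup configuration as part of provisioning rather than left to chance.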
During failover events, such as when a primary link goes down and traffic reroutes over a backup path, the M A C address table must be updated to reflect the new port associated with each device. This process is not instantaneous—it depends on new frames being sent, which allows the switch to relearn the M A C address on the new interface. Until that happens, frames may be flooded or dropped. This relearning delay can impact critical services. Some switches support faster convergence features, but the underlying concept remains: failover resets the learned path, and M A C learning must occur again to restore optimal unicast forwarding.
The broader purpose of M A C address tables can be summarized by three main ideas: association, learning, and efficient forwarding. Switches use these tables to map M A C addresses to physical ports, building the table dynamically by observing traffic. They keep the table clean through aging and react to topology or configuration changes by updating or resetting it. Whether it’s identifying where a device resides or deciding how to deliver a frame, the M A C table sits at the center of Layer Two decision-making. Without it, switches would be limited to blind flooding, creating excessive overhead and limiting performance.
Switches also rely on the M A C address table when supporting features like link aggregation and multicast snooping. With link aggregation, multiple physical ports are grouped into a single logical link, and the table records addresses against that logical port-channel interface rather than against an individual member, so a frame can leave on any member without the address appearing to move. Multicast snooping keeps a separate table of which ports have interested receivers for each group, which constrains multicast frames that would otherwise be flooded throughout the V L A N like broadcasts. Quality of service classification sits in the same forwarding pipeline but is driven by header fields, not by the address table. On the exam, these extended uses of the M A C table may appear in complex scenario questions.
Another important aspect is the interaction between M A C tables and access control technologies. Network Access Control solutions may use data from the M A C table to enforce policies or track endpoint locations. Similarly, security appliances might query or receive M A C table updates to map users to physical ports. This visibility aids in tracing activity across the network and responding to incidents quickly. While not the primary focus of entry-level exams, this broader context may appear in scenario-based questions where visibility and policy enforcement intersect with switching behavior.
In conclusion, the M A C address table is not merely a lookup chart inside a switch—it is the engine that powers intelligent traffic delivery at Layer Two. It enables unicast forwarding, limits broadcast dependency, and supports security and segmentation through features like V L A Ns and port security. By dynamically learning addresses from source frames and aging out unused entries, the switch adapts to changes in real time. Whether you are troubleshooting flooding behavior, analyzing switch logs, or identifying configuration errors on the certification exam, a solid understanding of how the M A C address table works will guide you toward the correct answers every time.
