
How switches actually learn MAC addresses


A switch starts life completely ignorant. It has no idea what's plugged into any port. Within milliseconds of the first frame, it starts learning, and within seconds it has a complete picture of the local network. The whole behavior comes from two rules.

Interactive diagram: switch SW1 with host A on port 1 (AA:AA:AA), host B on port 2 (BB:BB:BB) and host C on port 3 (CC:CC:CC); the MAC table (MAC, port) starts empty.

The two rules

Rule 1 — Learn the source. When a frame arrives on a port, the switch records: "source MAC X is reachable via port N." That entry goes into the MAC address table (also called CAM table, forwarding table, or bridge table).

Rule 2 — Forward based on destination. When the same switch later sees a frame whose destination MAC is X, it looks up X in its table. If X is known to be on port N, the frame is unicasted out port N only. If X is unknown (or the destination is broadcast / multicast), the frame is flooded out every port except the one it came in on.

That's the whole thing. Everything else — VLAN segmentation, STP, port security — is bookkeeping around these two rules.

MAC table aging

Entries don't live forever. Default aging is 5 minutes on Cisco; if no frame from a particular source MAC is seen for that long, the entry is removed. This keeps stale entries from accumulating when laptops move between ports or get unplugged.

You'll see the table on different vendors:

  • Cisco IOS — show MAC table (show mac address-table)
  • Nokia SR OS — show fdb

Unknown unicast flooding

When a switch receives a frame for an unknown destination MAC, it floods it. This is necessary at the start of any new conversation: how else does A's first frame to B reach B? But it's also a security and capacity concern:

  • A flooded frame goes everywhere in the VLAN — anyone listening can see it.
  • A storm of unknown unicasts (or broadcasts) can saturate trunks.

Unicast flood blocking (port-level config) and storm control (rate-limits broadcast/multicast/unknown-unicast per port) are the typical countermeasures.

What happens during topology changes

If a switch knows MAC X is on port Gi1/0/3, and the user then unplugs their laptop and plugs it into Gi1/0/7, the switch will keep sending frames to Gi1/0/3 until either:

  1. The first frame from the laptop on Gi1/0/7 arrives — Rule 1 re-learns it.
  2. The aging timer expires (5 minutes) and the entry is flushed.

A topology change (STP TCN, link flap) typically triggers an immediate flush of dynamically learned MACs to avoid black-holing traffic until normal aging catches up.

CAM exhaustion attacks

The MAC table has a fixed size. An attacker generating millions of forged-source frames can fill it up; once full, the switch can no longer learn new addresses, so every frame to a destination it hasn't learned is flooded (because nothing new is ever "known"). That's effectively a downgrade to a hub — and an opportunity to sniff. Defenses:

  • Port security caps the number of MACs per port.
  • DAI / DHCP snooping validates that ARP claims and DHCP responses match a trusted source.

What to remember

  • Two rules: learn the source, forward by destination, flood if unknown.
  • MAC table entries age out (5 min default).
  • Unknown unicasts get flooded — security and capacity implications.
  • A switch with a full MAC table degrades to hub-like behavior. Use port security to cap.