How switches actually learn MAC addresses
A switch starts life completely ignorant. It has no idea what's plugged into any port. Within milliseconds of the first frame, it starts learning, and within seconds it has a complete picture of the local network. The whole behavior comes from two rules.
The two rules
Rule 1 — Learn the source. When a frame arrives on a port, the switch records: "source MAC X is reachable via port N." That entry goes into the MAC address table (also called CAM table, forwarding table, or bridge table).
Rule 2 — Forward based on destination. When the same switch later sees a frame whose destination MAC is X, it looks up X in its table. If X is known to be on port N, the frame is unicasted out port N only. If X is unknown (or the destination is broadcast / multicast), the frame is flooded out every port except the one it came in on.
That's the whole thing. Everything else — VLAN segmentation, STP, port security — is bookkeeping around these two rules.
MAC table aging
Entries don't live forever. Default aging is 5 minutes on Cisco; if no frame from a particular source MAC is seen for that long, the entry is removed. This keeps stale entries from accumulating when laptops move between ports or get unplugged.
Unknown unicast flooding
When a switch receives a frame for an unknown destination MAC, it floods it. This is necessary on day 1 of any new conversation: how else does A's first frame to B reach B? But it's also a security and capacity concern:
- A flooded frame goes everywhere in the VLAN — anyone listening can see it.
- A storm of unknown unicasts (or broadcasts) can saturate trunks.
Unicast flood blocking (port-level config) and storm control (rate-limits broadcast/multicast/unknown-unicast per port) are the typical countermeasures.
What happens during topology changes
If a switch knows MAC X is on port Gi1/0/3, and the user then unplugs their laptop and plugs it into Gi1/0/7, the switch will keep sending frames to Gi1/0/3 until either:
- The first frame from the laptop on Gi1/0/7 arrives — Rule 1 re-learns it.
- The aging timer expires (5 minutes) and the entry is flushed.
A topology change (STP TCN, link flap) typically triggers an immediate flush of dynamically learned MACs to avoid black-holing traffic until normal aging catches up.
CAM exhaustion attacks
The MAC table has a fixed size. An attacker generating millions of forged-source frames can fill it up; once full, the switch defaults to flooding everything (because nothing is "known"). That's effectively a downgrade to a hub — and an opportunity to sniff. Defenses:
- Port security caps the number of MACs per port.
- DAI / DHCP snooping validates that ARP claims and DHCP responses match a trusted source.
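The following simulator is an added example, not code from the original page or from any vendor. It models the two rules, aging, the re-learn after a port move, the flush on a topology change, and the CAM-exhaustion degradation described above, plus a port-security style cap on MACs per port as the countermeasure. Port names, MAC addresses, the 4-entry table size and the forged-source loop are all constructed for the demonstration; a real switch's table is far larger and its behaviour when full is vendor-specific.

```python
"""Learning-switch simulator (added example; toy model, not vendor code).
Rule 1: learn the source.  Rule 2: forward by destination, flood if unknown.
Also: aging, topology-change flush, and a port-security style per-port cap."""
from dataclasses import dataclass


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast: the I/G bit is the low bit of octet 0."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Entry:
    port: str
    last_seen: float  # seconds; drives aging


class LearningSwitch:
    def __init__(self, ports, aging_secs=300.0, table_size=4, max_macs_per_port=None):
        self.ports = list(ports)
        self.aging_secs = aging_secs                # 300 s = the Cisco default
        self.table_size = table_size                # CAM capacity (tiny, to show exhaustion)
        self.max_macs_per_port = max_macs_per_port  # port-security style cap, or None
        self.table: dict[str, Entry] = {}           # the MAC / CAM / forwarding table
        self.violations: list[tuple[str, str]] = []  # (port, mac) rejected by the cap

    def _age_out(self, now: float) -> None:
        """Drop entries whose source has been silent for aging_secs."""
        for mac in [m for m, e in self.table.items() if now - e.last_seen >= self.aging_secs]:
            del self.table[mac]

    def _learn(self, src: str, in_port: str, now: float) -> bool:
        """Rule 1. Returns False only when the per-port cap rejects the source."""
        entry = self.table.get(src)
        if entry is not None:                        # refresh; re-learn if the host moved
            entry.port, entry.last_seen = in_port, now
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for e in self.table.values() if e.port == in_port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((in_port, src))
                return False
        if len(self.table) < self.table_size:        # a full table simply fails to learn
            self.table[src] = Entry(in_port, now)
        return True

    def receive(self, in_port: str, src: str, dst: str, now: float) -> list[str]:
        """Process one frame and return the egress ports it is sent out of."""
        self._age_out(now)
        if not self._learn(src, in_port, now):
            return []                                # 'protect' style: drop silently
        known = self.table.get(dst)                  # Rule 2
        if known is None or is_group_address(dst):
            return [p for p in self.ports if p != in_port]   # flood, minus ingress
        return [] if known.port == in_port else [known.port]  # unicast (or filter)

    def topology_change(self) -> None:
        """STP TCN / link flap: flush every dynamically learned entry."""
        self.table.clear()


# Constructed hosts (documentation OUI) and port names.
A, B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
PORTS = ["Gi1/0/1", "Gi1/0/3", "Gi1/0/7"]


def conversation_demo() -> dict:
    """A on Gi1/0/1 talks to B on Gi1/0/3; B later moves to Gi1/0/7."""
    sw, r = LearningSwitch(PORTS), {}
    r["first_frame"] = sw.receive("Gi1/0/1", A, B, now=0)       # B unknown: flooded
    r["reply"] = sw.receive("Gi1/0/3", B, A, now=1)             # A known: unicast
    r["unicast"] = sw.receive("Gi1/0/1", A, B, now=2)           # both known now
    r["stale_after_move"] = sw.receive("Gi1/0/1", A, B, now=3)  # B moved silently: old port
    sw.receive("Gi1/0/7", B, A, now=4)                          # B speaks: Rule 1 re-learns
    r["relearned"] = sw.receive("Gi1/0/1", A, B, now=5)
    r["aged_out"] = sw.receive("Gi1/0/1", A, B, now=305)        # 300 s silence: flood again
    sw.receive("Gi1/0/7", B, A, now=306)
    sw.topology_change()                                        # TCN flushes the table
    r["after_flush"] = sw.receive("Gi1/0/1", A, B, now=307)
    return r


def cam_exhaustion_demo(max_macs_per_port=None) -> dict:
    """Forged sources on Gi1/0/3 fill the table; A (Gi1/0/1) and B (Gi1/0/7) are victims."""
    sw = LearningSwitch(PORTS, table_size=4, max_macs_per_port=max_macs_per_port)
    sw.receive("Gi1/0/1", A, B, now=0)                          # A learned
    for i in range(10):                                         # constructed forged sources
        sw.receive("Gi1/0/3", f"02:00:00:00:00:{i:02x}", A, now=1)
    sw.receive("Gi1/0/7", B, A, now=2)                          # B can only be learned if room
    return {
        "table_size": len(sw.table),
        "violations": len(sw.violations),
        "a_to_b": sw.receive("Gi1/0/1", A, B, now=3),           # flooded = hub-like
    }


if __name__ == "__main__":
    print(conversation_demo())
    print("no cap:", cam_exhaustion_demo())
    print("cap 1 :", cam_exhaustion_demo(max_macs_per_port=1))
```

Without the cap, the ten forged sources occupy the three free slots, B never gets learned, and A's frames to B are flooded onto the attacker's port. With `max_macs_per_port=1`, only the first forged source is learned, the other nine are recorded as violations and dropped, B is learned normally, and A's frames reach B alone.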
What to remember
- Two rules: learn the source, forward by destination, flood if unknown.
- MAC table entries age out (5 min default).
- Unknown unicasts get flooded — security and capacity implications.
- A switch with a full MAC table degrades to hub-like behavior. Use port security to cap.