What Does MAC address table Mean?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
A MAC address table is like a guest list that a network switch uses to remember which devices are connected to which port. When a device sends data, the switch checks the table to see where to send the reply. This helps the network run efficiently and avoid sending data everywhere.
Common Commands & Configuration
show mac address-tableDisplays the entire MAC address table, including VLAN, MAC address, type (dynamic, static, secure), and port for each entry. Used to verify learned addresses and troubleshoot connectivity issues.
Appears in CCNA and Network+ exams to test your ability to read the table and identify which port a known MAC is on. Also used to detect flapping.
show mac address-table aging-timeShows the configured aging time for MAC entries (default 300 seconds on Cisco). Allows verification of how long entries are kept before removal.
CCNA questions may ask for the default aging time or how to change it. Network+ may test the concept that aging prevents stale entries.
mac address-table aging-time 120 vlan 10Sets the MAC address table aging time to 120 seconds for VLAN 10. Used to reduce aging time in dynamic environments or to speed up convergence after failures.
This is a CCNA-level configuration command; you must know the syntax (global config mode) and that it applies per VLAN or globally.
switchport port-security maximum 2Configures port security on an interface to allow a maximum of two MAC addresses. When exceeded, the switch takes a violation action (default shutdown).
CCNA Security and Security+ both test port security as a defense against CAM overflow. Remember the default violation mode is 'shutdown'.
clear mac address-table dynamicClears all dynamic MAC entries from the table. Used during troubleshooting or after a topology change to force re-learning.
show mac address-table countDisplays the total number of MAC entries and the available CAM space. Useful to detect CAM overflow or verify table usage.
Security+ and CCNA: if the count is near maximum, the switch may flood traffic. This command helps diagnose CAM overflow attacks.
mac address-table static aaaa.bbbb.cccc vlan 10 interface gi1/0/1Creates a static MAC address entry, tying the MAC to a specific port and VLAN. Ensures traffic to that MAC is always forwarded out that port.
Static entries are used for critical devices (servers, network appliances). CCNA asks why you'd use static vs dynamic-security and predictability.
MAC address table appears directly in 11exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
The MAC address table appears explicitly in several major certification exams, and its importance varies depending on the exam's focus.
For the CCNA exam, the MAC address table is a core objective. Cisco expects you to know how to interpret the output of show mac address-table, understand the difference between dynamic and static entries, and configure port security to limit the number of learned MAC addresses. You may encounter multiple-choice questions about what a switch does when it receives a frame with an unknown destination MAC, or scenario-based questions where you must determine which port a given MAC address is on. VLAN-related questions often involve the MAC address table because each VLAN maintains its own table.
The Network+ exam (N10-008 or N10-009) covers the MAC address table as part of network switching fundamentals. You need to explain how switches use MAC addresses to forward frames, the concept of the CAM table, and the flooding process for unknown unicast frames. Questions may ask you to compare switches to hubs or routers, or to describe the learning process. Performance-based questions might ask you to fill in missing table entries based on traffic flows.
For Security+, the MAC address table is relevant primarily through security threats and defenses. MAC flooding attacks are a well-known attack vector, and port security is a standard mitigation. You should understand how an attacker can use macof tools to flood the CAM table and how features like MAC address limiting, sticky MAC, and 802.1X can protect against it. Security+ may also touch on MAC spoofing, where an attacker changes their MAC address to impersonate another device.
The A+ exam (220-1101) covers the MAC address table at a lighter level. You need to know that switches use MAC addresses to direct traffic and that hubs do not. It is considered supporting knowledge for understanding how a local network operates, but it is not a heavy topic.
Amazon's AWS SAA and Google's ACE exams treat the MAC address table as background knowledge for understanding VPC networking. In AWS, virtual private clouds use an internal MAC address table for the hypervisor-level switching. You do not need to interpret CLI output, but you should understand that traffic between EC2 instances in the same subnet is switched at Layer 2 using MAC addresses. Questions about VPC peering or transit gateways may require understanding that Layer 2 adjacency is preserved or broken.
For Azure's AZ-104, the concept is similar to AWS. Azure virtual networks use software switches that maintain MAC tables, but you are more likely to be tested on IP addressing and routing than on the technical details of MAC learning. Nonetheless, questions about Azure VNet peering or network security groups (NSGs) may implicitly rely on Layer 2 switching.
the MAC address table is primary for CCNA and Network+, also useful for Security+ and A+, and light supporting for cloud exams. The depth of knowledge required is highest for CCNA, where you may be asked to troubleshoot.
Simple Meaning
Imagine you work in a large office building with many rooms. Each room has a nameplate with the name of the person who works there. When a visitor arrives and asks for a specific person, you look at the nameplates to know exactly which room to direct them to. You do not shout the person's name to every room, because that would be noisy and inefficient.
A MAC address table works in a similar way inside a network switch. The switch is like the central hub that connects computers, printers, and other devices in a local network. Each device has a unique hardware identifier called a MAC address, which is like a permanent nameplate. When a device first sends data through the switch, the switch makes a note: 'Device with MAC address AA:BB:CC:DD:EE:FF is on port 1.' It stores this note in its MAC address table.
After that, if another device wants to talk to that first device, the switch looks up its MAC address table. It sees the port number and sends the data only to that port. This prevents the data from going to every single device on the network, which would waste bandwidth and cause confusion. The table is constantly being updated as devices connect, disconnect, or move to different ports.
If the switch does not find a MAC address in its table, it sends the data out to all ports except the one it came from, a process called flooding. This is like a visitor asking for someone whose nameplate is not on the board, so you ask everyone in the building. The switch learns from the response and adds the new information to the table for future use.
Over time, the MAC address table can become very large, especially in busy networks with many devices. Switches have a limited amount of memory for this table, so they remove old entries that have not been used for a while. This keeps the table efficient and prevents it from overflowing.
Everything I just described is happening automatically, thousands of times per second, inside the switch. The MAC address table is a fundamental part of what makes a switch a switch, distinguishing it from older hubs that simply repeated every signal to all ports.
Full Technical Definition
A MAC address table, also known as a Content Addressable Memory (CAM) table, is a key data structure in network switches that enables Layer 2 forwarding decisions. The table contains entries that associate a device's MAC address with a specific switch port and VLAN. When a switch receives an Ethernet frame, it examines the destination MAC address, looks it up in the MAC address table, and forwards the frame only to the port where that MAC address resides. This process is called transparent bridging and is defined by IEEE 802.1D.
The MAC address table is stored in high-speed CAM, which allows the switch to perform lookups in a single clock cycle regardless of table size. Each entry typically includes the MAC address (48 bits), the VLAN ID (12 bits for 802.1Q tagging), the associated port number, and a timestamp indicating when the entry was last used. The switch learns entries dynamically by examining the source MAC address of incoming frames. When a frame arrives on a port, the switch records the source MAC and the port in the table if it is not already present. If the entry already exists, the switch updates the timestamp to keep it current.
The aging process is controlled by a timer, commonly 300 seconds (5 minutes) by default on many Cisco switches, but configurable. If the switch does not see a frame from a particular source MAC address before the timer expires, it removes the entry. This ensures that the table adapts to devices that move or disconnect. Static or permanent entries can be manually configured for security or to prevent aging, for example on trunk ports or for servers with fixed addresses.
When a frame arrives with a destination MAC address that is not in the MAC address table, the switch cannot determine the correct port. In that case, it floods the frame out of all ports except the ingress port. This is a normal and necessary behavior for unknown unicast frames, but it can also be a security concern. If an attacker sends frames with spoofed source MAC addresses, the switch may learn incorrect mappings, a form of MAC flooding attack that can overflow the table and force the switch into hub-like behavior.
The MAC address table is also intimately involved with VLANs. Each VLAN maintains its own logical table, so a switch with multiple VLANs will have separate forwarding domains. A frame tagged with VLAN 10 will only be looked up in the MAC address table entries for VLAN 10. This isolation is fundamental to VLAN functionality and security.
In the context of exam objectives, the CCNA and Network+ exams expect you to understand the output of the show mac address-table command on Cisco switches, including how to interpret static, dynamic, and secure entries. You should be able to describe the learning, forwarding, and filtering decisions a switch makes based on the MAC address table. Security+ exams cover MAC flooding attacks and port security as countermeasures to protect the MAC address table. AWS SAA and Google ACE exams treat the concept as background knowledge, since virtual switches in cloud environments maintain similar tables for VPC traffic.
Real-Life Example
Think of a large library with many reading rooms. Each reading room has a sign on the door with the name of the person currently using it. The librarian at the front desk has a logbook that lists each person's name and the room they are sitting in. When a person in Room A wants to send a message to a person in Room C, they hand the note to the librarian. The librarian checks the logbook, sees that the recipient is in Room C, and walks the note directly to Room C without disturbing anyone else.
If the librarian does not know where the recipient is, they have to call out the name across the entire library, which disturbs everyone. When the recipient answers, the librarian writes down the room number in the logbook for next time. This is exactly how a MAC address table works: the switch learns where devices are by watching traffic, and it uses that knowledge to send data directly to the correct port instead of flooding all ports.
The logbook entries are not permanent. If a person leaves the library and does not come back for several hours, the librarian erases their name to free up space. Similarly, if a person moves to a different room, the first message sent from that person's new location will update the logbook. This ensures the logbook always reflects the current location of each person.
Now imagine a busy library where hundreds of people come and go. The logbook might have hundreds of entries. If someone tries to join by claiming to be an existing name from a different room, the librarian might update the entry incorrectly. In networking, this is a MAC spoofing attack. The library might then enforce a rule that only certain people can reserve rooms, which is similar to port security on a switch.
In a virtual environment like a cloud data center, the library is replaced by a virtual switch inside a hypervisor. The logbook is still a MAC address table, but it operates in software. The same learning and forwarding logic applies, but the scale can be enormous, with thousands of virtual machines each having their own MAC addresses.
This analogy highlights the core purpose of the MAC address table: it is a dynamic directory that allows a switch to make intelligent forwarding decisions, reducing unnecessary traffic and keeping the network efficient.
Why This Term Matters
The MAC address table is what makes a switch a switch. Without it, every frame would be broadcast to every port, turning a modern switched network into a noisy, inefficient hub. The table enables the switch to filter traffic, so data goes only where it needs to go. This reduces collisions, saves bandwidth, and improves overall network performance.
In real-world IT environments, understanding the MAC address table is crucial for troubleshooting connectivity issues. If a device cannot communicate, a common first step is to check whether the switch has learned the device's MAC address. For example, if a computer is plugged into a switch but cannot access the network, an administrator might run a command to verify that the MAC address appears on the correct port. If it does not, the problem may be a bad cable, a disabled port, or a VLAN mismatch.
Securing the MAC address table is also a key part of network security. Attackers can try to overflow the table with fake MAC addresses, causing the switch to fail open and flood all traffic, which they can then capture. Port security features allow an administrator to limit the number of MAC addresses per port and to take action if a violation occurs, such as shutting down the port. This protects against MAC flooding attacks.
For cloud and SDN (software-defined networking) professionals, the concept extends to virtual switches. Whether you are working with VMware vSphere, AWS VPC, or Azure Virtual Networks, the underlying principle of MAC learning and forwarding is the same. Understanding the MAC address table helps you predict how traffic flows inside a virtual network and diagnose problems like asymmetric routing or ARP issues.
the MAC address table is not just an abstract exam topic. It is a live, dynamic component of every switched network, from a small office to a massive data center. Mastering it gives you a practical edge in network administration, security, and cloud engineering.
How It Appears in Exam Questions
Exam questions about the MAC address table can take several forms. The most common is a multiple-choice question that tests your understanding of the switch learning and forwarding process. For example: 'What does a switch do when it receives a frame with a destination MAC address that is not in its MAC address table?' The correct answer is that it floods the frame out of all ports except the one it came from. A distractor might say it drops the frame or sends it to the default gateway.
Another pattern involves interpreting a MAC address table. A question might show a table with columns for VLAN, MAC address, type, and port. You might be asked: 'Which port is the device with MAC address 0050.7966.6800 connected to?' Or: 'Which MAC address is dynamically learned on port GigabitEthernet0/2?' These questions test your ability to read CLI output.
Scenario-based questions are common in CCNA and Network+. For instance: 'A user reports that their workstation cannot reach a server in the same VLAN. The switch shows that the server's MAC address is learned on a different port than expected. What is the most likely cause?' The answer might be a misconfigured trunk or a MAC address that was incorrectly learned due to a loop. You need to think about how the MAC address table gets populated and what can go wrong.
Troubleshooting questions may ask about aging. For example: 'After moving a PC from port 1 to port 3 on the same switch, the PC cannot communicate immediately. Why?' The answer is that the switch still has the old MAC address entry in the table, and until it ages out or a new frame is sent from the new port, the switch forwards traffic to the old port. This leads to temporary connectivity loss.
Configuration-based questions appear in CCNA where port security is involved. 'An administrator configures port security with a maximum of 2 MAC addresses. A third device is connected, and the port goes into errdisable state. What caused this?' The answer ties directly to the MAC address table being full for that port. The question tests both your knowledge of port security and your understanding of how the MAC address table is managed per port.
Finally, some questions focus on attacks. 'An attacker connects to a switch and sends numerous frames with random source MAC addresses. What is the likely result?' The answer is that the MAC address table becomes full, causing the switch to flood all frames, which the attacker can then capture. This is a classic MAC flooding attack, and you need to know that port security or a dedicated feature like DHCP snooping can prevent it.
Practise MAC address table Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are setting up a small office network with a single switch. Four computers are connected: PC-A on port 1, PC-B on port 2, PC-C on port 3, and PC-D on port 4. You want to verify that the switch is learning their MAC addresses correctly.
You open a command prompt on PC-A and ping PC-B's IP address. At first, PC-A sends an ARP request to find PC-B's MAC address. The switch receives this ARP request on port 1. The switch looks at the source MAC address of the ARP request, which is PC-A's MAC, and adds an entry in the MAC address table: 'Port 1 belongs to MAC-A.' Since the destination MAC is the broadcast address (FF:FF:FF:FF:FF:FF), the switch floods the ARP request to all ports except port 1, including port 2.
PC-B receives the ARP request, sees its own IP, and sends an ARP reply back to PC-A. The switch receives this ARP reply on port 2. It learns PC-B's MAC address: 'Port 2 belongs to MAC-B.' Now the switch has both entries in its MAC address table.
Next, PC-A sends the actual ICMP ping to PC-B. The destination MAC is MAC-B. The switch looks up MAC-B in its table and finds it is on port 2. It forwards the frame only to port 2. PC-B receives the ping and replies. The switch now knows where both devices are and can forward future traffic directly.
Now suppose you disconnect PC-C from port 3 and reconnect it to port 5 (which was previously empty). When PC-C sends its first frame, the switch sees the source MAC on port 5 and updates its MAC address table. The old entry for PC-C on port 3 is eventually aged out after the timer expires. During the transition, traffic sent to PC-C might still be forwarded to port 3 until the table is updated, which is why you might see brief connectivity interruption after moving a device.
This scenario is classic for CCNA and Network+ exams. It demonstrates the learning, forwarding, and aging processes that are part of the switch's basic operation.
Common Mistakes
Confusing MAC address table with routing table
A MAC address table operates at Layer 2 and uses MAC addresses to forward frames within the same network segment. A routing table operates at Layer 3 and uses IP addresses to forward packets between different networks.
Remember that switches use MAC address tables for local forwarding, and routers use routing tables for inter-network forwarding.
Thinking the MAC address table is static
The table dynamically learns MAC addresses as traffic flows. Entries age out after a period of inactivity. It is not a fixed list; it constantly adapts.
Treat the MAC address table as a dynamic learning database that updates with every frame and removes old entries after a timeout.
Believing a switch floods all frames by default
A switch only floods frames when the destination MAC address is unknown (not in the MAC address table) or when it is a broadcast/multicast address. Known unicast frames are forwarded only to the correct port.
Understand that flooding is the exception, not the rule. The switch uses the MAC address table to make targeted forwarding decisions.
Forgetting that each VLAN has its own MAC address table
A switch maintains a separate MAC address table for each VLAN. A device's MAC address might appear in multiple VLANs if it is on a trunk port, but the table entries are VLAN-specific.
When troubleshooting, always note the VLAN. The MAC address table output shows the VLAN ID, and entries in one VLAN do not affect forwarding in another.
Assuming all MAC addresses in the table are learned dynamically
MAC address tables can contain dynamically learned entries, statically configured entries (e.g., for a server or a trunk), and secure entries from port security. The table type column in show output indicates this.
Check the type column (dynamic, static, secure) in the MAC address table output to understand how each entry was added.
Exam Trap — Don't Get Fooled
{"trap":"A switch receives a frame from a device with a source MAC address that is already in the MAC address table, but on a different port. The switch drops the frame.","why_learners_choose_it":"Learners often think that any change in the MAC address table is suspicious and that the switch should drop the frame to prevent a potential loop or attack."
,"how_to_avoid_it":"Actually, the switch updates the MAC address table with the new port information and forwards the frame normally. This is standard behavior that allows for device mobility. Dropping the frame would cause connectivity loss.
The switch trusts the new information because the source MAC is in the incoming frame. This is a typical trap in CCNA questions where the correct answer is 'update the table and forward.'
Commonly Confused With
The ARP table maps IP addresses to MAC addresses and is stored on end devices like computers and routers. The MAC address table maps MAC addresses to switch ports and is stored on switches. They serve different purposes: ARP helps find the MAC for a given IP, while the MAC address table helps find the port for a given MAC.
A computer uses its ARP table to know that 192.168.1.2 corresponds to MAC AA:BB:CC:DD:EE:FF. The switch uses its MAC address table to know that MAC AA:BB:CC:DD:EE:FF is on port 5.
A routing table is used by routers to make Layer 3 forwarding decisions based on IP addresses and network prefixes. A MAC address table is used by switches for Layer 2 forwarding within the same broadcast domain. Routers look at the destination IP, while switches look at the destination MAC.
When you send data to a website, your router checks its routing table to find the next hop IP. The switch along the way only cares about the MAC address of the next device, which it looks up in its MAC address table.
Port security is a feature that restricts how many MAC addresses can be learned on a switch port. The port security table is a subset of the MAC address table, containing only the secure entries for a given port. Port security can also specify actions when a violation occurs.
Configuring 'switchport port-security maximum 2' limits the MAC address table on that port to only two dynamic or sticky entries. If a third device connects, the port security table triggers a violation, but the MAC address table itself still exists for other ports.
CAM table is just another name for the MAC address table. CAM stands for Content Addressable Memory, which is the high-speed hardware used to store and search the table. The terms are interchangeable in most networking contexts.
A Cisco switch's 'show mac address-table' command shows the same data as the CAM table. Some documents use the term CAM table to emphasize the hardware implementation.
Step-by-Step Breakdown
Frame arrival
An Ethernet frame arrives at a switch port. The switch reads the source and destination MAC addresses from the frame header. The source MAC is the address of the device that sent the frame, and the destination MAC is the intended recipient.
Source MAC learning
The switch checks its MAC address table for the source MAC address. If it is not present, the switch creates a new entry: it records the source MAC, the ingress port number, and the VLAN ID. If the entry already exists but on a different port, the switch updates it with the new port information because the device may have moved.
Destination MAC lookup
The switch then looks up the destination MAC address in its MAC address table. This lookup determines whether the switch knows the correct egress port for this frame.
Forwarding decision
If the destination MAC is found in the table, the switch forwards the frame only to the associated port. This is called unicast forwarding. If the destination MAC is a broadcast (FF:FF:FF:FF:FF:FF) or multicast address, the switch floods the frame to all ports except the ingress port.
Flooding for unknown unicast
If the destination MAC is a unicast address but not present in the MAC address table, the switch floods the frame out of all ports except the one it came from. This ensures the frame reaches its destination even though the switch does not yet know where it is.
Age timer update
Each time a switch sees a frame with a source MAC that is already in the table, it updates the associated timestamp for that entry. This keeps the entry alive. If no traffic is received from that MAC address for the duration of the aging timer (commonly 300 seconds), the entry is removed.
Table entry removal
The switch periodically checks its MAC address table for entries that have exceeded the aging time. Those entries are deleted, freeing up space for new entries. Static entries are never aged out unless manually deleted.
VLAN isolation
The switch maintains separate MAC address tables for each VLAN. A frame tagged with VLAN 10 will only be looked up in the VLAN 10 table. This ensures that traffic from one VLAN is not inadvertently forwarded to ports in another VLAN, preserving security and segmentation.
Practical Mini-Lesson
As a network professional, you will frequently interact with the MAC address table, whether you are configuring a new switch, troubleshooting a connectivity issue, or securing the network. Understanding the table from a practical standpoint is essential.
Let us start with the command line. On a Cisco switch, the most common command is show mac address-table. This displays all MAC entries the switch has learned. The output typically includes columns for VLAN, MAC address, type (dynamic, static, secure), and port. You can filter the output with show mac address-table dynamic to see only dynamically learned entries, or show mac address-table address aaaa.bbbb.cccc to find a specific MAC.
When a user reports that they cannot reach a server in the same VLAN, one of the first things you should check is whether the switch knows the server's MAC address. If the server is on the same switch, you can verify that the MAC appears on the correct port. If it appears on a different port, there may be a loop or a misconfiguration. If it does not appear at all, the server might be down, disconnected, or on a different VLAN.
Another practical scenario is when you need to clear the MAC address table. You might do this after moving a large number of devices to new ports. The command clear mac address-table dynamic will remove all dynamically learned entries, forcing the switch to re-learn them. Be aware that this can cause temporary flooding while the table rebuilds, which could impact performance.
Port security is another area where the MAC address table is directly involved. If you configure port security with a maximum of one MAC address, the switch will only allow one device to connect to that port. If you also use sticky MAC, the switch automatically converts the first learned MAC to a static secure entry. The show port-security command displays the secure MAC addresses and any violations.
In larger environments with many switches, you may need to check the MAC address table on multiple switches to trace the path of a frame. For example, if you are troubleshooting an end-to-end connectivity issue, you can look at the access switch to find the client's MAC, then check the distribution switch to see if the same MAC is learned on the uplink port. This helps you confirm that traffic is flowing correctly across the network.
Finally, remember that the MAC address table is not just a Cisco concept. Juniper switches use the command show ethernet-switching table. Arista uses show mac address-table. All follow the same logic. In the cloud, AWS VPC uses an internal MAC forwarding table, but you cannot view it directly. However, understanding how it works helps you predict behavior when you look at VPC Flow Logs or troubleshoot asymmetric routing.
In practice, the MAC address table is always working, silently switching billions of frames. As a professional, your ability to read and interpret it will save you hours of troubleshooting time.
Understanding the MAC Address Table and Its Role in Layer 2 Forwarding
The MAC address table, also known as the Content Addressable Memory (CAM) table, is the core forwarding table used by network switches at Layer 2 of the OSI model. Every managed switch maintains this table to map MAC addresses (unique hardware identifiers of network interfaces) to the specific switch port on which the device with that MAC address was last seen. When a frame arrives on a port, the switch examines the destination MAC address, looks up that address in its MAC address table, and forwards the frame only out the port associated with that destination. If the MAC address is not in the table (an unknown unicast), the switch floods the frame out all ports in the VLAN except the incoming port. This process allows efficient traffic isolation and prevents unnecessary collisions, making Ethernet switching scalable.
The table is dynamically built as devices send traffic. When a switch receives a frame, it learns the source MAC address and updates its table with the port number and VLAN ID. Entries are aged out after a configurable time (typically 300 seconds for Cisco switches) if no further traffic is seen. Static MAC entries can also be configured manually to enforce security or reserve bandwidth for critical servers. The MAC address table is VLAN-aware: each VLAN maintains its own separate table, ensuring traffic for one VLAN is not forwarded to another. For trunks carrying multiple VLANs, the switch uses the VLAN ID inside the frame to consult the correct table.
Understanding the MAC address table is foundational for troubleshooting Ethernet issues, implementing port security (which limits the number of MAC addresses allowed per port), and operating Spanning Tree Protocol (STP), which relies on MAC address learning to build a loop-free topology. In modern data centers, virtual switches and hypervisors also maintain MAC address tables for virtual machines. The table is stored in high-speed CAM memory because it must be accessed in microseconds for every frame. For exams like CCNA and Network+, you must know how the table is built, how flooding works, and why MAC flapping (a single MAC address moving rapidly between ports) indicates a loop or misconfiguration.
On switches with hardware forwarding ASICs, the MAC address table is part of the forwarding pipeline. The number of entries a switch can hold is constrained by CAM resources, oversubscription can cause the switch to flood more frames, degrading performance. Security features like dynamic ARP inspection (DAI) and DHCP snooping rely on the MAC address table to validate source addresses. The MAC address table is the brain of a switch; without it, every frame would be flooded, making switched networks no more efficient than hubs.
MAC Address Table Aging, Timeouts, and Dynamic Entry Management
The MAC address table is not static; it dynamically adjusts as devices connect, disconnect, or move between ports. This is governed by an aging timer that determines how long a learned MAC entry remains valid after the last frame with that source address is received. On Cisco switches, the default aging time is 300 seconds (5 minutes) for most platforms. When the timer expires, the entry is removed (aged out), and the next frame to that destination will be flooded as unknown unicast until the switch learns the address again. This mechanism is essential for keeping the table accurate and preventing stale entries from causing incorrect forwarding.
The aging process can be tuned for specific needs. For example, in networks with many transient devices (e.g., guest Wi-Fi networks), a shorter aging time (e.g., 60 seconds) helps keep the table current and reduces the number of entries. In data centers with stable server connections, longer aging times (e.g., 600 seconds) reduce control overhead. The command "mac address-table aging-time <seconds>" on Cisco IOS adjusts this per VLAN or globally. Some switches also support configurable options like "dynamic" (default), "static" (no aging), or "secure" (MAC address table entries from port security are not aged).
When a switch detects a MAC address moving from one port to another (MAC flap), it typically raises a syslog message and may trigger a Topology Change Notification (TCN) for STP. Rapid flapping can cause the CPU to process many updates, potentially affecting performance. To mitigate this, some switches have a "MAC move" threshold that can trigger error-disabled state on the port. Understanding aging and flapping is critical for exams: CCNA questions often ask about the default timer, how to change it, and what happens when an entry ages out. Network+ might test the concept that aging prevents table overflow. Security+ may connect aging to preventing MAC flooding attacks (CAM overflow).
The aging process also interacts with other features. For instance, if port security is enabled and a secure MAC address ages out, the port may shut down if the maximum allowed addresses is exceeded. Similarly, DHCP snooping uses MAC address table to bind IP-MAC-ports, and aging of binding entries is separate. The aging timer is a key operational parameter that balances accuracy, security, and performance. Misconfiguring aging can lead to excessive flooding (too short) or stale entries (too long), both of which degrade network reliability.
MAC Address Table Security: CAM Overflow Attacks and Port Security
The MAC address table, stored in Content Addressable Memory (CAM), has a finite capacity. An attacker can exploit this by sending frames with many different source MAC addresses, typically via a tool like macof, aiming to fill the CAM table. When the table is full, the switch cannot learn new legitimate MAC addresses and defaults to flooding all unknown unicast frames out every port in the VLAN. This effectively turns the switch into a hub, allowing the attacker to capture traffic intended for other hosts. This is called a CAM overflow attack or MAC flooding attack. The attack is a classic Layer 2 threat covered in Security+ and CCNA Security.
To defend against CAM overflow, switches implement port security, which restricts the number of MAC addresses allowed on a given port. Common port security modes include: "dynamic" (learns up to a maximum), "static" (manually specific MACs), and "sticky" (dynamic MACs saved to running config). When a violation occurs (e.g., a new MAC appears after the limit is reached), the switch can protect by shutting down the port (shutdown), dropping the frame (restrict), or sending an alert but forwarding the frame (protect). The default action on Cisco switches is shutdown, which puts the port into error-disabled state. This is a direct exam topic for CCNA and Network+.
Another security feature is MAC address filtering, where the switch permits or denies frames based on source or destination MAC. This is less common due to management overhead but appears in legacy security configurations. Features like DHCP snooping and Dynamic ARP Inspection (DAI) build their own tables that rely on the MAC address table integrity. For example, DAI checks ARP packets against the DHCP snooping binding table, which itself uses MAC addresses from the switch's table.
The CAM table size varies by switch model; enterprise switches may hold 8,000 to 64,000 entries. To prevent overflow, administrators should set appropriate port security limits (typically 1-10 for access ports) and enable features like BPDU guard and root guard to strengthen STP, which indirectly protects MAC address table stability. In exam scenarios, you may be asked to identify a CAM overflow from symptoms like high CPU, flooded traffic, or a sudden inability to access a server. The solution is usually to verify port security configuration and inspect logs for violation messages. Understanding this attack is essential for Security+ (attacks and vulnerabilities) and CCNA (operation of switches).
How Spanning Tree Protocol (STP) Interacts with the MAC Address Table
The Spanning Tree Protocol (STP) and the MAC address table are deeply interconnected at Layer 2. STP's primary goal is to prevent loops by logically blocking redundant paths, but it also impacts how the MAC address table learns and ages entries. When STP transitions a port from blocking to forwarding (e.g., after a link failure or root bridge change), the switch must clear the MAC address table entries learned on that port. Otherwise, stale entries would cause frames to be sent out a port that is no longer the correct path, potentially causing a loop or black-hole traffic. This clearing is initiated by a Topology Change Notification (TCN) BPDU, which triggers all switches in the VLAN to shorten their MAC aging timer (from default 300 seconds to the forwarding delay, typically 15-30 seconds). This accelerates the learning of new paths.
From an exam perspective, you must understand that STP TCN events cause MAC address tables to be refreshed. For example, in CCNA, you may be asked why a network experiences temporary flooding after a link failure. The answer is that the MAC address table was cleared and the switch re-learns addresses via flooding. Similarly, Network+ might test that STP's convergence time is tied to MAC table aging. In larger networks, rapid STP (RSTP) speeds this process by synchronizing port roles faster, but the MAC address table still must be updated.
Misconfiguration of STP can indirectly corrupt the MAC address table. For instance, if a switch is not running STP and a physical loop exists, frames will circulate infinitely, causing MAC address flapping as the same MAC address is learned on multiple ports in rapid succession. This floods the CPU with notifications and can cause the MAC table to oscillate, leading to loss of connectivity. Security features like BPDU guard and root guard are often placed on ports to prevent unauthorized switches from triggering MAC table instability.
Another interaction is the use of STP as a defense against MAC flooding attacks. By limiting the number of STP-enabled ports, administrators can reduce the attack surface. Features like Loop Guard and UDLD help prevent loops that would otherwise corrupt the MAC address table. On exam day, look for clues about "MAC flapping" or "Topology Change Notification" to identify STP-related issues. Understanding the symbiotic relationship between STP and the MAC address table is crucial for both troubleshooting and design questions.
Troubleshooting Clues
MAC Address Flapping
Symptom: Syslog messages saying 'MAC address moved from port X to port Y' repeatedly. Users experience intermittent connectivity or slow traffic.
A single MAC address is being learned on multiple ports in rapid succession. This typically indicates a Layer 2 loop (missing STP) or a device with two NIC interfaces accidentally connected to the same switch.
Exam clue: CCNA questions often present a scenario with MAC flapping and ask for the cause (usually a loop) and solution (enable STP or check for miswired cables).
Unknown Unicast Flooding Due to Full CAM Table
Symptom: Network performance degrades, traffic flooded to all ports, and the 'show mac address-table count' shows table is 100% full.
The CAM table is full (due to attack or normal growth), so new MACs cannot be learned. The switch floods all unknown unicast frames out all ports, causing unnecessary traffic and possible packet loss.
Exam clue: Security+ and CCNA Security: a full CAM table is a symptom of a MAC flooding attack. Question asks: 'What attack fills the MAC address table?' Correct answer: CAM overflow.
Stale MAC Entries After Link Failure
Symptom: Traffic to a specific server is black-holed (no response) even though the server is up. The MAC address is still shown on the old port in 'show mac address-table'.
The MAC entry did not age out because the aging time is long, and no topology change notification (TCN) was sent. The switch continues sending frames out the (now dead) port.
Exam clue: Network+ and CCNA: why does traffic fail after link failure? Answer: MAC table was not updated because STP TCN was not triggered or aging time is too long.
Port Security Violation - Shutdown
Symptom: A user's port goes into error-disabled state. The 'show interfaces status' shows err-disabled. Console logs: 'port security violation'.
The number of source MAC addresses seen on the port exceeded the configured maximum. The port was shut down by the security policy.
Exam clue: CCNA troubleshooting: given logs of 'port security violation', candidate must identify the cause (too many MACs) and recovery (shutdown then no shutdown or errdisable recovery).
MAC Address Table Not Learning New Devices
Symptom: Newly connected devices cannot communicate. 'show mac address-table' does not show their MAC address even after sending traffic.
Possible reasons: port is in err-disable (security), port is administratively down, MAC address filtering blocks learning, or port is in spanning-tree blocking state.
Exam clue: Network+ and CCNA: first step is to check interface status (up/up), then check STP state (must be forwarding), then check port security. Exam expects systematic troubleshooting.
MAC Address Table Shows Inconsistent VLAN Assignments
Symptom: Devices in the same IP subnet cannot communicate. The MAC address table shows the same MAC on VLAN 10 and VLAN 20 on different ports.
A device is configured with multiple VLAN interfaces (router-on-a-stick) or a misconfigured trunk allows VLAN hopping. The switch learns the same MAC in multiple VLANs if the device sends tagged frames.
Exam clue: CCNA question: why does a PC with two VLANs cause MAC table confusion? Answer: Each VLAN has its own table; the MAC appears in both if the device sends untagged frames to different VLANs.
High CPU Due to MAC Address Table Thrashing
Symptom: Switch CPU usage spikes to 90%+. Syslog shows many MAC address table updates (add, remove, move).
Rapid changes to the MAC table (e.g., from flapping or flood of new MACs) cause the CPU to process many updates, impacting control plane performance.
Exam clue: Security+ and CCNA: high CPU from MAC table updates could indicate an attack (MAC flooding) or a loop. The solution is to enable port security and verify STP.
Memory Tip
Think of the MAC address table as a 'Who sits where' list for a switch, just like a seating chart for a dinner party.
Learn This Topic Fully
This glossary page explains what MAC address table means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)Related Glossary Terms
A 2-in-1 laptop is a portable computer that can switch between a traditional laptop form and a tablet form, usually by detaching or rotating the keyboard.
The 24-pin motherboard connector is the main power cable that connects the computer's power supply unit (PSU) to the motherboard, supplying electricity to the motherboard and its components.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
A 3D printer is a device that creates physical objects by depositing layers of material based on a digital model.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
The 8-pin CPU connector is a power cable from the power supply that delivers dedicated electricity to the processor on a computer's motherboard.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Quick Knowledge Check
1.What effect does a CAM overflow attack have on a switch's behavior?
2.By default, how long does a Cisco switch keep a learned MAC address in its table without refreshing it?
3.Which command clears all dynamically learned MAC address entries from the switch?
4.What is the most likely cause of repeated 'MAC address moved' syslog messages on a switch?
5.How many MAC addresses can be learned on a switch port configured with 'switchport port-security maximum 1'?
6.In a network with STP enabled, what happens to the MAC address table when a port changes from blocking to forwarding?
Frequently Asked Questions
What is the difference between a MAC address table and a CAM table?
There is no difference. CAM table stands for Content Addressable Memory table, which is the hardware technology used to store and search the MAC address table. In networking, the two terms are used interchangeably.
Why does a switch flood unknown unicast frames?
Because the switch does not know which port the destination device is on. Flooding ensures the frame reaches the intended recipient. Once the recipient replies, the switch learns its MAC address and future frames are forwarded directly.
How long does a MAC address remain in the table?
By default, most switches use an aging timer of 300 seconds (5 minutes). If no frame is received from that MAC address within the timer, the entry is removed. The timer can be configured to a different value.
Can a MAC address appear on multiple ports in the same VLAN?
Normally no. If a switch sees the same source MAC on a different port, it updates the entry to the new port. This assumes the device has moved. However, in some cases like a misconfiguration causing a loop, you might see the same MAC on multiple ports temporarily, which indicates a problem.
What happens if the MAC address table becomes full?
When the table is full, the switch cannot learn new MAC addresses. It will then flood all unknown unicast frames, effectively behaving like a hub. This can lead to performance degradation and security risks, which is why MAC flooding attacks target the table's capacity.
How does port security relate to the MAC address table?
Port security limits the number of MAC addresses that can be learned on a port. These secure MAC addresses are stored in the MAC address table along with dynamic entries. If a violation occurs, the switch can shut down the port or drop traffic, protecting the network.
Do virtual switches in the cloud have MAC address tables?
Yes. Virtual switches in hypervisors (like VMware vSwitch) and cloud platforms (like AWS VPC) maintain internal MAC address tables to forward traffic between virtual machines. The concept is the same as physical switches.
Summary
The MAC address table is the fundamental data structure that enables a network switch to make intelligent forwarding decisions at Layer 2. It maps each MAC address to a specific port and VLAN, allowing the switch to send frames only to the correct destination rather than flooding every port. This table is dynamic: it learns source MAC addresses from incoming frames, updates entries when devices move, and ages out entries after a period of inactivity to keep the table current and efficient.
Understanding the MAC address table is critical for IT certification exams. For CCNA and Network+, it is a primary topic that appears in questions about switching logic, VLANs, and port security. You need to be able to interpret table output, explain the learning and forwarding process, and troubleshoot issues like incorrect port mappings or table overflow. Security+ covers the table in the context of MAC flooding attacks and port security mitigations. Cloud exams treat it as valuable background knowledge for understanding virtual networking.
In real-world practice, the MAC address table is your go-to tool for diagnosing Layer 2 connectivity problems. Whether you are checking if a device is properly connected, investigating a loop, or securing ports against unauthorized access, the MAC address table provides the essential information. It works silently behind the scenes in every switched network, from a small home office to a massive data center.
Your key takeaway for exams: remember that switches learn dynamically, forward selectively, and flood as a fallback. The MAC address table is not static; it is a living record of the network's current state. Master this concept, and you will have a solid foundation for understanding switching, VLANs, and many security features.