When a frame arrives at a switch, how does it know which port to forward it out? The answer lies in the MAC address table—the fundamental data structure that makes a switch a switch. On the CCNA 200-301 exam, understanding MAC address table operations (exam objective 2.2) is critical because it underpins switching logic, VLANs, and security features like port security. In real networks, a corrupted or misconfigured MAC table can cause unicast flooding, bridging loops, or even security breaches. Mastering this topic will help you troubleshoot connectivity issues and design efficient Layer 2 networks.
Imagine you are the front desk clerk at a large hotel. Each guest checks in and is assigned a specific room number. As guests arrive, you write down their name and room number in a directory. When a delivery person arrives with a package addressed to 'Mr. Smith,' you look up Smith in your directory. If you find an entry, you send the delivery person directly to that room. If you don't, you have to page all rooms—a broadcast—to find Mr. Smith. Over time, as more guests check in, your directory grows, and deliveries become more efficient.
Now, if a guest checks out, you might keep their entry for a while in case they return, but eventually you remove it to free up space. If someone mischievously changes their name tag, you might record a wrong name and misdirect deliveries. This is exactly how a switch learns MAC addresses. Each arriving frame carries a source MAC address—like a guest's name. The switch records it along with the port (room number) in its MAC address table. When a frame arrives destined for a known MAC, the switch forwards it only out the correct port—like a direct delivery. For unknown destinations, the switch floods the frame out all ports except the one it came in on—like paging all rooms. The table has an aging timer (default 300 seconds) to remove stale entries. If a device moves to a different port, the switch updates the entry. Understanding this analogy helps you grasp how switches learn, forward, and age out MAC addresses—core to the CCNA exam.
What is a MAC Address Table?
A MAC address table, also known as a content-addressable memory (CAM) table, is a data structure stored in a switch's memory that maps MAC addresses to the ports through which they can be reached. It is the core component that allows a switch to make intelligent forwarding decisions at Layer 2. Without it, a switch would behave like a hub, flooding every frame out all ports except the incoming port. The table is built dynamically by learning from the source MAC addresses of incoming frames.
How the MAC Address Table is Built (Learning)
The learning process is entirely passive and automatic. Here is the step-by-step mechanism at the frame level:
A device (e.g., PC A) sends a frame. The frame includes a destination MAC address and a source MAC address.
The switch receives the frame on a specific port (e.g., GigabitEthernet0/1).
The switch examines the source MAC address. It looks up that address in its MAC address table.
If the source MAC is not in the table, the switch creates a new entry: it records the source MAC address, the port on which it was received, and a timestamp (used for aging).
If the source MAC is already in the table but associated with a different port, the switch updates the entry with the new port and resets the timestamp. This handles device mobility.
If the source MAC is already in the table and associated with the same port, the switch simply refreshes the timestamp.
This learning happens for every incoming frame, regardless of the destination. The switch never learns from the destination MAC address; it only uses the source MAC for learning.
How Forwarding Works (Switching Logic)
Once the MAC address table is populated, the switch uses it to forward frames efficiently:
1. The switch receives a frame and extracts the destination MAC address.
2. It performs a lookup in the MAC address table for that destination MAC.
3. There are three possible outcomes:
- Known Unicast: If the destination MAC is found and the associated port is different from the incoming port, the switch forwards the frame only out that specific port. This is called *forwarding*.
- Same Port: If the destination MAC is found and the associated port is the same as the incoming port, the switch drops the frame because the destination is on the same segment. This is called *filtering*.
- Unknown Unicast: If the destination MAC is not found in the table, the switch floods the frame out all ports except the incoming port. This ensures the frame reaches the intended device, assuming it is somewhere in the broadcast domain.
4. For broadcast frames (destination MAC FF:FF:FF:FF:FF:FF) and multicast frames (depending on configuration), the switch always floods them out all ports except the incoming port, because the MAC address table cannot store broadcast or multicast addresses as destinations.
Key Timers and Defaults
Aging Time: Default is 300 seconds (5 minutes) on most Cisco switches. This timer controls how long a dynamically learned MAC address remains in the table without being refreshed. If no frame with that source MAC is received within the aging time, the entry is removed.
Maximum Entries: Varies by platform. For example, a Cisco Catalyst 2960 switch can store up to 8,000 MAC addresses. The exact number depends on the hardware CAM size.
Secure MAC Addresses: When port security is configured, the switch can store secure MAC addresses that do not age out (unless configured to do so).
Sticky MAC Addresses: A feature of port security where dynamically learned MAC addresses are saved to the running configuration and become sticky (they persist across reboots and do not age out).
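The learning steps, the three forwarding outcomes, the aging timer and the CAM-full behaviour described above can be exercised end to end in a small model. The following Python is an added illustration written for this guide, not Cisco code and not the switch's real implementation: it keeps one table per VLAN, learns only from source MACs, ages dynamic entries after 300 seconds, lets static entries override learning, and stops learning when the configured capacity is reached. Port-to-VLAN membership is deliberately not modelled (flooding goes to every port except the ingress port, as the text states), and the third host MAC 0050.7966.6802 and the 400-second timestamp are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = "ffff.ffff.ffff"
DEFAULT_AGING = 300   # seconds; the Cisco default described above


def is_multicast(mac: str) -> bool:
    """I/G bit (least significant bit of the first octet) set => group address."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


@dataclass
class Entry:
    port: str
    last_seen: float      # time the last frame from this MAC was seen (for aging)


class Switch:
    """Toy VLAN-aware learning switch (added illustration). Port-to-VLAN membership
    is not modelled: flooding goes to every port except the ingress port."""

    def __init__(self, ports: List[str], aging_time: int = DEFAULT_AGING, max_entries: int = 8000):
        self.ports = list(ports)
        self.aging_time = aging_time
        self.max_entries = max_entries                   # CAM capacity, platform dependent
        self.tables: Dict[int, Dict[str, Entry]] = {}    # vlan -> {mac -> Entry}
        self.static = set()                              # (vlan, mac) pairs that never age

    def _table(self, vlan: int) -> Dict[str, Entry]:
        return self.tables.setdefault(vlan, {})

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self._table(vlan)[mac] = Entry(port, float("inf"))
        self.static.add((vlan, mac))

    def age_out(self, now: float) -> list:
        """Drop dynamic entries that were not refreshed within aging_time."""
        removed = []
        for vlan, table in self.tables.items():
            for mac in list(table):
                if (vlan, mac) not in self.static and now - table[mac].last_seen >= self.aging_time:
                    del table[mac]
                    removed.append((vlan, mac))
        return removed

    def learn(self, src: str, vlan: int, in_port: str, now: float) -> str:
        """Learning uses only the SOURCE MAC of the arriving frame."""
        if (vlan, src) in self.static:
            return "static"           # a static entry overrides dynamic learning
        table, entry = self._table(vlan), self._table(vlan).get(src)
        if entry is None:
            if sum(len(t) for t in self.tables.values()) >= self.max_entries:
                return "table-full"   # CAM exhausted: nothing learned, flooding continues
            table[src] = Entry(in_port, now)
            return "new"
        if entry.port != in_port:
            entry.port = in_port      # device moved: update the port
            entry.last_seen = now
            return "moved"
        entry.last_seen = now         # same port: refresh the aging timer only
        return "refresh"

    def forward(self, src: str, dst: str, vlan: int, in_port: str, now: float):
        """Returns (action, egress ports) with action in forward / filter / flood."""
        self.age_out(now)
        self.learn(src, vlan, in_port, now)
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST or is_multicast(dst):
            return "flood", others            # group addresses are never looked up
        entry = self._table(vlan).get(dst)    # lookup in THIS VLAN's table only
        if entry is None:
            return "flood", others            # unknown unicast
        if entry.port == in_port:
            return "filter", []               # destination sits on the ingress segment
        return "forward", [entry.port]        # known unicast


def run_demo() -> list:
    """Replays the page's scenario: A on Gi0/1, B on Gi0/2, plus a constructed host C behind Gi0/2."""
    a, b, c = "0050.7966.6800", "0050.7966.6801", "0050.7966.6802"
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"])
    steps = [
        (a, b, 1, "Gi0/1", 0),           # B unknown -> flood; A learned on Gi0/1
        (b, a, 1, "Gi0/2", 1),           # A known on Gi0/1 -> forward there only
        (c, b, 1, "Gi0/2", 2),           # B is on the ingress port -> filter
        (a, BROADCAST, 1, "Gi0/1", 3),   # broadcast -> always flood
        (a, b, 20, "Gi0/1", 3),          # VLAN 20 has its own (empty) table -> flood
        (b, a, 1, "Gi0/2", 400),         # A idle for >300 s: aged out -> flood again
    ]
    return [sw.forward(*s) for s in steps]


def edge_case_demo() -> tuple:
    """A static entry wins over learning, and a full CAM learns nothing new."""
    sw = Switch(["Gi0/1", "Gi0/2"], max_entries=2)
    sw.add_static("aaaa.bbbb.cccc", 10, "Gi0/2")
    r_static = sw.learn("aaaa.bbbb.cccc", 10, "Gi0/1", 0)   # same MAC seen on another port: ignored
    r_new = sw.learn("0050.7966.6800", 1, "Gi0/1", 0)        # table now holds 2 entries
    r_full = sw.learn("0050.7966.6801", 1, "Gi0/2", 0)       # no capacity left
    return r_static, r_new, r_full, sw.tables[10]["aaaa.bbbb.cccc"].port
```

Running `run_demo()` yields flood, forward, filter, flood, flood, flood in that order: the last step shows that after more than 300 seconds without a frame from A its entry is gone and the reply is flooded again, exactly the aging behaviour the timer section describes. `edge_case_demo()` shows why static entries matter for critical hosts (the spoofed or mis-cabled appearance of aaaa.bbbb.cccc on Gi0/1 does not move it) and that a full table silently stops learning, which is the root of the unknown-unicast flooding mentioned under performance considerations.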
IOS CLI Verification Commands
To inspect the MAC address table on a Cisco switch, use the following commands:
Switch# show mac address-table
Example output:
```
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0050.7966.6801    DYNAMIC     Gi0/2
  10    aaaa.bbbb.cccc    STATIC      Gi0/3
```
Vlan: The VLAN in which the MAC is learned.
Mac Address: The 48-bit MAC address in dotted-hex format.
Type: DYNAMIC (learned automatically), STATIC (manually configured), or SECURE (from port security).
Ports: The outgoing interface(s).
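When troubleshooting, the raw 'show mac address-table' output is usually copied out of a terminal and inspected by hand; a parser makes the per-port and per-VLAN counts, and MAC moves between two snapshots, easy to check. The following Python is an added example for this guide, not a Cisco tool and not part of the original page. The two snapshots are constructed in the same layout as the output shown above, with three extra hosts on Gi0/2 and a second snapshot in which 0050.7966.6800 has moved to Gi0/2; the 'limit' in `ports_over_limit` is whatever maximum you intend to set with port security, so that legitimate multi-host ports are found before the port would be shut down.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of the page's 'show mac address-table' output
# (three extra hosts were added on Gi0/2 to make the per-port check meaningful).
SNAPSHOT_1 = """\
Switch# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0050.7966.6801    DYNAMIC     Gi0/2
   1    0050.7966.6802    DYNAMIC     Gi0/2
   1    0050.7966.6803    DYNAMIC     Gi0/2
  10    aaaa.bbbb.cccc    STATIC      Gi0/3
"""

# Second constructed snapshot taken later: 0050.7966.6800 now appears on Gi0/2.
SNAPSHOT_2 = SNAPSHOT_1.replace("0050.7966.6800    DYNAMIC     Gi0/1",
                                "0050.7966.6800    DYNAMIC     Gi0/2")

# One table row: VLAN, dotted-hex MAC, type, port. Prompt, title and separator lines do not match.
ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def parse_mac_table(text: str) -> List[Dict]:
    """Return one dict per table row; header, separator and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"vlan": int(m["vlan"]), "mac": m["mac"].lower(),
                         "type": m["type"].upper(), "port": m["port"]})
    return rows


def dynamic_macs_per_port(rows: List[Dict]) -> Counter:
    """How many dynamically learned MACs sit behind each port."""
    return Counter(r["port"] for r in rows if r["type"] == "DYNAMIC")


def ports_over_limit(rows: List[Dict], limit: int) -> List[str]:
    """Ports whose dynamic MAC count exceeds `limit` (the port-security maximum you
    plan to configure), so that legitimate hosts are not locked out by the rollout."""
    return sorted(p for p, n in dynamic_macs_per_port(rows).items() if n > limit)


def moved_macs(before: List[Dict], after: List[Dict]) -> List[tuple]:
    """(vlan, mac, old_port, new_port) for entries whose port changed between snapshots:
    a host that moved desks, or a MAC flip-flopping between two ports."""
    old = {(r["vlan"], r["mac"]): r["port"] for r in before}
    return sorted((r["vlan"], r["mac"], old[(r["vlan"], r["mac"])], r["port"])
                  for r in after
                  if (r["vlan"], r["mac"]) in old and old[(r["vlan"], r["mac"])] != r["port"])


def summarize(rows: List[Dict]) -> Dict:
    """Counts comparable to what 'show mac address-table count' reports."""
    by_type = Counter(r["type"] for r in rows)
    return {"total": len(rows), "dynamic": by_type["DYNAMIC"],
            "static": by_type["STATIC"], "vlans": sorted({r["vlan"] for r in rows})}


if __name__ == "__main__":
    rows = parse_mac_table(SNAPSHOT_1)
    print(summarize(rows))
    print("ports with more than 2 dynamic MACs:", ports_over_limit(rows, 2))
    print("moved between snapshots:", moved_macs(rows, parse_mac_table(SNAPSHOT_2)))
```

On the constructed data, Gi0/2 is reported as holding three dynamic MACs (so a port-security maximum of 2 there would block a legitimate host), and the comparison of the two snapshots reports 0050.7966.6800 as having moved from Gi0/1 to Gi0/2; the same MAC appearing on two ports in quick succession is the flip-flop symptom the EtherChannel discussion later in this page warns about.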
To see only dynamic entries:
Switch# show mac address-table dynamic
To clear the entire MAC address table:
Switch# clear mac address-table dynamic
To configure a static MAC address entry (rarely used in practice but testable):
Switch(config)# mac address-table static aaaa.bbbb.cccc vlan 10 interface gigabitethernet0/3
Interaction with Related Protocols
VLANs: The MAC address table is VLAN-aware. Each VLAN maintains its own separate table (logically or physically). A MAC address learned in VLAN 10 is not used for forwarding decisions in VLAN 20. This is because VLANs segment Layer 2 broadcast domains.
Spanning Tree Protocol (STP): STP can block ports to prevent loops. When a port is in a blocking state, the switch does not learn MAC addresses on that port, nor does it forward frames through it. STP also causes MAC address table changes when a topology change occurs (e.g., a link fails). The switch may flush dynamic entries on ports affected by the topology change to speed up convergence.
Port Security: Port security uses the MAC address table to restrict which devices can connect to a port. It can limit the number of MAC addresses learned on a port and take action (shutdown, restrict, protect) if a violation occurs.
EtherChannel: When multiple physical links are bundled into a single logical link, the MAC address table associates the MAC address with the port-channel interface, not the individual physical ports. This ensures load balancing and prevents loops.
Common Exam Traps
Trap 1: MAC address table stores destination MAC addresses. WRONG. The table stores source MAC addresses learned from incoming frames. The destination is used for lookup, not for learning.
Trap 2: A switch floods every frame it receives. WRONG. Flooding happens only for unknown unicasts (destination MAC not in the table), broadcasts, and multicasts (unless IGMP snooping is configured); a known unicast is forwarded out the single associated port.
Trap 3: The aging timer is 300 seconds for all entries. By default, yes, but static entries do not age out. Secure MAC addresses can be configured to age or not.
Trap 4: Clearing the MAC address table disrupts traffic permanently. Actually, the switch re-learns addresses as soon as new frames arrive. The disruption is minimal (a few frames may be flooded until learning completes).
Frame Arrives on Switch Port
A device (e.g., PC1) sends an Ethernet frame. The switch receives the frame on a specific interface (e.g., GigabitEthernet0/1). The frame contains a source MAC address (e.g., 0050.7966.6800) and a destination MAC address (e.g., 0050.7966.6801). The switch records the incoming port and the source MAC address in its MAC address table if it is not already present. This is the learning phase. The switch does not examine the destination MAC for learning purposes.
Lookup Destination MAC in Table
The switch extracts the destination MAC address from the frame and performs a lookup in the MAC address table. The table is organized as a hash table (CAM) for fast access. Three outcomes are possible: (1) Destination MAC found and associated port is different from incoming port → forward out that port. (2) Destination MAC found and associated port is same as incoming port → drop the frame (filtering). (3) Destination MAC not found → flood the frame out all ports except the incoming port.
Forward or Flood Decision
If the destination MAC is known, the switch forwards the frame only out the correct port. For example, if the destination MAC is 0050.7966.6801 and it is associated with port Gi0/2, the switch sends the frame out Gi0/2 only. If the destination MAC is unknown, the switch floods the frame out all ports except Gi0/1. Flooding ensures the frame reaches the intended device, but it consumes bandwidth on all segments. Broadcast and multicast frames are always flooded (unless IGMP snooping filters multicast).
Update Aging Timer on Source MAC
Every time the switch receives a frame from a known source MAC, it resets the aging timer for that entry to 0. The default aging time is 300 seconds (5 minutes). If the switch does not receive a frame from that source MAC within 300 seconds, the entry is removed from the table. This is to keep the table current as devices move or are replaced. You can change the aging time globally with the command 'mac address-table aging-time <seconds>'.
Verify MAC Address Table
Use the command 'show mac address-table' to view all entries. Example output:
```
Switch# show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0050.7966.6801    DYNAMIC     Gi0/2
  10    aaaa.bbbb.cccc    STATIC      Gi0/3
```
Check the 'Type' column: DYNAMIC entries are learned; STATIC entries are manually configured. Use 'show mac address-table aging-time' to see the configured aging time. Use 'show mac address-table count' to see how many entries are in use.
Clear or Configure Static Entries
To clear all dynamic entries (e.g., for troubleshooting), use 'clear mac address-table dynamic'. To clear entries on a specific interface, use 'clear mac address-table dynamic interface gigabitethernet0/1'. To add a static MAC address (e.g., for a server that should always be on a specific port), use 'mac address-table static aaaa.bbbb.cccc vlan 10 interface gigabitethernet0/3'. Static entries do not age out and are preserved in the running configuration. They override dynamic learning for that MAC.
In a typical enterprise network, switches are the backbone of Layer 2 connectivity. The MAC address table is constantly in flux as devices connect, disconnect, and move. For example, consider a large office floor with multiple access switches connected to a distribution switch. When an employee plugs their laptop into a wall jack, the access switch learns the laptop's MAC address on that port. If the employee moves to a different desk, the switch updates the entry when the laptop sends a frame from the new port. This dynamic learning allows seamless mobility without manual configuration.
Another scenario is a data center where servers use NIC teaming (several NICs bundled into one logical adapter). The switch may see the same MAC address on multiple ports if the team uses the same MAC for all links. This can cause the MAC address table to flip-flop between ports, leading to instability and potential packet loss. To prevent this, network engineers configure the switch ports as an EtherChannel, which bundles the physical links into one logical interface. The MAC address table then associates the server's MAC with the port-channel interface, not the individual ports.
Port security is a common feature used to control which devices can connect to a switch port. For instance, in a campus network, IT may want to prevent unauthorized devices from plugging into office jacks. By enabling port security and limiting the number of MAC addresses to 1 or 2, the switch will shut down the port if an unknown device attempts to connect. This relies on the MAC address table to detect violations. Misconfiguration, such as setting the maximum MAC address count too low, can cause legitimate devices to be blocked. Conversely, setting it too high may allow rogue devices.
Performance considerations: The MAC address table is stored in CAM, which is fast but has limited capacity. In large networks, the table can fill up, causing the switch to flood frames for new destinations (since it cannot learn new entries). This can degrade performance. Engineers monitor the table size with 'show mac address-table count' and plan for switches with sufficient CAM size. Additionally, the aging time can be tuned: shorter aging times free up entries faster but cause more flooding; longer aging times keep stale entries but reduce flooding. The default of 300 seconds is a good balance for most environments.
On the CCNA 200-301 exam, objective 2.2 'Describe switching concepts and the operation of a switch' includes MAC address table learning and forwarding logic. Expect questions that test your understanding of how a switch builds its table, how it forwards frames, and how VLANs affect the table. Key points to remember:
The MAC address table is built from source MAC addresses only. Many candidates mistakenly think the destination MAC is used for learning. This is a common trap: if a question asks 'What does a switch use to build its MAC address table?' the correct answer is 'source MAC address' or 'source address'.
The switch floods unknown unicast frames, but NOT frames with a known destination. A question might describe a scenario where a frame arrives with a destination MAC that is in the table; the switch forwards it only out the associated port.
The default aging time is 300 seconds. You may be asked what happens after a device stops sending frames for 5 minutes: the entry is removed.
VLANs create separate MAC address tables. A MAC learned in VLAN 10 is not used in VLAN 20. A question might show two PCs in different VLANs and ask if the switch can forward frames between them; the answer is no (you need a router or Layer 3 switch).
Common wrong answers:
1. 'The switch uses the destination MAC to learn.' – Wrong, as explained.
2. 'The switch floods all frames except broadcasts.' – Wrong; it filters known unicasts.
3. 'The aging time is 30 seconds.' – Wrong; default is 300 seconds (5 minutes).
4. 'Static MAC entries are learned dynamically.' – Wrong; static entries are manually configured.
Decision rule for scenario questions: Identify the source and destination MACs. Ask: Is the destination MAC in the table? If yes, and the associated port is different from the incoming port, forward. If same port, drop. If not in table, flood. For broadcasts, always flood. For multicasts, flood unless IGMP snooping is enabled.
Calculation traps: None directly, but be aware of CAM size limits. A question might ask how many MAC addresses a switch can store; the answer is platform-dependent, but a typical value is 8,000 for a 2960. Know that 'show mac address-table count' gives the number of entries in use.
MAC address table maps MAC addresses to switch ports; built from source MAC addresses of incoming frames.
Default aging time is 300 seconds (5 minutes); configurable with 'mac address-table aging-time'.
Three forwarding actions: forward (known unicast, different port), filter (known unicast, same port), flood (unknown unicast, broadcast, multicast).
VLANs maintain separate MAC address tables; a MAC learned in one VLAN is not used in another.
Use 'show mac address-table' to view entries; 'clear mac address-table dynamic' to flush.
Port security uses MAC address table to enforce limits; sticky MACs are saved to config.
Static MAC entries override dynamic learning and do not age out.
These come up on the exam all the time. Here's how to tell them apart.
Dynamic MAC Address Learning
Learned automatically from incoming frames.
Ages out after 300 seconds (default).
Can be overwritten by a new entry on a different port.
Lost on switch reload unless saved in config (not typical).
Used for most end devices.
Static MAC Address Entry
Manually configured by administrator.
Does not age out.
Overrides dynamic learning; fixed to a specific port.
Persists in running and startup config.
Used for critical servers or security.
Mistake
The switch learns MAC addresses from the destination MAC field.
Correct
The switch learns from the source MAC address. The destination MAC is used only for forwarding decisions (lookup).
Candidates confuse the direction of learning because they focus on where the frame is going, not where it came from.
Mistake
A switch floods all frames when the MAC address table is empty.
Correct
Initially, the switch floods only unknown unicast frames. Broadcasts are always flooded, but known unicasts are forwarded directly once learned.
Learners think an empty table means all frames are flooded, but the switch still filters frames destined for the same port.
Mistake
The aging timer applies to static MAC entries.
Correct
Static MAC entries do not age out; they remain indefinitely until manually removed. Only dynamic entries age out.
The term 'aging timer' implies all entries age, but static entries are an exception.
Mistake
Clearing the MAC address table causes permanent loss of connectivity until the switch is rebooted.
Correct
The switch immediately re-learns MAC addresses from incoming frames. Connectivity is restored within seconds, with minimal flooding.
Candidates overestimate the impact of clearing the table; it is a common troubleshooting step that does not harm operations.
The default aging time is 300 seconds (5 minutes). This means a dynamically learned MAC address is removed from the table if no frame with that source MAC is received within 300 seconds. You can change it globally with 'mac address-table aging-time <seconds>' under global configuration mode. On the exam, remember the default is 300 seconds, not 30 or 600.
Yes, a switch learns from the source MAC address of any frame, including broadcasts. When a broadcast frame arrives, the switch records the source MAC and the incoming port. However, the destination MAC (broadcast) is not used for learning; it is always flooded. This is a common exam point.
Dynamic MAC addresses are learned automatically from incoming frames and age out after 300 seconds by default. Static MAC addresses are manually configured by an administrator and do not age out; they remain in the table until removed. Static entries are used for critical devices or to prevent MAC flooding attacks. Use 'mac address-table static' to configure.
Each VLAN maintains its own separate MAC address table. A MAC address learned in VLAN 10 is stored only in VLAN 10's table and is used for forwarding decisions only within VLAN 10. This isolation is why switches cannot forward frames between VLANs without a router or Layer 3 switch. On the exam, remember that VLANs create separate broadcast domains and separate MAC tables.
The command 'show mac address-table count' displays the total number of MAC addresses in the table, the maximum capacity, and the number of static and dynamic entries. Example output: 'Total Mac Addresses: 10, Max: 8192'. This is useful for monitoring CAM utilization.
Normally, no. A switch expects a MAC address to be reachable via only one port. If the same source MAC appears on a different port, the switch updates the entry to the new port. However, if you have configured an EtherChannel, the MAC address is associated with the port-channel interface, which bundles multiple physical ports. Also, port security can be configured to allow multiple MAC addresses on a port.
When the CAM table is full, the switch cannot learn new MAC addresses. It will then flood frames destined for unknown MAC addresses out all ports (except the incoming port). This can cause increased broadcast traffic and potential performance degradation. To prevent this, monitor the table size and consider using switches with larger CAM capacity.