Ethernet is the technology that connects almost every wired device in the world. Understanding how switches forward frames, build MAC address tables, and handle unknown traffic is foundational to every other switching topic on CCNA and Network+. More practically, the troubleshooting questions on both exams heavily test what happens when things go wrong at Layer 2: duplicate MAC addresses, duplex mismatches causing performance degradation, and the specific behavior of switches under flood conditions. If you know how a switch thinks, you know how to fix it when it misbehaves.
Every network interface card has a burned-in 48-bit MAC address, written as six pairs of hexadecimal digits. The first three pairs identify the manufacturer (the Organizationally Unique Identifier). The last three are device-specific. MAC addresses operate at Layer 2 and are only relevant within a single network segment.
A switch builds its CAM table (Content Addressable Memory, also called the MAC address table) by reading the source MAC address of every incoming frame and recording which port it came from. The switch does not ask devices for their address. It learns passively. When a frame arrives for a destination MAC that the switch has already learned, the switch sends it only to the correct port. This is unicast forwarding and it is why switches are more efficient than hubs.
When a frame arrives for a MAC address not yet in the CAM table, the switch floods it out every port in the same VLAN except the port it arrived on. This is called unknown unicast flooding. Once the destination device responds, its MAC address is learned and future frames are forwarded directly. Broadcast frames with the destination FF:FF:FF:FF:FF:FF are always flooded, every time, to every port in the VLAN.
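The learning and forwarding rules above can be traced with a small model. This is an added example, not code from the original page; the `LearningSwitch` class, the port numbers and the VLAN ids are assumptions made for illustration, and the MAC addresses are constructed sample values.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy model of Layer 2 learning and forwarding (hypothetical class)."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)  # port -> VLAN id
        self.cam = {}                       # (vlan, mac) -> port

    def receive(self, in_port, src, dst):
        """Learn the source, then return (decision, sorted egress ports)."""
        vlan = self.port_vlans[in_port]
        src, dst = src.lower(), dst.lower()
        # Passive learning: record source MAC and ingress port, never query.
        self.cam[(vlan, src)] = in_port
        # Flood set: every port in the same VLAN except the ingress port.
        flood = sorted(p for p, v in self.port_vlans.items()
                       if v == vlan and p != in_port)
        if dst == BROADCAST:
            return "broadcast-flood", flood
        out = self.cam.get((vlan, dst))
        if out is None:
            return "unknown-unicast-flood", flood
        if out == in_port:
            return "filter", []  # destination sits behind the ingress port
        return "known-unicast", [out]


def demo():
    # Constructed topology: ports 1-3 in VLAN 10, port 4 in VLAN 20.
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20})
    a, b = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"
    return [
        sw.receive(1, a, b),          # B not learned yet: flood
        sw.receive(2, b, a),          # reply: A was learned on port 1
        sw.receive(1, a, b),          # B is now known on port 2
        sw.receive(1, a, BROADCAST),  # broadcast: flooded every time
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Port 4 never appears in a flood list because it is in a different VLAN, which is the broadcast-domain boundary in miniature.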
A collision domain is the segment where frames can collide if two devices transmit simultaneously. Every switch port creates its own collision domain, which is why switches eliminated the collision problems that plagued hub-based networks. All ports on a hub share one collision domain.
A broadcast domain is the set of devices that receive a Layer 2 broadcast. Switches do not break broadcast domains: every switch port in a VLAN is in the same broadcast domain. Routers do break broadcast domains: each router interface sits in its own broadcast domain. This is also why VLANs create separate broadcast domains on a switch, but routing is still required to pass traffic between them.
Full duplex allows simultaneous transmit and receive on a link, eliminating collisions entirely because each direction uses separate wire pairs. All modern switched links operate at full duplex. A duplex mismatch occurs when one side negotiates full duplex and the other is set to half duplex. The half-duplex side runs CSMA/CD and sees collisions on legitimate traffic. The full-duplex side sees late collisions in its counters. Both sides experience severe, hard-to-diagnose throughput degradation. Matching speed but mismatching duplex is one of the classic CCNA troubleshooting scenarios.
Count collision domains: every switch port is one collision domain. Every hub is one collision domain for all connected ports. Every router interface is one collision domain.
Count broadcast domains: every router interface = one broadcast domain. Every VLAN = one broadcast domain. Switches alone do not divide broadcast domains.
Duplex mismatch symptoms: one side set to half duplex, other to full duplex. Both sides show poor throughput. Half-duplex side shows collisions and runts. Full-duplex side shows late collisions. Fix: ensure both sides are set the same (auto-negotiate or manually configured).
Frame forwarding: known unicast = direct to port. Unknown unicast or broadcast = flood. Multicast = flood unless IGMP snooping is configured to restrict it.
| Attribute | Hub | Switch |
|---|---|---|
| OSI layer | Layer 1 | Layer 2 |
| Collision domains | One (all ports share) | One per port |
| Intelligence | None (repeats signal) | MAC table, forwards to correct port |
| Broadcast domain | One per hub | One per VLAN |
| Duplex | Half duplex | Full duplex |
Misconception: Switches break broadcast domains.
Reality: Switches do not break broadcast domains by default. Every port on a switch in the same VLAN receives broadcasts. Only routers (or VLANs used as separate subnets with routing between them) break broadcast domains.
Misconception: A speed mismatch causes the same symptoms as a duplex mismatch.
Reality: A speed mismatch (e.g., one port at 100 Mbps, the other at 1 Gbps) usually results in the link simply not coming up at all. A duplex mismatch is more insidious: the link appears to be up but performs terribly due to collisions on the half-duplex side.
Misconception: Flooding frames is a sign the switch is malfunctioning.
Reality: Flooding unknown unicast frames is correct, expected switch behavior when the destination MAC is not in the CAM table. It only becomes a problem if it persists, which can indicate MAC table exhaustion from a CAM flooding attack.
These questions are representative of what you will see on the CCNA and Network+ exams. The correct answer and explanation are shown immediately below each question.
A switch receives a frame with a destination MAC address it does not recognize in its CAM table. What does the switch do?
Explanation: When a switch receives a frame for an unknown destination MAC, it floods the frame out all ports in the same VLAN except the port it arrived on (unknown unicast flooding). This is correct, expected switch behavior — not a malfunction. When the destination device responds, its MAC is learned and future frames are forwarded directly. Switches don't drop unknown frames; only ACLs and other filters do.
Two workstations are connected to a switch. Workstation A is set to Full Duplex and Workstation B is set to Half Duplex, but both operate at 100 Mbps (speed matches). What is the likely outcome?
Explanation: A duplex mismatch (one half, one full duplex) at the same speed causes the link to come up but perform extremely poorly. The half-duplex side uses CSMA/CD and interprets the full-duplex side's simultaneous transmissions as collisions, causing retransmissions. The full-duplex side sees late collisions in its error counters. Neither side can detect and auto-correct this — it must be manually fixed.
How many collision domains and broadcast domains exist in a network of 5 hosts connected to a single unmanaged Layer 2 switch with no VLANs?
Explanation: Each switch port is its own collision domain (5 ports = 5 collision domains, each host can transmit freely without colliding with others). The entire switch without VLANs is one broadcast domain — broadcasts reach all 5 hosts. Routers and VLANs segment broadcast domains; switches only segment collision domains.
An attacker sends thousands of frames with random spoofed source MAC addresses to a switch. What attack is this and what is the effect?
Explanation: MAC flooding (also called CAM table overflow) fills the switch's MAC address table with fake entries until legitimate entries are evicted. With a full CAM table, the switch reverts to flooding all frames (like a hub), allowing the attacker to capture traffic not intended for their port. Port security limits this by restricting how many MAC addresses can be learned per port.
A host on a network segment uses an Ethernet broadcast frame. Which destination MAC address does this frame use?
Explanation: Ethernet broadcasts use FF:FF:FF:FF:FF:FF as the destination MAC address. Every device in the same VLAN receives and processes this frame. The switch floods it to all ports in the VLAN. Broadcasts are used for ARP requests (finding a MAC for a known IP), DHCP discovery, and certain routing protocol updates.
A MAC (Media Access Control) address is a 48-bit hardware address burned into every NIC, written as six pairs of hex digits (e.g., 00:1A:2B:3C:4D:5E). The first three pairs identify the manufacturer (OUI). Switches build a CAM (MAC address) table by reading the source MAC of every incoming frame and recording which port it came from. Known destinations are forwarded directly; unknown destinations are flooded.
A hub is a Layer 1 device that repeats electrical signals to every port — all ports share one collision domain, creating collisions under load. A switch is a Layer 2 device that reads MAC addresses and forwards frames only to the correct port — each port is its own collision domain. Switches also run full duplex (eliminating collisions), learn MAC addresses, and are more secure. Hubs are obsolete; switches replaced them entirely in modern networks.
A duplex mismatch occurs when one side of a link negotiates full duplex and the other negotiates half duplex. The link appears to be up at the correct speed, but throughput is terrible. The half-duplex side sees collisions on normal traffic. The full-duplex side logs late collisions. The connection works enough to appear functional but transfers data very slowly. Fix by ensuring both sides are either both set to auto-negotiate or both manually configured to the same speed and duplex.
CAM table overflow (MAC flooding attack) sends thousands of frames with fake source MAC addresses to fill the switch's MAC address table. When the table is full, legitimate MAC entries are evicted and the switch reverts to flooding all frames, allowing the attacker to capture traffic. Prevention: Port Security on Cisco switches limits the number of MAC addresses per port and the action taken when the limit is exceeded (restrict, shutdown, protect).
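How the three violation actions differ is easiest to see side by side. The model below is an added example, not code from the original page and not Cisco's implementation; the `SecurePort` class and `simulate` function are hypothetical names, the source MACs are constructed values, and the counter behavior (protect drops silently, restrict drops and counts, shutdown err-disables the port) is stated from general knowledge of the feature rather than from the page.

```python
class SecurePort:
    """Toy model of a per-port MAC limit with a violation action."""

    def __init__(self, maximum=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = set()
        self.violations = 0
        self.err_disabled = False

    def ingress(self, src_mac):
        """Return True if the frame is accepted (and its source learned)."""
        if self.err_disabled:
            return False  # port stays down until an admin re-enables it
        src_mac = src_mac.lower()
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)
            return True
        # Limit reached: drop the frame and never learn its source MAC.
        if self.violation == "protect":
            return False  # silent drop, nothing counted
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return False


def simulate(violation, maximum=2, extra_sources=1000):
    """Feed one legitimate MAC plus many new source MACs into one port."""
    port = SecurePort(maximum, violation)
    legit = "00:1a:2b:3c:4d:5e"  # constructed sample address
    port.ingress(legit)
    for i in range(extra_sources):  # constructed sequential addresses
        port.ingress("02:00:00:%02x:%02x:%02x"
                     % (i >> 16 & 255, i >> 8 & 255, i & 255))
    return {"learned": len(port.secure_macs),
            "violations": port.violations,
            "err_disabled": port.err_disabled,
            "legit_still_accepted": port.ingress(legit)}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode))
```

In every mode the port contributes at most `maximum` entries to the table; the modes differ only in visibility (the violation counter) and in whether the legitimate host keeps its connectivity.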
CCNA tests CAM table learning and unknown unicast flooding, broadcast vs unicast behavior, collision domains vs broadcast domains (switches vs routers), duplex mismatch symptoms, MAC flooding attacks and Port Security, and frame forwarding decisions. Expect questions about counting collision and broadcast domains in network diagrams and identifying what a switch does when it sees an unknown destination MAC.