MAC Address Table – Comprehensive Guide

1. What is a MAC Address Table?

The MAC Address Table (also called CAM Table – Content Addressable Memory Table) is a database switches use to map MAC addresses to physical switch ports and VLANs.
Purpose: Enables efficient Layer 2 frame forwarding by letting the switch know exactly which port a frame should go to, instead of broadcasting it everywhere.

2. Role in Layer 2 Switching

At Layer 2, switches use the MAC table to forward frames only to the port where the destination device is connected. This improves bandwidth use and reduces unnecessary traffic, unlike a hub which floods traffic to all ports.

3. How MAC Addresses are Learned

  • When a frame arrives, the switch records the source MAC address, port, and VLAN in the MAC table.
  • Most entries are dynamically learned from real network traffic.
  • Static MACs can be configured by admins for critical devices.

Example:

MAC: AA-AA-AA-AA-AA-AA | Port: 1 | VLAN: 10 | Type: Dynamic

4. MAC Address Table Structure

Field        Description
-----------  -----------------------------------
MAC Address  Device's hardware (Layer 2) address
Port         Physical switch port (e.g., Fa0/1)
VLAN         VLAN membership (e.g., 10)
Type         Dynamic or Static

Table Size: Limited by hardware (e.g., 8,192 entries). Exceeding this may cause MAC flooding (see below).

5. Aging and Timeout

  • Dynamically learned entries have an aging timer (default 300s typical). If not seen in that time, the entry is removed.
  • Static entries do not age out; they must be manually deleted.

6. Static vs. Dynamic MAC Addresses

Aspect     Dynamic                   Static
---------  ------------------------  --------------------------
Learning   Automatic (from traffic)  Manual (admin-configured)
Aging      Yes                       No
Use Cases  Standard hosts/devices    Critical devices, security

Cisco Example:

! IOS expects the MAC address in dotted-hex form (H.H.H)
switch(config)# mac address-table static aaaa.aaaa.aaaa vlan 10 interface fastEthernet 0/1

7. MAC Table Lookup Process

  • If destination MAC found: frame forwarded to correct port(s).
  • If not found: switch floods the frame to all ports in that VLAN except source.

8. VLAN and MAC Address Table

  • Each VLAN has a separate MAC address table context.
  • The same MAC may appear on different VLANs with different ports.

This per-VLAN separation prevents inter-VLAN frame leakage.

9. MAC Address Table Overflow

Overflow Symptoms: Switch begins flooding all unknown traffic (acts like a hub).
Security risk: Attackers can flood switch with fake MACs (MAC flooding attack).

Prevention: Use Port Security to limit learned MACs per port.

10. Viewing the MAC Address Table

show mac address-table
show mac-address-table

Sample Output:

VLAN  MAC Address        Type     Ports
----  ---------------   -------  -----
 10   AA-AA-AA-AA-AA-AA DYNAMIC  Fa0/1
 20   BB-BB-BB-BB-BB-BB STATIC   Fa0/2

11. Aging Time Configuration

switch(config)# mac address-table aging-time 600

Short aging causes more flooding; long aging can delay removal of unused MACs.

12. MAC Address Table and Switchport Security

  • Port Security: Restricts number of allowed MACs per port.
  • Actions on violation: Shutdown, Restrict, Protect.
  • Sticky MAC: Dynamically learned MACs are saved as static.

switch(config-if)# switchport port-security
switch(config-if)# switchport port-security mac-address sticky
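
The learning, aging, lookup, overflow and per-port limit described in sections 3, 5, 7, 9 and 12 can be seen together in a small model. This is an added example, not code from the original page and not IOS behaviour; the `Switch` class, its field names, the table capacity of 4 and the traffic in `demo` are constructed for illustration.

```python
from dataclasses import dataclass, field

PC1, PC2 = "00:11:22:33:44:55", "00:11:22:33:44:66"   # hosts from the page's scenario

@dataclass
class Switch:                       # simplified model, not IOS behaviour
    ports: dict                     # access port -> VLAN id
    capacity: int = 8192            # hardware-limited table size
    aging: int = 300                # seconds; dynamic entries only
    max_per_port: int = 0           # 0 = port security off, else MAC limit per port
    table: dict = field(default_factory=dict)   # (vlan, mac) -> [port, last_seen]
    violations: int = 0

    def receive(self, port, src, dst, now):
        """Learn from the source MAC, then return the ports the frame leaves on."""
        vlan = self.ports[port]
        for key in [k for k, (_, seen) in self.table.items() if now - seen > self.aging]:
            del self.table[key]                      # age out idle entries
        if (vlan, src) in self.table:
            self.table[(vlan, src)] = [port, now]    # refresh timer, follow a moved host
        else:
            on_port = sum(1 for p, _ in self.table.values() if p == port)
            if self.max_per_port and on_port >= self.max_per_port:
                self.violations += 1                 # "restrict"-style: drop and count
                return []
            if len(self.table) < self.capacity:      # a full table learns nothing new
                self.table[(vlan, src)] = [port, now]
        hit = self.table.get((vlan, dst))
        if hit:
            return [hit[0]]                          # known unicast: one port
        return [p for p, v in self.ports.items() if v == vlan and p != port]  # flood in VLAN

def demo(max_per_port):
    """Constructed traffic: Fa0/3 presents 10 source MACs, then PC1 and PC2 talk."""
    sw = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 20},
                capacity=4, max_per_port=max_per_port)
    for i in range(10):
        sw.receive("Fa0/3", f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", now=i)
    sw.receive("Fa0/1", PC1, PC2, now=20)
    sw.receive("Fa0/2", PC2, PC1, now=21)
    return sw.receive("Fa0/1", PC1, PC2, now=22), sw.violations

if __name__ == "__main__":
    print("no port security :", demo(0))   # table full, PC1->PC2 is flooded
    print("limit 1 MAC/port :", demo(1))   # PC1->PC2 goes to Fa0/2 only
```

With the limit off, the full table never learns PC1 or PC2, so their unicast frames also reach Fa0/3; with a limit of one MAC per port the table stays small and the same frame leaves on Fa0/2 only.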

13. MAC Address Table in Multi-Switch Environments

  • Trunk ports: MACs are learned and shared across switches.
  • Spanning Tree: May block ports, affecting MAC learning.
  • EtherChannel: Multiple links act as one; MACs mapped to port-channel.

14. Troubleshooting MAC Address Issues

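Problem                 Cause                                  Solution
----------------------  -------------------------------------  ---------------------------------------
Incorrect MAC learning  Network loops, trunk misconfiguration  Check VLAN/trunk/STP config
MAC Flapping            Same MAC on multiple ports             Investigate for loops or moving devices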

Use these commands:

show mac address-table
show interfaces status
show spanning-tree
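
For the two problems in the table above, one way to work from saved `show mac address-table` output is to compare two snapshots for entries that changed port and to count dynamic entries per port. This is an added example, not part of the original page; the function names, the `limit` threshold and both snapshots are constructed, and the parser accepts the dashed MAC form used on this page as well as dotted and colon forms.

```python
import re
from collections import Counter

ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+(\w+)\s+(\S+)\s*$")

def parse(text):
    """Return {(vlan, mac): (type, port)}; header and separator lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            mac = re.sub(r"[.:-]", "", mac).lower()      # normalise to 12 hex digits
            if len(mac) == 12:
                table[(int(vlan), mac)] = (typ.upper(), port)
    return table

def moved(before, after):
    """Entries whose port changed between snapshots (candidate MAC flapping)."""
    return sorted((vlan, mac, before[(vlan, mac)][1], port)
                  for (vlan, mac), (_, port) in after.items()
                  if (vlan, mac) in before and before[(vlan, mac)][1] != port)

def crowded_ports(table, limit):
    """Ports holding more than `limit` dynamic entries; review these first."""
    counts = Counter(port for typ, port in table.values() if typ == "DYNAMIC")
    return {port: n for port, n in counts.items() if n > limit}

# Constructed snapshots, taken some time apart
SNAP1 = """
VLAN  MAC Address        Type     Ports
----  -----------------  -------  -----
 10   00-11-22-33-44-55  DYNAMIC  Fa0/1
 10   00-11-22-33-44-66  DYNAMIC  Fa0/2
 20   BB-BB-BB-BB-BB-BB  STATIC   Fa0/2
"""
SNAP2 = """
 10   0011.2233.4455     DYNAMIC  Fa0/3
 10   00-11-22-33-44-66  DYNAMIC  Fa0/2
 10   0200.0000.0001     DYNAMIC  Fa0/3
 10   0200.0000.0002     DYNAMIC  Fa0/3
 20   BB-BB-BB-BB-BB-BB  STATIC   Fa0/2
"""

if __name__ == "__main__":
    print(moved(parse(SNAP1), parse(SNAP2)))
    print(crowded_ports(parse(SNAP2), limit=2))
```

A port change between snapshots is only a lead: a laptop that moved desks looks the same as a loop, so confirm with `show spanning-tree` and `show interfaces status` before acting.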

Summary Table

Field        Description
-----------  ------------------------------------------------
MAC Address  Device hardware address (e.g., 00-1A-2B-3C-4D-5E)
Port         Switch port (e.g., Fa0/1)
VLAN         VLAN membership (e.g., 10)
Type         Dynamic or Static
Age          Time since last activity

πŸ§‘β€πŸ’» When and Why to Use MAC Address Tables

  • Switch forwarding decisions in Layer 2 environments
  • Troubleshooting device connectivity, loops, or broadcast storms
  • Security: Limit access by MAC (Port Security)
  • Monitor for overflow or abnormal behavior

Example Scenario

PC1: MAC 00:11:22:33:44:55 on Fa0/1 VLAN 10
PC2: MAC 00:11:22:33:44:66 on Fa0/2 VLAN 10
When PC1 sends a frame, switch learns its MAC and port. When PC2 replies, switch learns its MAC and port. Afterwards, unicast frames are sent only to the correct port (no flooding).

MAC Address Table Quiz

1. What is the primary purpose of a MAC Address Table in a switch?

Correct answer is C. The MAC Address Table maps MAC addresses to switch ports, allowing targeted frame forwarding.

2. How are MAC addresses usually learned by a switch?

Correct answer is A. Switches learn MAC addresses dynamically by reading the source MAC in frames arriving on ports.

3. What happens if a switch does not find a destination MAC address in its MAC table?

Correct answer is D. The switch floods unknown destination frames to all ports within the VLAN to find the recipient.

4. What is the difference between dynamic and static MAC address entries?

Correct answer is B. Dynamic MACs are learned and expire after inactivity; static MACs remain until manually removed.

5. What is the default aging time for dynamically learned MAC addresses on many switches?

Correct answer is A. The default aging timer for dynamic MAC entries is typically 300 seconds.

6. What is a common symptom of MAC Address Table overflow?

Correct answer is C. Overflow causes the switch to flood frames to all ports, degrading network performance.

7. How does port security help prevent MAC address table overflow attacks?

Correct answer is D. Port security restricts MAC addresses on a port, preventing flooding attacks by limiting entries.

8. What command shows the current MAC address table on a Cisco switch?

Correct answer is B. The command "show mac address-table" displays learned MAC addresses and associated ports.

9. What does the "sticky" MAC address feature do?

Correct answer is A. Sticky MAC lets the switch dynamically learn MACs and convert them to static entries to persist after reboot.

10. In multi-switch environments, how are MAC addresses learned across VLAN trunks?

Correct answer is C. Switches learn and share MAC addresses dynamically across trunk links connecting VLANs.
