show mac address-table – Mastering MAC-to-Port Mappings

Purpose of `show mac address-table` Command

Definition: The show mac address-table command displays the current table mapping MAC addresses to switch ports/interfaces on Cisco switches.
Role:

Switches use the MAC (CAM) table to forward frames to the correct destination port at Layer 2.
Without this table, switches would broadcast frames out all ports, causing inefficiency and security risks.

Understanding Command Output Fields

Sample Output:

Switch# show mac address-table

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0001.63ab.cd22    DYNAMIC     Gi0/1
  10    0050.56be.325c    STATIC      Gi0/2
  20    0090.abcd.1234    SECURE      Gi0/10
 100    aabb.ccdd.eeff    DYNAMIC     Gi0/24

Field	Description
VLAN	The VLAN ID the MAC address belongs to
MAC Address	Unique hardware (Layer 2) address (e.g., 0001.63ab.cd22)
Type	How the address was learned (DYNAMIC, STATIC, SECURE)
Ports	The physical port/interface where the MAC was detected

Types of MAC Address Table Entries

Dynamic: Learned automatically by the switch from incoming frames (most common).
Static: Manually configured and permanent (do not age out).
Secure: Learned or set with port security enabled, often with restrictions.

Note: Use static and secure MACs for critical infrastructure or high-security ports.

MAC Address Table Aging and Management

Aging Timer: Dynamic entries age out after a period of inactivity (default: 300 seconds on Cisco).
Show current aging time: show mac address-table aging-time
Clear dynamic entries: clear mac address-table dynamic

Filtering and Display Options

Filter	Example Command
By VLAN	`show mac address-table vlan 10`
By Interface	`show mac address-table interface Gi0/2`
By MAC Address	`show mac address-table address 0001.63ab.cd22`

Combine filters for focused troubleshooting (e.g., by VLAN and interface).

Interpreting the MAC Address Table for Troubleshooting

Situation	What to Check / Interpretation
Unknown MAC addresses	May indicate unauthorized or rogue devices, or newly connected hosts
MAC flooding (sudden, many new entries)	Could be a MAC flooding attack; review port security and logs
MAC flapping (same MAC on multiple ports)	May indicate network loop or port misconfiguration
No MAC for expected device	Device offline, bad cable, port shutdown, or device not sending frames
Table overflow	Switch memory full; unknown frames are flooded, impacting performance and security

Tip: Always check for flapping, flooding, or unauthorized MACs in critical VLANs.

MAC Address Table Size and Hardware Limits

Switches have finite memory (e.g., 8K, 32K MAC addresses); check device specs.
If table overflows, unknown unicast traffic is flooded—can cause network problems and risks.

Static vs. Dynamic Entries and Security Impact

Static: Fixed and reliable for important servers/devices; combine with port security for high assurance.
Dynamic: Best for end-user devices; aged out if inactive.
Port Security: Use to limit number of MACs per port and to lock down access.

VLANs, Trunk Ports, and MAC Tables

Each VLAN has a separate MAC address table.
The same MAC address can appear in multiple VLANs on different ports.
Trunk ports may list many MAC addresses (from multiple VLANs).
Access ports typically have one or a few MACs (end devices).

Sample Output – Multi-VLAN Environment:

Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  10    00A1.B2C3.D4E5    DYNAMIC     Gi0/12
  20    0050.56BE.325C    DYNAMIC     Gi0/12
  20    00F6.12AB.3456    DYNAMIC     Gi0/15

Interpretation: Gi0/12 has MAC addresses from VLAN 10 and 20—possibly a trunk port, or port moved between VLANs.

Practice Scenario: Port Security and MAC Table

Check port security on a port:
```
Switch# show port-security interface GigabitEthernet0/12
```
Key output fields:
- Port Security: Enabled
- Port Status: Secure-shutdown
- Violation Mode: Shutdown
- Maximum MAC Addresses: 1
- Last Source Address: 00A1.B2C3.D4E5
Interpretation: More than one MAC detected—port shut down for violation.
Check MAC table for port:
```
Switch# show mac address-table interface GigabitEthernet0/12
```
Interpretation: Two MACs on one port—port security violation.

Remediate:

Switch# shutdown interface GigabitEthernet0/12
Switch# no shutdown interface GigabitEthernet0/12
Switch# clear mac address-table dynamic interface GigabitEthernet0/12

Verify again using port-security and mac address-table commands.

Best Practices for MAC Address Table Management

Regularly monitor for unknown, unexpected, or changing MAC entries.
Set port security on access ports to limit MACs learned (e.g., max 1 per user port).
Audit trunk ports for excessive MACs—may indicate improper device access.
Clear stale entries during troubleshooting.
Document static MAC assignments for critical infrastructure.

Key Related Commands

Command	Description
`show mac address-table`	Show all MAC entries and port mappings
`clear mac address-table dynamic`	Clear all dynamic entries
`show mac address-table vlan [ID]`	Show entries for a specific VLAN
`show mac address-table interface [int]`	Show entries for a specific interface
`show port-security interface [int]`	Show port security status and violations
`show mac address-table aging-time`	Show MAC table aging time

Exam & Practical Tips

Understand difference between DYNAMIC, STATIC, and SECURE MAC entries.
Use filtering (by VLAN, interface, MAC) for efficient troubleshooting.
Each VLAN maintains its own MAC address table—the same MAC can exist in different VLANs.
Detect and remediate MAC flooding, flapping, or unauthorized devices.
Be able to interpret port security violations and clear/restore ports as needed.
Always check for table overflow on large/busy switches.

Show MAC Address-Table Quiz

1. What does the `show mac address-table` command display?

A. IP address assignments B. VLAN configurations C. MAC address to port/interface mappings D. Routing table entries

Correct answer is C. This command shows the MAC addresses learned by the switch and their associated ports.

2. Which MAC address type is learned automatically by the switch?

A. Dynamic B. Static C. Secure D. Manual

Correct answer is A. Dynamic MAC addresses are learned from incoming frames automatically.

3. What happens when the MAC address table fills up?

A. Switch drops all incoming frames B. Switch blocks all ports C. Switch forwards frames to the default gateway only D. Switch floods unknown unicast frames to all ports

Correct answer is D. When the table is full, unknown unicast frames are flooded, which reduces performance and security.

4. What does MAC flapping indicate?

A. A device with multiple IP addresses B. Same MAC address appearing on multiple ports rapidly C. Port security violation D. Static MAC address assignment

Correct answer is B. MAC flapping happens when a MAC is learned on different ports in quick succession, often caused by network loops.

5. Which command shows the MAC addresses learned on a specific interface?

A. show mac address-table vlan [VLAN_ID] B. show interfaces trunk C. show mac address-table interface [interface_name] D. show mac address-table address [MAC_Address]

Correct answer is C. This command filters MAC entries on a specified interface.

6. What is the default aging time for dynamic MAC addresses on Cisco switches?

A. 300 seconds B. 60 seconds C. 600 seconds D. 900 seconds

Correct answer is A. The default MAC address aging timer is 300 seconds.

7. What is the function of static MAC addresses?

A. Learn automatically from incoming traffic B. Used only in trunk ports C. Assigned by DHCP server D. Manually configured and permanent entries that do not age out

Correct answer is D. Static MAC addresses are manually set and remain in the table permanently until removed.

8. In the port security scenario, what happens when more MAC addresses than allowed appear on a port?

A. The port continues to forward traffic normally B. The port can go into secure-shutdown mode, blocking traffic C. The switch reboots automatically D. The MAC addresses are ignored

Correct answer is B. Port security violation can cause the port to shut down to prevent unauthorized access.

9. Why might a MAC address appear on multiple ports in the MAC address table?

A. The device has multiple NICs B. The MAC address is spoofed C. Possible physical loop or misconfiguration causing MAC flapping D. Normal behavior for static MAC addresses

Correct answer is C. Multiple port entries for the same MAC usually indicate loops or misconfigurations causing flapping.

10. How can you clear all dynamically learned MAC address entries from a switch?

A. clear mac address-table dynamic B. clear ip route C. clear interface counters D. clear arp-cache

Correct answer is A. This command removes all dynamic MAC entries from the switch's MAC address table.

← Back to Home