MAC Address Table Tutorial - Part 1: Building a MAC Address Table
1. Forward: Send the frame to the correct destination.
2. Filter: Drop the frame.
3. Flood: Send the frame to all ports except the one it arrived on.
Switches maintain a Layer 2 address table, commonly called a MAC (Media Access Control) address table. Every frame contains two 48-bit MAC addresses: one for the source and one for the destination. The switch first examines the source MAC address, which is used to build the MAC address table.
While it's possible to create a MAC address table with static entries, this approach has several issues:
- You'd need to manually add an entry for each host connected to the switch, which is prone to errors like forgetting or mistyping a MAC address. Entering MAC addresses manually on a Cisco switch is particularly error-prone.
- If a port goes down and a host is connected to a different port, the host won't have full connectivity until you update the MAC address table. Forgetting to remove the old static entry could cause issues when someone else connects to that port.
It's much more efficient to let the switch build the MAC address table dynamically. Doing so isn't laziness - it's smart. Work smarter, not harder, as the saying goes. Dynamic processes are often more reliable and efficient than manual input.
Understanding how a switch behaves in different scenarios is a valuable skill for becoming an ethical hacker or network engineer. The following walkthroughs will show you how a switch builds its MAC table and demonstrate the three frame forwarding actions. We'll begin with a simple network setup involving four hosts, a switch and a hub. While hubs aren't commonly used in modern networking, they do help to illustrate all possible frame forwarding actions.
Each host will use a letter-based MAC address (repeated 12 times). Don't worry if you're unfamiliar with the hexadecimal format of MAC addresses - we'll cover that at the end of this tutorial. For now, we'll focus on how the switch handles the frames in these scenarios.
Our walkthrough starts with the assumption that the switch has just been added to the network, which raises an important point. When a Cisco switch is first powered on, there will already be some static MAC table entries, all related to the CPU of the switch.
To begin the walkthrough, Host A sends a frame to Host C. This frame passes through the hub and reaches the switch on the FastEthernet (Fa0/1) port.
The switch first examines the source MAC address of the incoming frame and checks its MAC table, asking, "Do I already have an entry for this MAC address?" Since the switch was just powered on, there are no entries for any hosts at this point. So the switch adds an entry for the source MAC address, marking it as "DYNAMIC," unlike the static CPU entries we saw when the switch was first powered on. To simplify this view, the static CPU entries will no longer appear in the output, having been overwritten by an actual device MAC address entry.
Here's what the MAC address table looks like now:
At this point, the switch must make its first forwarding decision. The options are:
- Forward: Send the frame directly to the destination.
- Filter: Drop the frame.
- Flood: Send the frame to every port except the one it came in on.
Next, the switch examines the destination MAC address and asks, "Do I have an entry for this address in my MAC table?" Since the destination MAC is not yet known, the answer is no. As a result, the switch floods the frame, sending a copy to every port except the one it arrived on. This scenario is called an Unknown Unicast Frame because it's a unicast frame (intended for a specific host), but the switch does not yet know which port leads to the destination host.
With this action, the switch is essentially saying, "I don't know which port leads to the destination MAC, so to be sure the frame reaches its destination, I'll send it everywhere - except back to the port it came in on." This approach ensures that the frame reaches the intended recipient, but it also means that every other connected host receives the frame too, which wastes bandwidth and switch resources. Now imagine this process with 64 hosts on the switch - the amount of flooding would be significant.
However, some frame flooding is inevitable when new hosts or switches are added to the network. This initial flooding is necessary as the switch builds its MAC address table. Over time, as the table gets populated, the need for flooding decreases, as we'll see when Host C responds to Host A.
Here, the switch receives the frame and checks its MAC table for the source MAC address (cc-cc-cc-cc-cc-cc). Since there's no entry for that source address, the switch automatically creates one. As a reminder, the switch always checks the source MAC address first before examining the destination address - this point can't be stressed enough.
Here's how our updated MAC address table looks now:
Now, the DYNAMIC entries come into play. The switch checks for the frame's destination MAC address (aa-aa-aa-aa-aa-aa). Since there's already an entry for that address, indicating it's reachable via port Fa0/1, the switch then forwards the frame directly to that port. No flooding is needed this time, thanks to the learned MAC address.
Now that the MAC table contains entries for both Host A and Host C, the switch can handle their communications more efficiently. When Host A responds to Host C, the switch already knows which port corresponds to Host C's MAC address (Fa0/2). Instead of flooding the frame as it did initially, the switch now forwards the frame directly to the connected port.
Here's what the MAC address table looks like now:
With both MAC addresses learned, the switch can now forward frames between Hosts A and C without unnecessary flooding, optimizing network performance.
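The learn-then-decide logic from this walkthrough can be modeled in a few lines of Python. This is an added example, not code from the original tutorial or from any switch vendor. It goes one step beyond the three frames above by including a filtered frame, and it assumes a third port (Fa0/3) and that Host B shares the hub on Fa0/1 with Host A.

```python
"""Toy model of a learning switch: learn the source, then decide on the destination."""


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port; every entry here is DYNAMIC

    def receive(self, in_port, src, dst):
        """Process one frame and return (action, list of egress ports)."""
        # Step 1: always examine the source first and learn (or refresh) it.
        self.mac_table[src] = in_port
        # Step 2: only then look up the destination.
        out_port = self.mac_table.get(dst)
        if out_port is None:
            # Unknown unicast: copy to every port except the ingress port.
            return "flood", [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination is behind the ingress port (same hub): drop the frame.
            return "filter", []
        return "forward", [out_port]


def run_walkthrough():
    # Port list is an assumption; the tutorial only names Fa0/1 and Fa0/2.
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "aa-aa-aa-aa-aa-aa", "bb-bb-bb-bb-bb-bb", "cc-cc-cc-cc-cc-cc"
    frames = [
        ("Fa0/1", a, c),  # Host A -> Host C: C not yet learned
        ("Fa0/2", c, a),  # Host C -> Host A: A was learned from frame 1
        ("Fa0/1", a, c),  # Host A -> Host C: C was learned from frame 2
        ("Fa0/1", b, a),  # assumed: Host B sits on the same hub as Host A
    ]
    results = [sw.receive(*frame) for frame in frames]
    return results, sw.mac_table


if __name__ == "__main__":
    results, table = run_walkthrough()
    for action, ports in results:
        print(f"{action:8} -> {ports}")
    for mac, port in table.items():
        print(f"{mac}  DYNAMIC  {port}")
```

The first frame is the only one copied to a port that does not lead to its destination, which is why hosts on other ports can see unknown unicast traffic until the table is populated.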
Next, we'll explore how the switch handles frames when it has an entry for every host on the network. One of the ways the switch processes these frames might surprise you! Stay tuned for the next lesson in this Networking Fundamentals course, where we'll dive deeper into the switch's decision-making process and uncover some interesting behaviors you may not expect.
