1.9 Switching Concepts

The MAC address table (CAM table)

A switch's MAC address table, stored in content-addressable memory (CAM), maps each known MAC address to the switch port and VLAN where it lives. This table is the heart of Layer 2 forwarding. You can view it with show mac address-table on Cisco IOS.

The three forwarding behaviors

For every frame, a switch does exactly one of three things:

1. Forward (known unicast): the destination MAC is in the table, so the frame is sent only out the mapped port.
2. Flood (unknown unicast, broadcast, unknown multicast): the destination is not known (or is a broadcast), so the frame goes out every port in the VLAN except the ingress port.
3. Filter: if the destination is on the same port the frame arrived on, the switch drops it, no need to send it back.

How learning works (step by step)

The switch reads the source MAC of every inbound frame and records source-MAC + ingress-port + VLAN in the CAM table. Forwarding decisions use the destination MAC.

Worked example

PC-A (MAC aaaa) on port Fa0/1 sends to PC-B (MAC bbbb) on port Fa0/2, and the table is empty:

1. Switch learns aaaa is on Fa0/1.
2. bbbb is unknown, so it floods the frame out all other ports.
3. PC-B replies; the switch now learns bbbb is on Fa0/2.
4. All future A-to-B frames are forwarded only to Fa0/2, no flooding.

Aging

To keep the table current, Cisco switches age out a MAC entry after 300 seconds (5 minutes) of no frames from that address. Moving a device to a new port updates the entry as soon as it transmits.

Switching methods

• Store-and-forward: receives the entire frame, runs an FCS error check, then forwards, this is the Cisco default and catches corrupt frames.
• Cut-through: forwards as soon as it reads the destination MAC, lower latency but forwards errors.
• Fragment-free: reads the first 64 bytes (the collision window) before forwarding, a compromise.

Collision and broadcast domains

Each switch port is its own collision domain (full-duplex eliminates collisions entirely on that link). All ports share one broadcast domain per VLAN, so a 48-port switch with 4 VLANs has 4 broadcast domains and 48 collision domains. Only a router or a separate VLAN breaks up a broadcast domain.

MAC address format

A MAC address is 48 bits, written as 12 hex digits (e.g., 00:1A:2B:3C:4D:5E). The first 24 bits are the OUI (organizationally unique identifier) assigned to the vendor; the last 24 bits are the device serial. A destination of FF:FF:FF:FF:FF:FF is the broadcast address, and addresses beginning with 01:00:5E are IPv4 multicast. Recognizing these patterns tells you instantly whether a frame will be forwarded, flooded, or treated as broadcast.

Duplex, speed, and why collisions vanished

Modern switched links run full-duplex, sending and receiving simultaneously, which means a properly configured switched port has no collisions at all and does not need CSMA/CD (the old half-duplex collision-detection method of hubs). A duplex mismatch (one side full, one side half) is a classic fault that causes late collisions, CRC errors, and terrible throughput, the exam loves it as a troubleshooting symptom. Always let both ends auto-negotiate or hard-set both identically.

VLANs and broadcast containment

A VLAN (virtual LAN) logically segments one physical switch into multiple broadcast domains. Hosts in VLAN 10 cannot reach hosts in VLAN 20 without a router or Layer 3 switch, even on the same physical switch. This is why adding VLANs increases broadcast domains while adding ports only adds collision domains. Containing broadcasts with VLANs improves performance and security and sets up the inter-VLAN routing topics in later chapters.

Verification commands

On Cisco IOS you confirm switching behavior with:

• show mac address-table to see learned MAC-to-port mappings.
• show mac address-table aging-time to confirm the 300-second default.
• show interfaces status to check speed, duplex, and VLAN per port.

A frame whose destination still floods after the destination has spoken usually means the entry aged out or the device went silent, reading the table tells you which.

Common traps

• Switches learn from the source MAC but forward based on the destination MAC, do not swap these.
• An unknown unicast is flooded, not dropped.
• The default aging time is 300 seconds, not 30 or 3600.
• Adding VLANs, not adding ports, is what increases broadcast domains.
• A duplex mismatch silently kills performance; suspect it when you see CRC/late-collision errors.

Frame flooding and its consequences

Excessive flooding hurts performance, so understand what triggers it. Unknown unicast flooding is normal and brief, it stops the instant the destination replies and is learned. But a MAC flooding attack deliberately fills the CAM table with bogus addresses so legitimate entries cannot be stored, forcing the switch to flood everything and letting an attacker capture traffic. The defense is port security, which limits how many MAC addresses a port may learn and can shut the port on violation. This connects directly to later security chapters.

Why switching beats hubs

A hub is a single shared collision domain: only one device transmits at a time and collisions are common under load. A switch gives every port its own collision domain and full-duplex operation, so two devices can transmit simultaneously with zero collisions. The practical result is that a 24-port switch offers 24 simultaneous conversations where a 24-port hub offers effectively one. Microsegmentation, one device per collision domain, is the core reason switches replaced hubs and is a frequent conceptual exam question. Combined with VLANs for broadcast control, switching delivers both performance and segmentation that hubs never could.