Basic Switching and MAC Learning

Key Takeaways

  • A switch forwards Ethernet frames inside one local network using 48-bit Layer 2 MAC addresses, not IP addresses.
  • A switch learns by reading the source MAC of every arriving frame and recording it against the ingress port and VLAN in the CAM table.
  • Known unicast goes out one learned port; unknown unicast, broadcast (ff:ff:ff:ff:ff:ff), and unknown multicast are flooded inside the VLAN.
  • Default MAC aging is 300 seconds; constant MAC flapping between ports usually signals a Layer 2 loop or duplicate device.
  • On the 100-150 exam, switching questions test forwarding behavior and symptom recognition, not switch configuration.
Last updated: June 2026

How a Switch Forwards Frames

A switch is a Layer 2 device that connects hosts inside one local network and forwards Ethernet frames using 48-bit MAC (Media Access Control) addresses written in hexadecimal, such as 00:1B:44:11:3A:B7. The first 24 bits are the OUI (Organizationally Unique Identifier) assigned to the vendor; the last 24 bits are unique per NIC. A switch never looks at the IP header to switch a frame — that is the router's job.

The switch keeps a MAC address table, stored in hardware called CAM (Content-Addressable Memory). Each entry maps one MAC address to one port and one VLAN. The switch builds it with three rules, sometimes summarized as learn, forward/flood, age.

Learning the table

Every time a frame enters a port, the switch reads the source MAC and writes (or refreshes) an entry: this MAC lives on this ingress port in this VLAN. If a frame from 00:11:22:33:44:55 arrives on port Gi0/3 in VLAN 10, the switch records 00:11:22:33:44:55 -> Gi0/3, VLAN 10. Learning is driven entirely by source addresses; the destination is used only to decide where to send.

The four forwarding outcomes

| Frame type | Destination MAC | Switch action |
| --- | --- | --- |
| Known unicast | In CAM table | Forward out the single learned port |
| Unknown unicast | Not in table | Flood out all other ports in the VLAN |
| Broadcast | ff:ff:ff:ff:ff:ff | Flood within the VLAN |
| Frame back toward its own port | Maps to ingress port | Filter (drop) — never echo a frame back |

Flooding is normal, not a fault. When the destination replies, its source MAC is learned and future frames become known unicast sent to one port only.

Aging, MAC Moves, and Symptoms

Entries are dynamic. The default aging timer on Cisco switches is 300 seconds (5 minutes): if no frame from a MAC is seen for 300 seconds, the entry is removed so a moved or sleeping device does not leave stale data. When a laptop is unplugged from port 5 and plugged into port 9, the switch relearns the MAC on port 9 the moment it sends a frame.

Rapid, repeated relearning between two ports is a MAC flap and is abnormal. Common causes:

  • A Layer 2 loop (two switches cabled together twice with no Spanning Tree).
  • A duplicate MAC, or two hosts mistakenly sharing one address.
  • A virtual machine moving between hosts.

A loop is dangerous because broadcasts circulate forever, creating a broadcast storm that saturates links and CPU. Spanning Tree Protocol prevents this by blocking redundant paths, but loop symptoms (all LEDs blinking in unison, total LAN slowdown) are something a CCST tech must recognize and escalate.
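The difference between one legitimate MAC move and a flap can be checked mechanically from a series of learn events. This is an added example, not part of the original page; the event tuples, port names, window and threshold are constructed assumptions.

```python
# Added example: tell a single MAC move from a MAC flap in learn events.
# The event tuples, window and threshold are constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed observation window
MOVE_THRESHOLD = 3    # assumed: this many port changes in the window = flap

# (timestamp_s, vlan, mac, port) -- constructed sample data
EVENTS = [
    (0,  10, "00:11:22:33:44:55", "Gi0/1"),
    (1,  10, "00:11:22:33:44:55", "Gi0/2"),
    (2,  10, "00:11:22:33:44:55", "Gi0/1"),
    (3,  10, "00:11:22:33:44:55", "Gi0/2"),   # loop-like oscillation
    (5,  10, "00:1b:44:11:3a:b7", "Gi0/5"),
    (90, 10, "00:1b:44:11:3a:b7", "Gi0/9"),   # laptop re-plugged once
    (91, 20, "00:11:22:33:44:55", "Gi0/7"),   # same MAC, other VLAN: own entry
]


def find_flaps(events, window=WINDOW_SECONDS, threshold=MOVE_THRESHOLD):
    """Return {(vlan, mac): sorted ports seen} for MACs that changed port
    at least `threshold` times within `window` seconds."""
    last_port = {}
    moves = defaultdict(deque)      # (vlan, mac) -> timestamps of port changes
    ports_seen = defaultdict(set)
    flapping = {}
    for ts, vlan, mac, port in sorted(events):
        key = (vlan, mac.lower())   # CAM entries are scoped per VLAN
        ports_seen[key].add(port)
        prev = last_port.get(key)
        last_port[key] = port
        if prev is None or prev == port:
            continue                # first learn or refresh, not a move
        q = moves[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # forget moves older than the window
        if len(q) >= threshold:
            flapping[key] = sorted(ports_seen[key])
    return flapping


if __name__ == "__main__":
    print(find_flaps(EVENTS))
```

Only the VLAN 10 entry that oscillates between two ports is reported; the single re-plug and the VLAN 20 learn are not.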

Port security

An engineer may enable port security to limit which MAC addresses a port accepts. A violation can put the port into err-disabled state, so a user reports "my port is dead" even though the cable is fine. The tech should note the switch, port, and the host MAC, then escalate rather than re-enable it blindly.

What to collect

When a ticket reaches you, gather: the host MAC address, the switch and port, the VLAN, link status, recent moves, and whether neighboring devices on the same switch are affected. A switch learns from where traffic comes from and forwards based on where traffic is going; the table is local to that switch and scoped per VLAN. Switching does not replace IP, DNS, DHCP, or routing — it simply delivers frames efficiently across the local segment.

Common traps

  • Confusing the Ethernet broadcast ff:ff:ff:ff:ff:ff with the IPv4 broadcast 255.255.255.255 — one is a MAC, one is an IP.
  • Assuming flooding means a broken switch; unknown unicast flooding is by design.
  • Thinking the switch routes between subnets — it does not unless it is a Layer 3 switch.

Worked Example and Exam Framing

Walk through a concrete sequence on a brand-new switch with an empty CAM table. Host A (00:AA) on port 1 wants to reach Host B (00:BB) on port 2; both are in VLAN 10. A sends a frame to 00:BB. The switch reads the source 00:AA, records 00:AA -> port 1, VLAN 10, then looks up the destination 00:BB, finds nothing, and floods the frame out every other VLAN-10 port. B receives it and replies to 00:AA. The switch now reads B's source, records 00:BB -> port 2, VLAN 10, looks up 00:AA, finds it on port 1, and forwards the reply to port 1 only.

From this point both directions are known unicast sent to a single port — flooding occurred just once, on the first frame.
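The same sequence as a small simulation of learn, forward/flood, filter and age. This is an added example, not code from the original page; the `Switch` class, the four-port VLAN 10 layout and the timestamps are assumptions, and the shortened MACs are the ones used in the walkthrough above.

```python
# Added example: a minimal model of learn / forward / flood / filter / age.
# The Switch class, port numbers and timestamps are illustrative assumptions.
BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300  # default aging time stated on this page


class Switch:
    def __init__(self, vlan_ports):
        self.vlan_ports = vlan_ports   # {vlan: set of member ports}
        self.cam = {}                  # {(vlan, mac): (port, last_seen)}

    def _age(self, now):
        """Drop entries whose source MAC has been silent for the aging time."""
        self.cam = {k: v for k, v in self.cam.items()
                    if now - v[1] < AGING_SECONDS}

    def receive(self, now, port, vlan, src, dst):
        """Process one frame; return (action, sorted egress ports)."""
        self._age(now)
        # Learn: source MAC only, recorded against ingress port and VLAN.
        self.cam[(vlan, src.lower())] = (port, now)
        dst = dst.lower()
        others = sorted(self.vlan_ports[vlan] - {port})
        if dst == BROADCAST:
            return ("flood", others)
        entry = self.cam.get((vlan, dst))
        if entry is None:
            return ("flood", others)      # unknown unicast
        if entry[0] == port:
            return ("filter", [])         # never echo out the ingress port
        return ("forward", [entry[0]])    # known unicast


def walkthrough():
    """Replay the page's A/B exchange, then a broadcast and an aged-out entry."""
    sw = Switch({10: {1, 2, 3, 4}})
    return [
        sw.receive(0, 1, 10, "00:AA", "00:BB"),      # A -> B, empty table
        sw.receive(1, 2, 10, "00:BB", "00:AA"),      # B replies
        sw.receive(2, 1, 10, "00:AA", "00:BB"),      # now known unicast
        sw.receive(3, 1, 10, "00:AA", BROADCAST),    # broadcast always floods
        sw.receive(400, 1, 10, "00:AA", "00:BB"),    # B silent > 300 s: aged out
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```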

Half-duplex versus full-duplex

Modern switched links run full-duplex: each port is its own collision domain, so a device can send and receive at the same time and there are no collisions. A duplex mismatch (one side full, the other half) produces late collisions, CRC errors, and painfully slow throughput while the link still shows 'up'. This is a frequent CCST symptom: connectivity exists but performance is terrible. The fix is to set both ends the same or let both auto-negotiate.

Switch versus hub

A legacy hub is a Layer 1 repeater: it copies every bit out every port, so all ports share one collision domain and one bandwidth pool. A switch creates a separate collision domain per port and forwards selectively. Both, however, keep all ports in one broadcast domain unless VLANs divide them — only a router or VLAN boundary breaks a broadcast domain.

| Device | Layer | Collision domains | Broadcast domains |
| --- | --- | --- | --- |
| Hub | 1 | One (shared) | One |
| Switch | 2 | One per port | One per VLAN |
| Router | 3 | One per interface | One per interface |

Exam framing

The 100-150 CCST Networking exam (50 minutes, with a question count Cisco says varies by exam form) tests that you can describe this behavior and recognize symptoms, not configure a switch. Expect questions that hand you a symptom — flooding, a dead port, a MAC flap — and ask for the most likely cause or the next data to collect.

Test Your Knowledge

How does an Ethernet switch learn which port is associated with a device's MAC address?


A switch receives a unicast frame whose destination MAC is not in its table. What does it do?


What is the default MAC address-table aging time on a Cisco switch, and why does it matter?
