What does a switch do if it receives a packet with unknown destination MAC address?

Please let me start by saying I am no network expert, I am a programmer who does a fair amount of L3/4 programming.

My question is: when a switch receives a packet with a destination MAC that is not found in its ARP table for whatever reason, what is the action performed? Do they send an ARP? Send the packet on all output interfaces?

Falcon Momot


asked Mar 13, 2014 at 20:24

ARP resolves IP addresses to MAC addresses. Switches don't ARP for traffic sent from one host to another host. As such you wouldn't find an entry for the destination host in the switch's ARP table unless the switch itself is trying to communicate with that destination host.

What you're looking for is the switch's MAC address table, which is its MAC address to port table, which tells the switch which MAC address is accessible via which port.

In the case where the switch's MAC address table doesn't have an entry for the destination host the switch will flood/forward the frame to all ports. Note that I didn't use the term broadcast as this is not a broadcast. Unicast traffic is flooded in this scenario, broadcast traffic is broadcasted.

answered Mar 13, 2014 at 21:08

joeqwerty

The frame is forwarded out all interfaces except the interface on which it was received. MAC addresses are added to the address table when the switch receives a frame from that address.

answered Mar 13, 2014 at 20:26

1

A switch is a layer 2 device, so it doesn't look for IP addresses. As joeqwerty said, ARP helps you get the destination MAC address based on the destination IP address. When a switch doesn't have a destination MAC address in its table, it sends the frame to all its ports except the one it received the frame from.

answered Jun 18, 2014 at 3:52

What is the default behavior of a Layer 2 switch when a frame with an unknown destination MAC address is received?

  • A. The Layer 2 switch forwards the packet and adds the destination MAC address to its MAC address table.
  • B. The Layer 2 switch sends a copy of a packet to CPU for destination MAC address learning.
  • C. The Layer 2 switch floods packets to all ports except the receiving port in the given VLAN.
  • D. The Layer 2 switch drops the received frame.


Suggested Answer: C
If the destination MAC address is not in the CAM table (unknown destination MAC address), the switch sends the frame out all other ports that are in the same VLAN as the received frame. This is called flooding. It does not flood the frame out the same port on which the frame was received.


A MAC address table, sometimes called a Content Addressable Memory (CAM) table, is used on Ethernet switches to determine where to forward traffic on a LAN. Now let's break this down a little bit to understand how the MAC address table is built and used by an Ethernet switch to help traffic move along the path to its destination. We will use the graphic in Figure 1.


Figure 1 Basic switched network.

In Figure 1, a switch is surrounded by a number of common devices. Let's assume that all of the devices are powered on but have not sent any traffic. In this case, the MAC address table of the switch would be empty (ignoring any system MAC addresses shown in the table by default).

Now suppose PC1 wants to send traffic to the server that has a MAC address of 00:00:00:00:00:01. It would encapsulate an Ethernet frame and send it off toward the switch. The first thing the switch would do when receiving the traffic is create a new entry in its MAC address table for PC1's MAC address (PC1 -> Fa0/3). The switch would then perform a lookup on its MAC address table to determine whether it knows which port to send the traffic to; since no matching entries exist in the switch's tables, it would flood the frame out all of its interfaces (except the receiving port).

Because the frame was sent out to all of the switch's other ports, it would be received by the target server. Assuming that the server wants to respond to PC1, it would send a new frame back toward the switch. The switch would receive the frame and create a new entry in its MAC address table for the server's MAC address (Server -> Fa0/2). It would then perform a lookup of its MAC address table to determine whether it knows which port to send the server's traffic to; in this case it does, so it sends the return traffic out only its Fa0/3 port (PC1), without flooding. Listing 1 shows what the MAC address table would look like at this point.

Listing 1—MAC address table example.

    2960-1#show mac address-table
              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    001d.70ab.5d60    DYNAMIC     Fa0/2
       1    001e.f724.a160    DYNAMIC     Fa0/3
    Total Mac Addresses for this criterion: 2
    2960-1#

This process repeats as devices continue to send traffic to each other. An important detail to remember is that the MAC address table timeout is typically short (Cisco's default is five minutes), so an entry is left in the table itself only for that specified amount of time before the timeout expires and the entry is removed from the table.

Now we will move on to the question of how the devices get the destination MAC addresses to begin this process; in a word, ARP.


The CAM table cannot be populated with the source address so other action must be taken. Is the switch going to drop the packet?

Each network card has a unique identifier called a Media Access Control (MAC) address. This address is used in LANs for communication between devices on the same network segment. Devices that want to communicate need to know each other's MAC addresses before sending out packets.

Switches also use MAC addresses to make accurate forwarding or filtering decisions. When a switch receives a frame, it associates the media access control (MAC) address of the sending device with the port on which it was received. The table that stores such associations is called a MAC address table. This table is stored in volatile memory, so associations are erased after the switch is rebooted.

Switches usually perform these three functions in a LAN:

  • address learning – switches learn MAC addresses by examining the source MAC address of each received frame.
  • forward/filter decisions – switches decide whether to forward or filter a frame, based on the destination MAC address.
  • loop avoidance – switches use Spanning Tree Protocol (STP) to prevent network loops while still permitting redundancy.

To better understand how a network switch works, take a look at the following example:

Let’s say that host A wants to communicate with host B for the first time. Host A knows the IP address of host B, but since this is the first time the two hosts communicate, the hardware (MAC) addresses are not known. Host A uses the ARP process to find out the MAC address of host B. The switch forwards the ARP request out all ports except the port the host A is connected to. Host B receives the ARP request and responds with its MAC address. Host B also learns the MAC address of host A (because host A sent its MAC address in the ARP request). Host C receives the ARP request, but doesn’t respond since the IP address listed in the request is not its own.

As mentioned above, a switch learns which MAC addresses are associated with which port by examining the source MAC address of each received frame. Because host B responded with the ARP reply that included its MAC address, the switch knows the MAC address of host B and stores that address in its MAC address table. For host A, the switch knows its MAC address because of the ARP request that included it.

Now, when host A sends a packet to host B, the switch looks up the destination in its MAC address table and forwards the frame only out the Fa0/2 port, the port to which host B is connected. Other hosts on the network will not be involved in the communication.

NOTE
By default, MAC addresses stay in the switch’s MAC address table for 5 minutes. So if host A and host B decide to communicate inside the next 5 minutes, a new ARP process will not be necessary.

You can display the MAC address table of the switch by using the show mac-address-table command:

    Switch#show mac-address-table
              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0003.e489.513e    DYNAMIC     Fa0/2
       1    00e0.8f13.6970    DYNAMIC     Fa0/1

The output is pretty much self-explanatory: all ports belong to VLAN 1 and MAC addresses associated with specific ports are listed. DYNAMIC means that the addresses were learned dynamically by using the source MAC address of the received frames.
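A parser for the table format shown above, as an added Python example that is not part of the original article. It groups dynamically learned addresses by port and lists ports that hold more than an expected number of them, which is a quick audit for access ports that should serve a single host. The first two sample rows come from the listing above; the other two rows, the function names and the limit of 1 are constructed for illustration.

```python
import re
from collections import defaultdict

# One table row: VLAN id, dotted-hex MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Sample input: rows 1-2 are from the listing, rows 3-4 are constructed.
SAMPLE = """\
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0003.e489.513e    DYNAMIC     Fa0/2
   1    00e0.8f13.6970    DYNAMIC     Fa0/1
   1    00e0.8f13.6971    DYNAMIC     Fa0/1
   1    0001.c7aa.0001    STATIC      Fa0/3
"""


def parse_mac_table(text):
    """Return one dict per table row; prompts, headers and rulers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append({"vlan": int(m["vlan"]), "mac": m["mac"].lower(),
                            "type": m["type"].upper(), "port": m["port"]})
    return entries


def dynamic_macs_by_port(entries):
    """Map (vlan, port) to the set of dynamically learned MACs seen there."""
    by_port = defaultdict(set)
    for e in entries:
        if e["type"] == "DYNAMIC":
            by_port[(e["vlan"], e["port"])].add(e["mac"])
    return by_port


def ports_over_limit(entries, limit):
    """List ports whose count of dynamic MACs exceeds the expected limit."""
    return sorted(
        f"{port} (VLAN {vlan}): {len(macs)} dynamic MACs"
        for (vlan, port), macs in dynamic_macs_by_port(entries).items()
        if len(macs) > limit
    )


if __name__ == "__main__":
    for finding in ports_over_limit(parse_mac_table(SAMPLE), limit=1):
        print(finding)
```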


You may have noticed that every piece of hardware on your local network has a MAC address in addition to the IP address. Besides switches, which have their own switch MAC addresses, every device that connects to the Internet has this unique identifying number: desktop computers, laptops, cell phones, tablets, wireless security cameras, and even your connected refrigerator. So, why do your network devices need two addresses to connect to a network? Isn’t an IP address sufficient? What exactly is that MAC address for?

To put the MAC (Media Access Control) address in layman’s terms, you can think of the MAC address as your unique digital fingerprint, which is one of a kind in the world. A MAC Address is given by the manufacturer and it is embedded in the chip that allows your device to connect to a network. For a network switch, it is likely to have many MAC addresses, since one MAC address is assigned to every interface on the switch.

An Overall View of Mac Address

A MAC address, also known as “hardware address” or “physical address”, is a binary number used to uniquely identify computer network adapters. Packets that are sent on the Ethernet always come from a MAC address and are sent to a MAC address. When a network adapter receives a packet, it compares the packet’s destination MAC address to the adapter’s own MAC address. If the addresses match, the packet is processed; otherwise it is discarded. Traditional MAC addresses are 12-digit hexadecimal numbers. The leftmost six hexadecimal digits of the address correspond to a manufacturer's unique identifier, while the rightmost six digits correspond to the serial number of the network interface card (NIC).

MAC vs IP Address Relationship

Initially it might seem that IP addresses and MAC addresses are redundant because both are unique identifiers of networked devices, but they actually serve different purposes, and are visible in very different ways. MAC operates at Layer 2 of the OSI model while IP operates at Layer 3.

MAC addresses are typically used only to direct packets from one device to the next device as data travels on a network. That means that the MAC address of your computer’s network adapter travels the network only until the next device along the way. If you have a router, then your machine’s MAC address will go no further than that. When your computer wants to send a packet to some IP address x.x.x.x, the first check is whether the destination address is in the same IP network as the computer itself. If x.x.x.x is in the same network, then the destination IP can be reached directly; otherwise the packet needs to be sent to the configured router. So do you see what’s going on? The MAC address just gets the data packet to the next device, but the IP address is responsible for getting it to the ultimate destination.

What Do Switches Use Mac Address For?

Switches are unlike hubs or repeaters. A hub simply rebroadcasts every signal on every port to every other port, which (while inefficient and slow) is easy to create. A switch, on the other hand, intelligently directs traffic between systems by routing packets only to their proper destination. To do this, it keeps track of the MAC addresses of the NICs plugged into each port. MAC addresses need to be unique, or at least highly unlikely to be repeated, for switches to identify different ports and devices, which is why manually setting a MAC address can have unexpected consequences in a switched network. Switches usually have a bunch of MAC addresses reserved in their MAC address tables. When forwarding a frame, the switch first looks up the MAC address table by the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast, so broadcasts are reduced.

How Do Switches Learn Mac Address?

Since a switch has some intelligence, it can build the MAC address table automatically. The following part will illustrate how a switch learns MAC addresses.

There’s a switch in the middle and we have 3 computers around. All computers have a MAC address but they are simplified as AAA, BBB, and CCC. The switch has a MAC address table and it will learn where all the MAC addresses are in the network. Now, assuming Computer A is going to send something to Computer B:

Computer A is going to send some data meant for computer B, thus it will create an Ethernet frame which has a source MAC address (AAA) and a destination MAC address (BBB). The switch has a MAC address table and here’s what will happen:

The switch builds its MAC address table from source MAC addresses only. At this moment it has just learned that the MAC address of computer A is on interface 1, and it adds this information to its MAC address table. But the switch currently has no information about where computer B is located. There’s only one option left: to flood this frame out of all its interfaces except the one it came from. Computer B and computer C will both receive this Ethernet frame.

Since computer B sees its MAC address as the destination of this Ethernet frame, it knows the frame is meant for it; computer C will discard it. Computer B is going to respond to computer A, build an Ethernet frame and send it towards the switch. At this moment the switch will learn the MAC address of computer B. That’s the end of our story: the switch now knows both MAC addresses, and the next time it can “switch” instead of flooding Ethernet frames. Computer C will never see any frames between Computer A and B except for the first one, which was flooded. You can use the show mac address-table dynamic command to see all the MAC addresses that the switch has learned.

One other point worth emphasizing here is that the MAC address table on the switch uses an aging mechanism for dynamic entries. If the MAC addresses of Computers A and B are not updated within their aging time, they will be deleted to make room for new entries, which means the frames between computer A and B will be flooded to Computer C again if A wants to transfer information to B.
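The learn, flood, forward and age-out sequence described above, as an added Python model (not code from the original article or from any switch vendor). The `LearningSwitch` class, the port numbers, the `FFF` broadcast stand-in and the VLAN assignment are assumptions made for illustration; port 4 sits in a second VLAN to show that flooding stays inside the VLAN the frame arrived in.

```python
from dataclasses import dataclass, field

BROADCAST = "FFF"  # stand-in for ff:ff:ff:ff:ff:ff, in the AAA/BBB/CCC shorthand


@dataclass
class LearningSwitch:
    port_vlan: dict        # port number -> VLAN id (assumed topology)
    aging: int = 300       # seconds; the 5-minute default mentioned in the text
    table: dict = field(default_factory=dict)  # (vlan, mac) -> (port, last_seen)

    def _age_out(self, now):
        """Delete dynamic entries that were not refreshed within the aging time."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen >= self.aging]
        for key in stale:
            del self.table[key]

    def receive(self, in_port, src, dst, now):
        """Process one frame and return (action, list of egress ports)."""
        vlan = self.port_vlan[in_port]
        self._age_out(now)
        # Learning looks at the SOURCE address only and refreshes the timer.
        self.table[(vlan, src)] = (in_port, now)
        hit = self.table.get((vlan, dst))
        if dst == BROADCAST or hit is None:
            # Unknown unicast or broadcast: every port in the same VLAN
            # except the one the frame arrived on.
            ports = sorted(p for p, v in self.port_vlan.items()
                           if v == vlan and p != in_port)
            return ("flood", ports)
        if hit[0] == in_port:
            return ("filter", [])  # destination lives on the ingress port
        return ("forward", [hit[0]])


def walkthrough():
    """Replay the A/B/C story: A on port 1, B on port 2, C on port 3."""
    sw = LearningSwitch(port_vlan={1: 1, 2: 1, 3: 1, 4: 2})
    return [
        sw.receive(1, "AAA", "BBB", now=0),    # B unknown: C also sees the frame
        sw.receive(2, "BBB", "AAA", now=1),    # A was learned: only port 1
        sw.receive(1, "AAA", "BBB", now=2),    # B was learned: only port 2
        sw.receive(1, "AAA", "BBB", now=400),  # entries aged out: flooded again
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The last step is the one that matters for confidentiality: after the aging time passes without traffic from B, unicast frames for B are again delivered to every port in the VLAN.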

How to Configure Your Switch Mac Address Table?

A MAC address table is maintained for frame forwarding, which can be dynamically learned or manually configured. The former has been introduced in the previous text, and the next part will focus on how to configure the MAC addresses manually to adapt to network changes and enhance network security.

To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, fending off MAC address spoofing attacks. In addition, you can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.

To add or modify a static, dynamic, or blackhole MAC address table entry:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Add or modify a dynamic or static MAC address entry.
    Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
    Remarks: Use either command.
Step 3. Add or modify a blackhole MAC address entry.
    Command: mac-address blackhole mac-address vlan vlan-id

You can configure a multi-port unicast MAC address table entry to associate a unicast MAC address with multiple ports, so that packets that match the entry are delivered to multiple destination ports.

To configure a multi-port unicast MAC address table entry:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure a multi-port unicast MAC address table entry.
    Command: mac-address multiport mac-address interface interface-list vlan vlan-id
    Remarks: No multi-port unicast MAC address table entries exist by default. Make sure that you have created the VLAN and assigned the interfaces to the VLAN.

The MAC address table on your switch uses an aging mechanism for dynamic entries, so dynamic MAC address entries that are not updated within their aging time are deleted to make room for new entries, and the MAC address table is promptly updated to accommodate the latest network changes.

To configure the aging timer for dynamic MAC address entries:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure the aging timer for dynamic MAC address entries.
    Command: mac-address timer { aging seconds | no-aging }
    Remarks: Optional. The value range of the aging timer is 10 to 3600 seconds and the default value is 300 seconds.

To prevent the MAC address table from getting so large that the forwarding performance of the switch degrades, you can limit the number of MAC addresses that can be learned on a port.

To configure the MAC learning limit on ports:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter Ethernet interface, port group, or Layer 2 aggregate interface view.
    Command (Ethernet interface view): interface interface-type interface-number
    Command (port group view): port-group manual port-group-name
    Command (Layer 2 aggregate interface view): interface bridge-aggregation interface-number
    Remarks: Use any command. Settings in Ethernet interface view or Layer 2 aggregate interface view take effect on the current port only. Settings in port group view take effect on all the member ports in the port group.
Step 3. Configure the MAC learning limit on an interface, and configure whether frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached.
    Command: mac-address max-mac-count { count | disable-forwarding }
    Remarks: By default, the maximum number of MAC addresses that can be learned on an interface is not specified.

You may also limit the number of MAC addresses that can be learned on a per-VLAN basis.

To configure the MAC learning limit on a VLAN:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: N/A
Step 3. Configure the MAC learning limit on a VLAN, and configure whether or not frames with unknown source MAC addresses can be forwarded in the VLAN when the upper limit is reached.
    Command: mac-address max-mac-count { count | disable-forwarding }
    Remarks: By default, the maximum number of MAC addresses that can be learned on a VLAN is not specified.

Task 1. Display MAC address table information.
    Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Task 2. Display the multi-port unicast MAC address table entries.
    Command: display mac-address multiport [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view
Task 3. Display the aging timer for dynamic MAC address entries.
    Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Summary

Admittedly, when it comes to MAC, men tend to think of the fantastic computer while women think of a thing of beauty. But when we hear the term “MAC Address”, now we know we are talking about an entirely different beast. Since MAC Addresses are unique to the network card and not reused, they are quite useful and important in applications. Network switches store a list of MAC addresses seen at every port and only forward packets to the ports that need to see the packet. Wireless access points often use MAC addresses for access control. They only allow access for known devices. Besides, DHCP (Dynamic Host Configuration Protocol) servers use the MAC address to identify devices and give some devices fixed IP addresses.


What if a MAC address is unknown?

If the source MAC address for a packet is not known by the switch, then the switch will learn the MAC address and point it to the interface that the packet arrived on. If the destination MAC address is not known by a switch, then the packet will be flooded to all unblocked ports.

What happens when a switch receives a packet that has a destination MAC address the switch has not seen before?

If the destination MAC address is not in the table, the switch will forward the frame out all ports except the incoming port. This is known as an unknown unicast. If the destination MAC address is a broadcast or a multicast, the frame is also flooded out all ports except the incoming port.

What does a switch employ if it cannot find the destination MAC address of the frame?

If the switch does not find the destination MAC address in its MAC address table in the VLAN to which the frame belongs, it will "flood" the frame (i.e. it will forward the frame to each forwarding port in that VLAN except the port from which the frame was received).