How Ethernet Switches Work: MAC Address Learning and Frame Forwarding

An Ethernet switch is a fundamental Layer 2 network device that enables efficient communication between devices on a local network. Unlike hubs, which broadcast all incoming traffic to every port, switches intelligently forward data only to the intended recipient by learning and storing MAC addresses in a CAM table. This process reduces network congestion, improves security, and optimizes performance—all while operating transparently to end users.

Key Points

Switches forward Ethernet frames based on MAC addresses, not IP addresses (Layer 2 operation).
MAC addresses are 48-bit hardware identifiers unique to each network interface.
The CAM table (or MAC address table) dynamically maps MAC addresses to switch ports.
Flooding occurs when a switch doesn’t know the destination MAC, sending the frame to all ports except the source.
Unicast forwarding happens when the destination MAC is known, sending the frame only to the correct port.

How Ethernet Switches Operate

Core Functionality

A switch connects multiple devices (e.g., PCs, printers, servers) on a local area network (LAN) and forwards Ethernet frames between them. Its primary tasks are:

Learning: Recording source MAC addresses and their associated ports.
Forwarding: Sending frames only to the port where the destination device is connected.
Filtering: Preventing unnecessary traffic by not forwarding frames to irrelevant ports.

Key Insight: Switches eliminate collisions (a problem in hub-based networks) by creating dedicated communication paths between devices.

MAC Address Learning Process

Switches build their CAM table dynamically by inspecting the source MAC address of incoming frames. Here’s how it works:

Step-by-Step Example

Initial State: The CAM table is empty.

| MAC Address | Switch Port |
|-------------|-------------|
| (empty)     | (empty)     |

PC A Sends Data to PC B:
- Frame: Source MAC = AA:AA:AA, Destination MAC = BB:BB:BB.
- Switch Action:
  - Learns: Records AA:AA:AA → Ethernet 0/1 in the CAM table.
  - Forwards: Since BB:BB:BB is unknown, the switch floods the frame to all ports except Ethernet 0/1.
PC B Replies to PC A:
- Frame: Source MAC = BB:BB:BB, Destination MAC = AA:AA:AA.
- Switch Action:
  - Learns: Adds BB:BB:BB → Ethernet 0/2 to the CAM table.
  - Forwards: Sends the frame only to Ethernet 0/1 (unicast).

Updated CAM Table:

| MAC Address | Switch Port  |
|-------------|--------------|
| AA:AA:AA    | Ethernet 0/1 |
| BB:BB:BB    | Ethernet 0/2 |

Unicast vs. Flooding

Behavior	When It Happens	Impact
Unicast	Destination MAC is in the CAM table.	Efficient; frame sent to one port only.
Flooding	Destination MAC is not in the CAM table.	Inefficient; frame sent to all ports except source.

Note: Flooding is normal but temporary. Once the switch learns all MAC addresses, traffic becomes unicast.

Network Diagram Representation

Switches are typically depicted in network diagrams as:

    +---------+
    | Switch  |
    | ⇄       |  ← Bidirectional arrows indicate traffic flow
    +----+----+
         |
   ---------------
   |     |       |
Eth0/1 Eth0/2  Eth0/3
   |     |       |
 PC A  PC B    PC C

Common Misconceptions

❌ "Switches know all MAC addresses upfront." → Switches learn MAC addresses dynamically from incoming frames.
❌ "Flooding is the same as broadcasting." → Flooding is limited to a single switch; broadcasting sends frames to all devices on a network (e.g., ARP requests).
❌ "Switches operate at Layer 3." → Switches are Layer 2 devices. Routers operate at Layer 3.
❌ "Destination MAC addresses are used for learning." → Only source MAC addresses are recorded in the CAM table.

Practical Applications

Home Networks:
- Your Wi-Fi router includes a built-in switch to connect wired devices (e.g., smart TVs, gaming consoles).
- The first time your laptop communicates with a printer, the switch floods the frame. Subsequent prints are unicast.
Enterprise Networks:
- Large offices use managed switches to segment traffic (e.g., separating HR and Finance departments).
- VLANs (Virtual LANs) extend switch functionality by logically grouping devices.
Security:
- Switches limit eavesdropping by sending frames only to the intended port.
- MAC address spoofing can exploit CAM tables, so port security features are used to restrict device access.

Troubleshooting Tips

Issue: Devices can’t communicate after connecting to a switch.
- Check: Is the CAM table populated? Use show mac address-table (Cisco) or show mac-address (Juniper).
- Fix: Verify cables, port status, and MAC address conflicts.
Issue: Excessive flooding.
- Check: Are there loops in the network? Use Spanning Tree Protocol (STP) to prevent broadcast storms.
- Fix: Ensure all switches support STP or RSTP.

Learn More

Advanced Topics

Spanning Tree Protocol (STP): Prevents loops in redundant switch topologies.
VLANs: Logically segment a network into isolated broadcast domains.
Switch Stacking: Combine multiple switches into a single logical unit for scalability.
MAC Address Aging: How switches remove stale entries from the CAM table (default timeout: 300 seconds).

Commands to Explore

Vendor	Command	Purpose
Cisco	`show mac address-table`	View the CAM table.
Cisco	`clear mac address-table dynamic`	Clear learned MAC addresses.
Juniper	`show ethernet-switching table`	Display MAC address entries.
Linux	`bridge fdb show`	Inspect forwarding database entries.

Quick Summary

Switches learn MAC addresses from source addresses in incoming frames.
The CAM table maps MAC addresses to ports for efficient forwarding.
Flooding occurs for unknown destinations; unicast for known ones.
Switches operate at Layer 2 (Data Link) and do not modify frames.
Proper switch configuration improves performance, security, and scalability.

References

IEEE 802.3: Ethernet Standard
IEEE 802.1D: MAC Bridging (Spanning Tree Protocol)
Cisco Networking Academy: Switching Fundamentals
IETF RFC 894: Ethernet Encapsulation
Computer Networking: A Top-Down Approach (Kurose & Ross)