linuxlab.io
Copyright © 2026 LinuxLab. All rights reserved.

How a switch learns: MAC learning

A switch knows nothing at startup. In the first seconds of traffic it builds its own map of who is on which port and stops flooding frames.

When you plug a new switch into the wall, it can switch, but it does not know who is connected to which ports. How does it start working the right way within a couple of seconds, with targeted delivery instead of flooding?

The magic is the CAM table (Content-Addressable Memory). This is a table of MAC address ↔ port number that the switch learns by itself by watching the traffic passing through. Every incoming frame carries a source MAC, and the switch simply looks and records: "ah, this MAC lives on this port".

Press ▶ and watch an empty switch learn in 3 frames and go from "flood everything" mode to "targeted delivery".

[Interactive animation, step 1/5: switch on, knows nothing. An L2 switch with ports p1, p2, p3, p4 and hosts A (aa:aa:aa:11), B (bb:bb:bb:22), C (cc:cc:cc:33), D (dd:dd:dd:44). CAM table (MAC address, port, age): empty. The switch is powered on and the CAM table is empty, so it does not know who is on which port.]

§ steps

  1. The switch just booted. The CAM table is empty. It can receive and send frames, but it does not know which MACs live on which ports.

    Any frame that arrives now will make it flood a copy to all ports, because the dst MAC is unknown to it.

recap

What matters to remember:

  • The switch learns only from the source MAC of incoming frames. It never learns from the destination MAC, because dst can be fake or a broadcast
  • If the destination MAC is unknown, the switch floods the frame to all ports except the incoming one (this is called unknown unicast flood). Do not confuse it with a broadcast (ff:ff:ff:ff:ff:ff). A broadcast is always flooded, it does not depend on the CAM
  • Entries age out (aging). Usually after 300 seconds without traffic an entry is deleted. On the next frame the switch learns again. This matters: otherwise, if a device moved between ports, it would become "unreachable"
  • MAC flooding attack: an attack on the switch where an attacker floods the CAM table until it overflows. The switch starts behaving like a hub, flooding all traffic to all ports. The defense is port security (limiting the number of MACs per port)
  • How the CAM table differs from the ARP table: the CAM lives in the switch and stores MAC ↔ port. ARP lives in the host and stores IP ↔ MAC. Different layers, different jobs
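
The learning, flooding, aging and port-security behaviour from the recap, as an added Python example (a toy model written for this page, not code from linuxlab.io). The `Switch` class, its 8-entry `cam_size`, the `max_macs_per_port` limit and the `02:00:00:...` source MACs are constructed for illustration; a real switch holds thousands of entries and its violation handling depends on the vendor.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Toy learning switch. cam_size and max_macs_per_port are assumed knobs."""
    def __init__(self, ports, cam_size=8, aging=300, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                       # MAC -> (port, last_seen_seconds)
        self.cam_size = cam_size            # tiny on purpose; real tables hold thousands
        self.aging = aging                  # 300 s, the usual value named in the recap
        self.max_macs = max_macs_per_port   # None = port security off

    def _learn(self, src, port, now):
        """Record src on port. Return False if port security rejects the frame."""
        if src in self.cam:                 # refresh the timer, or follow a moved host
            self.cam[src] = (port, now)
            return True
        on_port = sum(1 for p, _ in self.cam.values() if p == port)
        if self.max_macs is not None and on_port >= self.max_macs:
            return False                    # violation: the frame is dropped
        if len(self.cam) < self.cam_size:   # a full table cannot learn anything new
            self.cam[src] = (port, now)
        return True

    def receive(self, port, src, dst, now=0):
        """Process one frame and return the list of ports it is sent out of."""
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t < self.aging}          # age out idle entries
        if not self._learn(src, port, now):
            return []
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst][0]
            return [out] if out != port else []       # targeted delivery
        return [p for p in self.ports if p != port]   # broadcast / unknown unicast

def reply_after_many_macs(max_macs_per_port):
    """Port 4 shows 20 source MACs, then A and B talk. Returns where B's reply goes."""
    sw = Switch([1, 2, 3, 4], cam_size=8, max_macs_per_port=max_macs_per_port)
    for i in range(20):                               # constructed MACs on port 4
        sw.receive(4, f"02:00:00:00:00:{i:02x}", BROADCAST)
    sw.receive(1, "aa:aa:aa:11", "bb:bb:bb:22")       # A -> B
    return sw.receive(2, "bb:bb:bb:22", "aa:aa:aa:11")  # B -> A

if __name__ == "__main__":
    print("no port security:", reply_after_many_macs(None))   # reply is flooded
    print("limit 2 per port:", reply_after_many_macs(2))      # reply is targeted
```

Without the per-port limit the full table can no longer learn A or B, so B's reply is flooded to every other port; with the limit, port 4 is capped at two entries and the reply goes only to A's port.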

Related to arp (how a host learns a neighbor's MAC) and broadcast-domain (where the switch must flood).

§ dig into the knowledge base

  • mac-address - MAC address: what it is and why
  • arp - ARP: how a host finds a MAC
  • broadcast-domain - broadcast domain: where the switch works
  • ethernet-frame - Ethernet frame: the src/dst MAC fields