Switching Frame Decision – To Filter, Flood, or Forward as the MAC table is built, and a brief look at Layer 2 history!

Layer2 Switch

Lets start from the verrrrry beginning of Switching time, when Dinosaurs roamed the internet.

First came the Hub (and Bridge) that acted as one single Collision and Broadcast domain, so all nodes on the network used essentially a shared medium, which was made possible by something called CSMA/CD.

What is CSMA/CD? I’m glad you asked. Carrier Sense Multi-Access Collision Detection.

In English that means each node “listened” to its cable or ‘wire’ for any other nodes transmitting data, because they all used one shared media via the Hub, so only one Node on the network could transmit data at one time which lead to Data Collisions.

(Please excuse the past tense)

When a Data Collision occurred or was sensed by a change in voltage on the line, all nodes would produce a Jam signal on the ‘line’ and invoke a random backoff timer before attempting to transmit data again, which with being random it wasn’t very likely that two timers would be the same and collisions would continue.

This is what CSMA/CD did, it was an algorithm you might say to detect data transmission, and backoff when collisions occurred on the shared medium (wire).

However, times have changed, and the only place you will hopefully see a Hub is on your CCNP SWITCH exam as a gotcha, which you will now be prepared for!


I agree, lets shift gears, because Switching introduced a mega change to Data Transmission. I’d like to break this up in bullet points so they really stand out:

  • Every port on a switch is considered its own separate Collision Domain
  • By default, all ports of a Switch are in the same Broadcast domain
  • VLAN’s are used to break up Broadcast Domains, but that is for later
  • Bandwidth increased theoretically to 200 mbps (100 up / down)

I am going to break this down so it is straight forward on how the MAC address table is built, and how this leads to the decision by the switch to either flood / filter / forward a frame that it receives.

Lets say a brand new switch is plugged into PC A and PC B, with mac addresses of aaaa.aaaa.aaaa and bbbb.bbbb.bbbb, and neither of those are in its MAC table yet because neither PC has transmitted Data.

So PC A sends a ping over to PC B, and upon receiving the Frame, the switches very first action is to look at the source MAC address first to see if it has it in its MAC table. If it does not have an entry, it will put aaaa…. MAC in it’s table and continue onto where the decision begins to happen.

Now the switch will look up the destination MAC of bbbb…. to see if it is in it’s MAC table, which in this scenario again it is not, because PC B has sent no data! So the Switch will flood the Frame out of every port on the switch EXCEPT THE PORT THE FRAME CAME IN ON, so every node connected to it will get a copy of that Frame, and the node with the corresponding Destination MAC will respond back to the Switch.

Upon receiving the Frame back from PC B, it will again look at it’s MAC table, and not find an entry for bbbb…. so it will add the MAC address and then look at the destination and see aaaa…. and now it will Forward the Frame to PC A.

So now the Switch knows the MAC address of PC A and B, so it will now Forward Frames between the two nodes, but if a PC C with a MAC of cccc.cccc.cccc is added the Flood will occur again.

^ This is how the MAC address table is built, and this is very important to know. The Switch looks at the source MAC first, and if it does not have an entry in it’s MAC table for that MAC address to that port, it creates an entry and this is how the table is built!

The final decision to Filter a Frame, is if it receives a Frame with a matching MAC address on a port that it has an entry for in its MAC table.

So if PC A and B are plugged into a Hub that is plugged into an upstream switch, and PC A sends data to PC B, the Switch will show them off the same port number (because the Hub is a shared medium) and drop or Filter the Frame.

A couple important things to note:

  • A flooded frame is called an “unknown unicast frame”, as even though it’s being flooded, it is still a single source to a single destination hence Unicast
  • A MAC address with all F’s is a Broadcast Frame, intended for all hosts
  • Multicast Frames have a range of 0100.5e00.0000 – 0100.5e7f.ffff (good luck remembering that) I’d say try to remember the last hextets of first ending set being 0000 and the second last set being ffff
  • The correct syntax for IOS 12.2x to view the MAC table is “sh mac address-table”, older versions of IOS use “sh mac-address-table” with 3 hyphens but it seems IOS 12.2 and forward only uses 2 hyphens, so do not let that trip you up!

And that wraps up the beginning to the next journey in the struggle for CCNP Status, and really just a review of CCNA level topics that I haven’t looked at for quite some time.

So, here we go again! 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s