How does a switch learn MAC Addresses

@ReneMolenaar Why MAC address is required when we have IP address to communicate ? or Why IP address is required, can’t we communicate on the basis of MAC address only ?

Hello M M

The MAC and IP addresses are used together to allow network devices to communicate with each other. IP addresses allow the communication from end to end while MAC addresses are used within a specific subnet.

Think about it this way. If I was to give you my postal address, and I told you the number of my house on my street is 176, that would not give you enough information for you to find me. If you had already reached my street, then yes, you could find me with just that information.

The same is true of the MAC address. If I gave you the MAC address of my web server, you would not be able to reach it from your computer. But if I gave you my IP address, you would reach my network, and then using the MAC address (learned via ARP), you could communicate with the specific device on my network.

Remember that network communication functions in layers. The Network Layer is responsible for routing from end to end of a communication, and uses the IP protocol, while the Data link layer, where MAC addresses are used, is responsible for getting a frame to the appropriate device within a network segment.

It is indeed difficult to get your head around it especially if it is the first time you are going over these topics. It will take time, but I suggest you go over the following lessons which will help you understand more fully:

Also, take a look at the CCNA course linked below, and focus on Unit 2: Network fundamentals, which includes all of this information.

I hope this has been helpful!


Hi Laz,

I have a question here is that, can switch simultaneously learn multiple mac on single interface yes then how much at a time until aging timer expired ?

Hello Pradyumna

Yes, a switch can indeed learn multiple MAC addresses on a single port. For example, if you have two switches connected together, and you have 10 hosts connected to one switch, and 10 connected to the other, the ports connecting the two switches will register multiple MAC addresses in the MAC address table, whenever there is communication between hosts on each switch.

The ageing timer for MAC addresses remains the same (300 seconds by default) and is not affected by the number of MAC addresses that may register in the MAC address table on a particular interface.

I hope this has been helpful!


Thanks Laz clearly get it

Hi Dear,
In example explained by you in this lesson, you said a switch is a layer 2 device how a layer 2 device is utilizing layer 3 ICMP utility (Ping)? If its not L3/manageable switch?
Please Explain

Hello Ntlipcore

There are various concepts you mention in your post that require clarification in order to understand the concept of Layer 2 and Layer 3 devices.

  • A managed switch is a switch that you can connect to a management interface and change its configuration. A managed switch can be a Layer 2 switch or a Layer 3 switch.
  • A managed Layer 2 switch must be able to have an IP address, so that you can connect to it using Telnet or SSH (or HTTP as well) in order to configure it over the network. On a Cisco switch, this is typically done by creating an SVI on one of the VLANs and assigning it an IP address. This means that the switch, even though it is Layer 2, can ping to and from its IP address.
  • A Layer 3 switch is one that can perform inter-VLAN routing. A Layer 2 switch cannot.

I hope this has been helpful!


1 Like


If the switch interface is not learing the mac address but the inerface is up, In this case what all are the possible reasons behind this…

Hello Gowthamraj

If a switch receives a frame on a port it will always populate the MAC address table with the MAC address in the source field of the header. Always. The only exception to this rule is the listening state of the STP process, where a port is up, but it is not yet learning MAC addresses. It is just listening for any new BPDUs that may indicate a topology change. More on these port states can be found here:

I don’t know of any other situation where a switch port is up and is not recording the MAC addresses on the frames it receives in the MAC address table.

I hope this has been helpful!


1 Like

Hi Laz,

I have a doubt that when switch sends arp and when ethernet frame b/c here we are having pc than it must be having ip address so why it did not send arp instead of frame?

actually i am very confused that whenever any host in a network want to communicate with other host what and when it will send Arp, frame, packet ? please clarify this?

Hello Pradyumna

A switch will only send whatever is being sent through it. The ARP requests, frames, and packets are sent by the hosts, and are simply retransmitted by the switch.

All hosts maintain an ARP table that has a list of MAC to IP address mappings. If the destination IP of a packet a host wants to send does not have a corresponding MAC address in that ARP table, then it sends out an ARP request to learn the MAC address. Once it gets that information, it populates the Ethernet header and sends it out to the switch.

So an ARP request is sent by a host that does not know the MAC address of the destination it wants to send a packet to.

A frame and a packet are words that specify the protocol data unit (PDU) of the particular layer of the OSI model. They are the same thing, but are described at a different level. A packet is encapsulated into a frame before being sent out onto the network. Even an ARP request is encapsulated into a frame as well. Take a look at the following lesson about the OSI model that further explains these concepts.

I hope this has been helpful!


Is there a way to prevent a mac address x.y.z from being learnt on a particular interface Gi1/0/3 ? I tried MAC-ACL and it only acts in forwarding plane ie blocks forwarding from a source but doesn’t prevent learning happen of this mac on the interface

Hello Venka

Port security is a feature of switches that can be used to limit the MAC learning as well as the access of devices with specific MAC addresses to particular ports. You can specify which MAC addresses are allowed on a particular port. Any frames with disallowed MAC addresses will be blocked and will not be learned by the switch. You can find out more information about this feature at the following lesson:

I hope this has been helpful!


Hi Rene and staff,
there is a huge amount of information in the forum, so it is hard to be sure an answer to a question is not already in it; so i apologize if this is the case
i am reviewing the switch mecanism: perhaps it is basic but my CCNA is far away
Except for bad frames, I am very surprised that a switch do not drop UNICAST frames when the dest MAC is unknown: on the contrary it floods the frame on all other ports ( i cannot find the word drop in the web page)
I am talking only about UNICAST (flooding broadcast or all kinds of multicast frames is OK)

For unicast frames with ipv4, the sender has to build the frame using ARP, so there is only 3 cases:

  • the sender already knows the dest MAC: it can build and send the frame
  • the sender does not know the dest MAC; it sends an ARP request and gets a reply, so it can build and send the frame
  • the sender does not know the dest MAC; it sends an ARP request and does not get a reply, so it CANNOT build the frame; consequently it cannot send the frame and drops the frame (that is the sender, not the switch)

So first, in what context a SW would receive a UNICAST frame with an UNKNOWN dest MAC ?

  1. suppose that a legitimate sender (with an approved MAC source) has a malicious program in it and is not aware of it: that program builds and sends frames permanently with an unknown unicast dest MAC (= that will never be present on the LAN); so in this case, the SW will flood permanently these frames on the other ports ? Also i am sure you can put rate limits to solve this issue, the best way for the SW would be to drop the frame with unknown UNICAST dest MAC ? Could you clarify ?

Take the example below with a bridge

which segments the LAN in two parts
Suppose A sends an UNICAST frame to C that does not exist on the LAN: does the bridge flood the frame on the other segment or drop the frame ?
i am confused, could you clarify ?

Hello Dominique

It all has to do with timers. The default MAC address table timeout is 300 seconds or 5 minutes. If a host has an ARP table timeout that is larger than that, then you can have a situation where the destination MAC address is not in the MAC address table of the switch, but still exists in the ARP table of the host. So the host will send a frame with that destination MAC without sending an ARP packet. The switch will not have the MAC address in its table, and will flood the frame.

Another case where you will have unicast flooding is in the case of asymmetric routing, something that is further described in this lesson:

Additional causes of flooding can be found in this Cisco document:

Now how do you deal with this flooding? There are several things you can do.

  1. Make sure your network design is correct so that the situations in the above stated documentation and links are avoided.
  2. Use the switchport block unicast command on Cisco IOS switches. More about this can be found at this Cisco documentation.
  3. You can also use the switchport protected command, more about which you can read at this Cisco documentation.

The switch will continue to flood the frame unless one of the above configurations is implemented.

I hope this has been helpful!


Why the trunk port of SW1 learns about the hosts connected to SW2 but not learning the hosts connected to itself?

Hello Ananth

A switch will populate its MAC address table based on the source MAC address of incoming frames on a particular port. For this reason, Gi0/3 (regardless of whether it is configured as an access or trunk port) will have MAC table entries only for the MAC addresses of H3 and H4. This is because you will never see an incoming frame with a source MAC address of H1 or H2 on Gi0/3. Those MAC addresses are recorded as corresponding to Gi0/1 and Gi0/2, respectively, which will see incoming frames with those MAC addresses in the source field.

I hope this has been helpful!


I have one question here.

What if H1 send packet without source mac address(blank) and destination address as H2. In that case what switch will do?

Hello Rahul

A host cannot have a blank value for the source MAC address in the header of the Ethernet frame. The possible values for the 48 bit MAC address range (in hex) from 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF, so you can’t have a blank value.

The special case of 00:00:00:00:00:00 is used for localhost MAC address or it is used in ARP requests as the target hardware address whenever this is unknown, but in such cases, the field is ignored.

I hope this has been helpful!


Hello Laz,

thanks for responding earlier responses on my queries.

Pls confirm that do mac-learning-limit on port channel in Dell switches restricts dhcp behaviour of IPv6?

Is it so?

Nitin Arora