MAC Address Table Management

Every Cisco switch maintains a MAC address table — also called the CAM table (Content Addressable Memory) — that maps source MAC addresses to the switch port and VLAN they were learned on. Without this table, a switch would flood every frame out all ports like a hub. With it, a switch can make an intelligent forwarding decision: send a frame only to the port where the destination MAC was last seen.

MAC entries are either dynamic — learned automatically when a frame arrives — or static — manually configured by an administrator to permanently bind a MAC address to a specific port and VLAN. Understanding how to read, configure, and tune the MAC table is a foundational Layer 2 skill for both the CCNA exam and real-world network operations.

Before starting, ensure your switches have VLANs assigned to ports as covered in Assigning VLANs to Switch Ports. For security applications of MAC address tracking, see Port Security & Sticky MAC and Port Security Violation Modes. To view the MAC table from IOS, see show mac address-table and MAC Address Table — How It Works.

1. MAC Address Table — Core Concepts

How the CAM Table Works

When a frame arrives on a switch port, the switch performs two actions simultaneously — one for the source MAC and one for the destination MAC:

  Frame arrives on Fa0/1 from PC1 (MAC: aabb.cc00.0001) destined for PC2 (MAC: aabb.cc00.0002)

  SOURCE MAC learning:
  ┌─────────────────────────────────────────────────────────────────┐
  │  Is aabb.cc00.0001 already in the MAC table on VLAN 10?         │
  │  NO  → Add entry: aabb.cc00.0001 | VLAN 10 | Fa0/1 | dynamic   │
  │  YES → Refresh aging timer for that entry                       │
  └─────────────────────────────────────────────────────────────────┘

  DESTINATION MAC forwarding:
  ┌─────────────────────────────────────────────────────────────────┐
  │  Is aabb.cc00.0002 in the MAC table for VLAN 10?                │
  │  YES → Forward ONLY out the port mapped to that MAC             │
  │  NO  → FLOOD the frame out ALL ports in VLAN 10 (except source) │
  └─────────────────────────────────────────────────────────────────┘
  

Dynamic vs Static MAC Entries

| Property | Dynamic | Static |
|---|---|---|
| How it's added | Automatically learned from arriving frames | Manually configured by administrator |
| Persistence | Lost on reboot or when aging timer expires | Survives reboots (saved in running-config) |
| Aging timer | Default 300 seconds (5 minutes) — resets on each frame | No aging — permanent until manually removed |
| Typical use | All end devices — PCs, phones, servers | Critical servers, printers, security cameras — devices that must always forward to the same port |
| Security benefit | None — any device can cause dynamic learning on any port | Traffic from that MAC only forwards to the specified port — frames from the same MAC on other ports are dropped |

MAC Table Entry States

| State | Description | Shown in show mac address-table |
|---|---|---|
| DYNAMIC | Learned from a source MAC in a received frame. Expires after the aging timer. | DYNAMIC |
| STATIC | Manually configured. Never ages out. Survives reboot. | STATIC |
| SECURE | Added by Port Security (sticky or manually defined). Treated as static under port security rules. | STATIC (with port security active) |
| CPU | Reserved for switch management traffic — maps to the CPU/supervisor. Not a user port. | CPU |

2. Lab Topology & Scenario

This lab uses a single Cisco Catalyst switch (NetsTuts_SW1) with four devices connected across two VLANs. The objectives are: observe dynamic MAC learning, configure static MAC bindings for the server and printer, tune aging timers, and use show mac address-table to map every device to its port.

                         NetsTuts_SW1
              ┌──────────────────────────────────┐
   Fa0/1 ────┤ PC1         VLAN 10 (Staff)       │
   Fa0/2 ────┤ PC2         192.168.10.0/24        │
   Fa0/3 ────┤ FileServer  192.168.10.100         │  ← Static MAC binding
   Fa0/4 ────┤ PC3         VLAN 20 (Guest)        │
   Fa0/5 ────┤ Printer     192.168.20.50          │  ← Static MAC binding
              └──────────────────────────────────┘

  Device MAC Addresses (for reference):
  PC1        → aabb.cc00.0001   Fa0/1   VLAN 10
  PC2        → aabb.cc00.0002   Fa0/2   VLAN 10
  FileServer → aabb.cc00.0010   Fa0/3   VLAN 10   (STATIC binding)
  PC3        → aabb.cc00.0003   Fa0/4   VLAN 20
  Printer    → aabb.cc00.0020   Fa0/5   VLAN 20   (STATIC binding)

  Lab Objectives:
  1. Observe dynamic MAC learning with show mac address-table
  2. Clear dynamic entries and watch re-learning
  3. Configure static MAC bindings for FileServer and Printer
  4. Tune the global aging timer from 300s to 120s
  5. Disable aging on a specific VLAN (aging-time 0)
  6. Verify all entries with show mac address-table
  
| Device | MAC Address | Port | VLAN | Entry Type |
|---|---|---|---|---|
| PC1 | aabb.cc00.0001 | Fa0/1 | 10 | Dynamic |
| PC2 | aabb.cc00.0002 | Fa0/2 | 10 | Dynamic |
| FileServer | aabb.cc00.0010 | Fa0/3 | 10 | Static |
| PC3 | aabb.cc00.0003 | Fa0/4 | 20 | Dynamic |
| Printer | aabb.cc00.0020 | Fa0/5 | 20 | Static |

3. Step 1 — Observe Dynamic MAC Learning

After devices send traffic, the switch automatically populates its MAC table. Use show mac address-table to inspect learned entries before making any manual changes:

NetsTuts_SW1>en
NetsTuts_SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  10    aabb.cc00.0010    DYNAMIC     Fa0/3
  20    aabb.cc00.0003    DYNAMIC     Fa0/4
  20    aabb.cc00.0020    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 5
  
All five devices have been dynamically learned. The switch populated these entries the moment the first frame arrived from each device. Notice all entries show DYNAMIC — they will age out after 300 seconds of inactivity. The FileServer and Printer are critical devices that must not be allowed to age out — they will be converted to static entries in Step 3.

Filter by VLAN

NetsTuts_SW1#show mac address-table vlan 10
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  10    aabb.cc00.0010    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 3
  

Filter by Interface

NetsTuts_SW1#show mac address-table interface FastEthernet0/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0010    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 1
  

Filter by MAC Address

NetsTuts_SW1#show mac address-table address aabb.cc00.0010
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0010    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 1
  
These three filter options let you quickly locate a specific device without reading through the entire table. In a large campus switch with hundreds of entries, filtering by interface or MAC is the fastest way to confirm which port a device is physically connected to — useful when tracing rogue devices or verifying patch panel documentation.

Check the Table Size and Current Count

NetsTuts_SW1#show mac address-table count

Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count  :      3
Static  Address Count  :      0
Total Mac Addresses    :      3

Mac Entries for Vlan 20:
---------------------------
Dynamic Address Count  :      2
Static  Address Count  :      0
Total Mac Addresses    :      2

Total Mac Addresses In Use    :      5
Total Mac Addresses Available :  8192
  
show mac address-table count shows per-VLAN breakdowns and the total table capacity. This Cisco Catalyst switch supports up to 8192 MAC entries. In high-density environments (data centres, large wireless deployments), MAC table exhaustion is a real concern — once the table is full, the switch must flood frames for unknown destinations because it cannot learn new entries.

4. Step 2 — Clearing Dynamic MAC Entries

Clearing MAC entries forces the switch to re-learn all addresses on next frame arrival. This is useful for troubleshooting (after a NIC replacement, VM migration, or port move) and for testing how quickly the table re-populates:

Clear All Dynamic Entries

NetsTuts_SW1#clear mac address-table dynamic
NetsTuts_SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
Total Mac Addresses for this criterion: 0
  
The table is now empty. The switch will flood the next frame for every destination until entries are re-learned. Within seconds of traffic resuming, all five dynamic entries will reappear. Static entries (added in Step 3) would survive this clear — clear mac address-table dynamic only removes dynamic entries.

Clear by VLAN

NetsTuts_SW1#clear mac address-table dynamic vlan 20
  

Clear by Interface

NetsTuts_SW1#clear mac address-table dynamic interface FastEthernet0/4
  

Clear by Specific MAC Address

NetsTuts_SW1#clear mac address-table dynamic address aabb.cc00.0003
  
Clearing by interface is the most targeted approach — use it when a device is moved to a new port and the switch still has the old port→MAC mapping. Until cleared (or aged out), the switch will continue forwarding frames destined for that MAC to the old port, causing the device to appear unreachable on the new port.

5. Step 3 — Configuring Static MAC Address Entries

Static MAC entries bind a specific MAC address permanently to a port and VLAN. They never age out, survive reboots, and provide a basic security control — if the FileServer's MAC (aabb.cc00.0010) is statically bound to Fa0/3 VLAN 10, the switch will not forward frames sourced from that MAC arriving on any other port:

NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Static binding: FileServer on Fa0/3 VLAN 10 ─────────
NetsTuts_SW1(config)#mac address-table static aabb.cc00.0010 vlan 10 interface FastEthernet0/3

! ── Static binding: Printer on Fa0/5 VLAN 20 ────────────
NetsTuts_SW1(config)#mac address-table static aabb.cc00.0020 vlan 20 interface FastEthernet0/5

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
  
These two static entries are now in running-config and, because the wr command above copied it to startup-config, will persist across reboots. The syntax is: mac address-table static [MAC] vlan [VLAN-ID] interface [interface]. The MAC address must be in dotted-triplet format (xxxx.xxxx.xxxx).

Verify Static Entries Appear

NetsTuts_SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  10    aabb.cc00.0010    STATIC      Fa0/3
  20    aabb.cc00.0003    DYNAMIC     Fa0/4
  20    aabb.cc00.0020    STATIC      Fa0/5
Total Mac Addresses for this criterion: 5
  
The FileServer (Fa0/3) and Printer (Fa0/5) entries now show STATIC while PC1, PC2, and PC3 remain DYNAMIC. Now clear all dynamic entries and observe that static entries survive:

Confirm Static Entries Survive a Clear

NetsTuts_SW1#clear mac address-table dynamic
NetsTuts_SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0010    STATIC      Fa0/3
  20    aabb.cc00.0020    STATIC      Fa0/5
Total Mac Addresses for this criterion: 2
  
Only the two static entries remain after the clear. Dynamic entries for PC1, PC2, and PC3 are gone and will be re-learned when those devices next send traffic. The FileServer and Printer are immediately reachable even before they send a frame — the switch already knows which port to forward their traffic to.

Remove a Static Entry

NetsTuts_SW1(config)#no mac address-table static aabb.cc00.0020 vlan 20 interface FastEthernet0/5
  

6. Step 4 — Configuring the MAC Address Aging Timer

The aging timer controls how long a dynamic entry is kept in the MAC table without being refreshed by a new frame from that source. The default is 300 seconds (5 minutes). Every time a frame arrives from a MAC that is already in the table, the aging timer resets. When the timer reaches zero with no refresh, the entry is deleted and the switch must re-learn it:

View the Current Aging Timer

NetsTuts_SW1#show mac address-table aging-time

Global Aging Time:  300

Vlan    Aging Time
----    ----------
  10       300
  20       300
  

Change the Global Aging Timer

NetsTuts_SW1(config)#mac address-table aging-time 120
NetsTuts_SW1(config)#end

NetsTuts_SW1#show mac address-table aging-time

Global Aging Time:  120

Vlan    Aging Time
----    ----------
  10       120
  20       120
  
The aging timer has been reduced from 300 to 120 seconds. This means inactive MAC entries will be flushed after 2 minutes instead of 5. A shorter timer keeps the MAC table cleaner in high-turnover environments (hot-desking offices, conference rooms) but causes more frequent flooding for silently-idle devices like printers and servers — which is why static entries or per-VLAN tuning is recommended for critical devices. The valid range is 0–1000000 seconds.

Set Aging Timer Per VLAN

! ── Set a shorter timer for the Guest VLAN (high-turnover devices)
NetsTuts_SW1(config)#mac address-table aging-time 60 vlan 20

! ── Restore default for the Staff VLAN ───────────────────
NetsTuts_SW1(config)#mac address-table aging-time 300 vlan 10

NetsTuts_SW1#show mac address-table aging-time

Global Aging Time:  120

Vlan    Aging Time
----    ----------
  10       300
  20        60
  
Per-VLAN aging timers override the global setting for that VLAN only. Here VLAN 10 (Staff) retains the standard 300-second timer while VLAN 20 (Guest) uses 60 seconds — guest devices connect briefly and leave, so flushing their entries quickly is appropriate. The global timer still applies to any VLAN without a specific override.

Disable Aging (aging-time 0)

! ── Setting aging-time 0 disables aging — entries never expire
! ── Use with caution — MAC table can fill up over time
NetsTuts_SW1(config)#mac address-table aging-time 0 vlan 10

NetsTuts_SW1#show mac address-table aging-time

Global Aging Time:  120

Vlan    Aging Time
----    ----------
  10         0
  20        60
  
An aging time of 0 disables aging entirely for that scope — dynamic entries in VLAN 10 will never be removed automatically. This is rarely used in production because the MAC table will accumulate stale entries for departed devices over time, eventually causing table exhaustion. It is occasionally used in labs or in static, controlled environments where the switch port population never changes. Always prefer static entries over disabling aging for critical individual devices.

7. Step 5 — Understanding Unicast Flooding & Unknown Unicast

When the destination MAC of an arriving frame is not in the MAC table, the switch has no choice but to flood the frame out all ports in the same VLAN (except the ingress port). This is called unknown unicast flooding and is normal behaviour — but excessive flooding wastes bandwidth and can be a symptom of a problem:

  Common causes of excessive unicast flooding:

  1. MAC table overflow
     └─ Table is full. New MACs cannot be learned.
        All new destinations flood until an old entry ages out.
        Symptoms: high CPU, all ports receive all traffic.
        Fix: reduce aging time, add more capacity, investigate MAC flooding attacks.

  2. Short aging timer
     └─ Low-traffic devices (printers, servers) age out between jobs.
        The next frame from a client is flooded before the server re-learns.
        Fix: increase aging timer or add static entry for the server.

  3. Asymmetric routing
     └─ Traffic returns on a different path than it left.
        The switch learns the source MAC on the return path port —
        but the original port's entry may be stale.
        Fix: ensure symmetric routing or use static entries.

  4. MAC address move / port change
     └─ A device is physically moved to a new port.
        Old MAC → old port entry still exists. New port not yet learned.
        Fix: clear mac address-table dynamic interface [old-port]
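
Causes 1, 2 and 4 above can be reproduced in a small model of the learn/forward logic. This Python simulation is an added example, not Cisco code or part of the original lab: the CamTable class, its method names, port Fa0/6 in VLAN 10 and the 0200.0000.xxxx source MACs are constructed for illustration, and the drop of a statically bound MAC seen on another port follows this page's description.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    kind: str          # "DYNAMIC" or "STATIC"
    last_seen: float   # time of the last frame sourced from this MAC


class CamTable:
    """Toy model of one switch's MAC table (hypothetical, not Cisco code)."""

    def __init__(self, ports, capacity=8192, aging=300):
        self.ports = ports          # {port name: access VLAN}
        self.capacity = capacity    # 8192 on the lab switch
        self.aging = aging          # seconds; 0 disables aging
        self.table = {}             # {(vlan, mac): Entry}

    def add_static(self, mac, vlan, port):
        self.table[(vlan, mac)] = Entry(port, "STATIC", 0.0)

    def clear_dynamic(self, port=None):
        """Model of 'clear mac address-table dynamic [interface X]'."""
        for key, e in list(self.table.items()):
            if e.kind == "DYNAMIC" and port in (None, e.port):
                del self.table[key]

    def _expire(self, now):
        if self.aging == 0:
            return
        for key, e in list(self.table.items()):
            if e.kind == "DYNAMIC" and now - e.last_seen >= self.aging:
                del self.table[key]

    def receive(self, now, in_port, src, dst):
        """Handle one frame and return the sorted list of egress ports."""
        vlan = self.ports[in_port]
        self._expire(now)
        # Source MAC learning.
        entry = self.table.get((vlan, src))
        if entry is None:
            if len(self.table) < self.capacity:   # a full table cannot learn
                self.table[(vlan, src)] = Entry(in_port, "DYNAMIC", now)
        elif entry.kind == "DYNAMIC":
            entry.port, entry.last_seen = in_port, now   # refresh, or follow a move
        elif entry.port != in_port:
            return []   # static MAC on another port: dropped, as this page states
        # Destination forwarding.
        hit = self.table.get((vlan, dst))
        if hit is not None:
            return [] if hit.port == in_port else [hit.port]
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)


PC1, PC2, SERVER = "aabb.cc00.0001", "aabb.cc00.0002", "aabb.cc00.0010"
PORTS = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/6": 10, "Fa0/4": 20, "Fa0/5": 20}


def run_scenarios():
    out = {}
    sw = CamTable(dict(PORTS))
    out["first_frame"] = sw.receive(0, "Fa0/1", PC1, PC2)     # PC2 unknown: flood
    out["reply"] = sw.receive(1, "Fa0/2", PC2, PC1)           # PC1 known: one port
    # Cause 2: the server is learned, then idles past the 300 s aging timer.
    sw.receive(2, "Fa0/3", SERVER, PC1)
    out["server_aged_out"] = sw.receive(310, "Fa0/1", PC1, SERVER)
    sw.add_static(SERVER, 10, "Fa0/3")
    out["server_static"] = sw.receive(1000, "Fa0/1", PC1, SERVER)
    # Cause 4: PC1 is re-patched to Fa0/6 but stays silent; entry still says Fa0/1.
    out["stale_after_move"] = sw.receive(1001, "Fa0/2", PC2, PC1)
    sw.clear_dynamic("Fa0/1")
    out["after_clear"] = sw.receive(1002, "Fa0/2", PC2, PC1)
    sw.receive(1003, "Fa0/6", PC1, PC2)                       # PC1 speaks on Fa0/6
    out["relearned"] = sw.receive(1004, "Fa0/2", PC2, PC1)
    out["static_kind"] = sw.table[(10, SERVER)].kind
    # Cause 1: a 4-entry table already filled by constructed source MACs.
    small = CamTable(dict(PORTS), capacity=4)
    for i in range(4):
        small.receive(0, "Fa0/6", f"0200.0000.{i:04x}", "ffff.ffff.ffff")
    out["full_pc1_to_pc2"] = small.receive(1, "Fa0/1", PC1, PC2)
    out["full_pc2_to_pc1"] = small.receive(2, "Fa0/2", PC2, PC1)
    out["full_size"] = len(small.table)
    return out


if __name__ == "__main__":
    for name, ports in run_scenarios().items():
        print(f"{name:18} {ports}")
```

With the table full, neither PC1 nor PC2 is ever learned, so traffic in both directions keeps flooding until an entry ages out.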
  

Detect Unknown Unicast Flooding with Interface Counters

NetsTuts_SW1#show interfaces FastEthernet0/2 counters
Port          InOctets    InUcastPkts    InMcastPkts    InBcastPkts
Fa0/2          1482930          12043            201            312
Port         OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts
Fa0/2          3241890          31220            201            312
  
If OutUcastPkts is disproportionately high compared to InUcastPkts on a port that connects to an end device (not a trunk), the switch is likely flooding frames onto that port because too many destination MACs are unknown. Compare this to a baseline — a healthy access port should only receive unicast frames specifically destined for the device on that port.

8. Verification

show mac address-table — Full Output

NetsTuts_SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  10    aabb.cc00.0010    STATIC      Fa0/3
  20    aabb.cc00.0003    DYNAMIC     Fa0/4
  20    aabb.cc00.0020    STATIC      Fa0/5
Total Mac Addresses for this criterion: 5
  

show mac address-table static — Static Entries Only

NetsTuts_SW1#show mac address-table static
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0010    STATIC      Fa0/3
  20    aabb.cc00.0020    STATIC      Fa0/5
Total Mac Addresses for this criterion: 2
  

show mac address-table dynamic — Dynamic Entries Only

NetsTuts_SW1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  20    aabb.cc00.0003    DYNAMIC     Fa0/4
Total Mac Addresses for this criterion: 3
  

show running-config | include mac address-table

NetsTuts_SW1#show running-config | include mac address-table
mac address-table aging-time 300 vlan 10
mac address-table aging-time 60 vlan 20
mac address-table static aabb.cc00.0010 vlan 10 interface FastEthernet0/3
mac address-table static aabb.cc00.0020 vlan 20 interface FastEthernet0/5
  
This one-liner confirms every MAC table configuration on the switch at a glance — both static entries and per-VLAN aging timers. Use this to audit the switch before and after configuration changes or to quickly document what is statically defined.

Verification Command Summary

| Command | What It Shows | Primary Use |
|---|---|---|
| show mac address-table | All entries — VLAN, MAC, type (DYNAMIC/STATIC), port | Primary verification — map any device MAC to its physical port |
| show mac address-table vlan [id] | All MAC entries for a specific VLAN only | Isolate a VLAN's MAC population — useful in multi-VLAN environments |
| show mac address-table interface [int] | MAC entries learned on a specific port | Identify which device is connected to a specific port |
| show mac address-table address [mac] | Which port and VLAN a specific MAC address is learned on | Trace a device by its MAC — find rogue devices or confirm port assignment |
| show mac address-table static | Only manually configured static entries | Audit static bindings — confirm critical devices have permanent entries |
| show mac address-table dynamic | Only dynamically learned entries | See what devices are currently active on the network |
| show mac address-table count | Per-VLAN dynamic/static count and total table capacity | Capacity planning — check table utilisation and spot table exhaustion |
| show mac address-table aging-time | Global and per-VLAN aging timer values | Verify aging configuration — check for non-default timers |
| clear mac address-table dynamic | Removes all dynamic entries (static entries survive) | Force re-learning after port moves, NIC changes, or troubleshooting |
| show mac address-table (reference) | Full command reference with all filter options | Detailed command syntax and output explanation |

9. Troubleshooting MAC Address Table Issues

| Problem | Symptom | Cause | Fix |
|---|---|---|---|
| Device unreachable after port move | Device moved from Fa0/1 to Fa0/6 — unreachable for up to 5 minutes | MAC table still maps the device's MAC to Fa0/1 (old port). Traffic is forwarded to the wrong port until the old entry ages out or new frames arrive from Fa0/6 | Run clear mac address-table dynamic interface FastEthernet0/1 to immediately flush the old entry. The switch will re-learn the MAC on Fa0/6 when the device sends its next frame |
| Static entry not taking effect | show mac address-table static shows the entry, but traffic is still flooding | A conflicting dynamic entry for the same MAC exists and is being used. On some platforms, dynamic entries take precedence until cleared | Run clear mac address-table dynamic address [mac] to remove the conflicting dynamic entry. The static entry will then take over forwarding |
| MAC table full — all traffic flooding | show mac address-table count shows total equals available. New devices cause flooding on all ports | MAC table exhaustion — often caused by a MAC flooding attack (attacker sends frames with thousands of spoofed source MACs to fill the table) | Enable Port Security on access ports with a maximum MAC count to prevent one port from flooding the table. Investigate port generating excessive MACs with show mac address-table interface [int] |
| Server intermittently unreachable | Connections to a file server fail briefly every few minutes, then recover | Server is idle between connections — its dynamic MAC entry ages out (default 300s). First frame from a client after aging is flooded until the server's next transmission re-learns its MAC | Add a static MAC entry for the server: mac address-table static [server-mac] vlan [id] interface [port]. This eliminates aging for the server and ensures immediate forwarding without flooding |
| Wrong device on a port after static entry | Static entry points to Fa0/3 but the server is now on Fa0/7 — traffic goes to the empty Fa0/3 | Static entries do not auto-update when a device moves — the old binding persists until manually removed | Remove the old static entry: no mac address-table static [mac] vlan [id] interface FastEthernet0/3. Then add the correct entry for Fa0/7. Verify with show mac address-table static |
| Duplicate MAC on multiple ports | show mac address-table address [mac] returns two different ports for the same MAC | MAC spoofing — a rogue device is broadcasting frames with a cloned MAC address. Or a loop exists and the switch sees the MAC arriving on two paths | Check for physical loops with show spanning-tree. For MAC spoofing, identify the rogue port with show mac address-table address [mac] and investigate. Enable Port Security to restrict which MACs can appear on each port |
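
The "MAC table full" and "Duplicate MAC on multiple ports" rows above can be checked automatically from saved command output. This Python audit is an added example, not part of the original lab: the function names, thresholds and the second (suspect) sample are constructed, and "Total Mac Addresses Available" is read as total capacity, as this page does.

```python
import re
from collections import defaultdict

# One data row of 'show mac address-table': VLAN, MAC, type, port.
ROW = re.compile(
    r"^[ \t]*(\d+)[ \t]+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r"[ \t]+(DYNAMIC|STATIC)[ \t]+(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
# Summary lines of 'show mac address-table count'.
COUNT = re.compile(r"Total Mac Addresses (In Use|Available)\s*:\s*(\d+)")


def parse_table(text):
    return [
        {"vlan": int(v), "mac": m.lower(), "type": t.upper(), "port": p}
        for v, m, t, p in ROW.findall(text)
    ]


def parse_utilisation(text):
    vals = {k: int(n) for k, n in COUNT.findall(text)}
    return vals["In Use"], vals["Available"]


def audit(table_text, count_text, trunk_ports=(), max_per_port=2, util_warn=0.8):
    """Return findings as (check, subject, detail) tuples.

    trunk_ports are skipped for the per-port count because an uplink
    legitimately carries many MACs. Thresholds are assumptions to tune.
    """
    findings = []
    per_port = defaultdict(set)   # port -> dynamic (vlan, mac) pairs
    seen_on = defaultdict(set)    # (vlan, mac) -> ports it appears on
    for e in parse_table(table_text):
        if e["type"] == "DYNAMIC" and e["port"] not in trunk_ports:
            per_port[e["port"]].add((e["vlan"], e["mac"]))
        seen_on[(e["vlan"], e["mac"])].add(e["port"])
    for port, macs in sorted(per_port.items()):
        if len(macs) > max_per_port:
            findings.append(("PORT_MAC_COUNT", port, len(macs)))
    for (vlan, mac), ports in sorted(seen_on.items()):
        if len(ports) > 1:
            findings.append(("MAC_ON_MULTIPLE_PORTS", f"vlan {vlan} {mac}", sorted(ports)))
    in_use, available = parse_utilisation(count_text)
    if in_use >= util_warn * available:
        findings.append(("TABLE_NEAR_FULL", f"{in_use}/{available}",
                         round(in_use / available, 3)))
    return findings


# Output copied from Step 1 of this page (healthy baseline).
PAGE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  10    aabb.cc00.0010    DYNAMIC     Fa0/3
  20    aabb.cc00.0003    DYNAMIC     Fa0/4
  20    aabb.cc00.0020    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 5
"""
PAGE_COUNT = """\
Total Mac Addresses In Use    :      5
Total Mac Addresses Available :  8192
"""

# Constructed sample: many MACs on Fa0/4, one MAC on two ports, table 85% used.
SUSPECT_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aabb.cc00.0001    DYNAMIC     Fa0/1
  10    aabb.cc00.0002    DYNAMIC     Fa0/2
  10    aabb.cc00.0002    DYNAMIC     Fa0/6
  10    aabb.cc00.0010    STATIC      Fa0/3
  20    0200.0000.0001    DYNAMIC     Fa0/4
  20    0200.0000.0002    DYNAMIC     Fa0/4
  20    0200.0000.0003    DYNAMIC     Fa0/4
  20    aabb.cc00.0020    STATIC      Fa0/5
"""
SUSPECT_COUNT = """\
Total Mac Addresses In Use    :   7000
Total Mac Addresses Available :   8192
"""

if __name__ == "__main__":
    for finding in audit(SUSPECT_TABLE, SUSPECT_COUNT):
        print(finding)
```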

Key Points & Exam Tips

  • The MAC address table (CAM table) maps source MAC addresses to the port and VLAN they were learned on. The switch uses it to make unicast forwarding decisions — known destinations get directed forwarding, unknown destinations get flooded out all ports in the same VLAN.
  • Dynamic entries are learned automatically from source MACs of arriving frames. They expire after the aging timer (default 300 seconds) with no activity. Static entries are manually configured, never age out, and survive reboots.
  • Use show mac address-table to map any MAC to its physical port and VLAN — essential for device location tracking, troubleshooting, and network documentation.
  • Filter the output efficiently: show mac address-table vlan [id], show mac address-table interface [int], and show mac address-table address [mac] let you narrow the output to exactly what you need.
  • Configure static entries with mac address-table static [MAC] vlan [id] interface [int]. Always use static entries for critical infrastructure devices (servers, printers, security cameras) to eliminate aging-induced flooding.
  • The default aging timer is 300 seconds. Change it globally with mac address-table aging-time [seconds] or per-VLAN with mac address-table aging-time [seconds] vlan [id]. Setting it to 0 disables aging entirely.
  • clear mac address-table dynamic removes all dynamic entries immediately — static entries survive. Use it after device moves or NIC replacements to force instant re-learning without waiting for aging.
  • MAC table exhaustion causes the switch to flood all unknown unicast frames — identical to hub behaviour. Use Port Security with a per-port MAC limit to prevent a single port from flooding the entire table (MAC flooding attack mitigation). For violation behaviour see Port Security Violation Modes.
  • Static entries provide a basic security control — a MAC bound statically to Fa0/3 VLAN 10 will not be forwarded from any other port. For comprehensive enforcement, combine with Port Security covered in Port Security & Sticky MAC.
  • On the CCNA exam: know the difference between dynamic and static entries, the default aging time (300s), the syntax for adding/removing static entries, and how to read show mac address-table output including what flooding means and when it occurs.

Next Steps: Now that you understand the MAC table, apply Layer 2 security on top with Port Security & Sticky MAC — which uses the MAC table to enforce per-port limits and lock ports to specific devices. To understand how VLANs affect which ports share a MAC table space, revisit VLAN Creation and Management. For the full show mac address-table command reference, see show mac address-table. To see how MAC learning interacts with trunk links between switches, see Trunk Port Configuration (802.1Q).

TEST WHAT YOU LEARNED

1. A switch receives a frame with source MAC aabb.cc00.0005 on Fa0/7 in VLAN 10. The MAC table has no existing entry for this address. What does the switch do with the source MAC?

Correct answer is C. MAC learning is based on the source address of arriving frames — not the destination. Every time a frame arrives on a port, the switch examines the source MAC and adds (or refreshes) an entry mapping that MAC to the ingress port and VLAN. This is how the switch builds its forwarding table passively and automatically, without any protocol exchange. The switch does not flood the source MAC — it floods the frame if the destination MAC is unknown. Source learning and destination flooding are two separate, independent operations performed on every frame.

2. What is the default MAC address aging timer on Cisco Catalyst switches, and what happens when it expires for a dynamic entry?

Correct answer is A. The default aging timer is 300 seconds (5 minutes). Every time a frame arrives from a MAC already in the table, the timer resets to 300 seconds. If 300 seconds pass with no frame from that source, the dynamic entry is deleted. The immediate consequence is that the next frame destined for that MAC will be flooded out all ports in the VLAN — the switch has lost the port mapping and must re-learn it. This is why servers and printers that are occasionally idle can appear intermittently unreachable — the first client request after aging is flooded, causing a brief delay while the server's reply re-teaches the switch which port it is on.

3. A network engineer runs clear mac address-table dynamic. Which entries are removed?

Correct answer is D. The clear mac address-table dynamic command specifically targets only dynamically learned entries — it never removes static entries. Static entries exist in the running-config and are re-installed automatically on reboot; they cannot be removed by a dynamic clear. To remove a static entry you must use the no mac address-table static command in configuration mode. This behaviour is intentional — static entries represent deliberate administrative decisions (critical device bindings) that should not be accidentally wiped by a troubleshooting clear command.

4. What is the correct IOS command to permanently bind MAC address aabb.cc00.0010 to port FastEthernet0/3 in VLAN 10?

Correct answer is B. The command mac address-table static [MAC] vlan [VLAN-ID] interface [interface] is entered in global configuration mode (not interface mode). The full syntax requires all three elements: the MAC address in dotted-triplet format (xxxx.xxxx.xxxx), the VLAN ID, and the interface. Option A is not valid IOS syntax. Option C uses the keyword "permanent" which does not exist in this command. Option D is an ARP static entry command for routers — ARP maps IP to MAC at Layer 3; the MAC address table maps MAC to port at Layer 2. These are separate tables on separate devices.

5. A switch's MAC table is completely full. A new frame arrives with an unknown destination MAC. What does the switch do?

Correct answer is C. A full MAC table causes the switch to behave exactly like a hub — it floods every unknown unicast frame out all ports in the VLAN. This is the mechanism exploited in a MAC flooding attack: an attacker sends frames with thousands of randomly generated source MACs, fills the table with fake entries, and forces the switch to flood all traffic — effectively allowing the attacker's port to receive traffic intended for other devices (a form of passive sniffing). The mitigation is Port Security with a per-port MAC limit, which prevents any single port from contributing more than a defined number of MAC entries to the table.

6. An engineer sets mac address-table aging-time 0. What is the effect?

Correct answer is A. Setting the aging timer to 0 on Cisco IOS disables the aging mechanism — dynamic entries persist indefinitely until manually cleared or the switch is rebooted. This seems beneficial (no re-flooding after idle periods) but creates a long-term problem: as devices are replaced, moved, or decommissioned, their stale dynamic entries remain. Over time on a busy network, the table fills with entries for devices that no longer exist, eventually causing table exhaustion and flooding for new devices. The preferred solution for eliminating aging on specific devices is to use static entries, which are intentional and documented — not disabling aging globally.

7. Which command shows which port a device with MAC aabb.cc00.0002 is connected to?

Correct answer is D. The show mac address-table address [mac] command is the direct way to locate a device by MAC address on a switch. It returns the VLAN and interface where the MAC was seen. This is a common real-world task: a help desk ticket says "device with MAC aabb.cc00.0002 cannot access the network — which port is it on?" — one command gives the answer. Option A is an ARP command for routers (maps IP to MAC, not MAC to port). Option B shows directly connected Cisco devices by device name, not MAC. Option C would search interface descriptions, not the MAC table.

8. A file server is intermittently unreachable. show mac address-table shows its entry as DYNAMIC. What is the most appropriate permanent fix?

Correct answer is B. A static MAC entry is the targeted, correct solution for this problem. It binds the server's MAC permanently to its port without any side effects on other devices. Option A (increasing aging to 24 hours) would reduce the frequency of the problem but not eliminate it — and it means all devices on the switch retain stale entries for 24 hours after departure, potentially wasting table space. Option C (disabling aging) has the same stale-entry problem at a larger scale. Option D (PortFast) addresses STP convergence delays on link-up events, not MAC table aging — it would not help here since the server is already connected and operational between outages.

9. show mac address-table count shows: Dynamic: 8190, Static: 2, Total Available: 8192. What is the immediate network impact?

Correct answer is C. A full MAC table causes unknown unicast flooding for any MAC the switch cannot learn — exactly the same behaviour as when a MAC is simply not yet known. The switch cannot evict dynamic entries to make room (they are evicted only by aging or manual clear). Static entries are never removed automatically. Until dynamic entries age out and free space, new devices connecting to the switch will cause their traffic to flood all ports in the VLAN. This is also the end state of a successful MAC flooding attack. The operational impact is significant: all ports receive all unicast traffic for the affected VLANs, consuming bandwidth and exposing traffic to unintended recipients.

10. A device is moved from Fa0/2 to Fa0/9. The MAC table still shows the MAC on Fa0/2. The device is unreachable on Fa0/9. Without waiting for aging, what is the fastest fix?

Correct answer is A. The targeted fix is to clear only the stale entry on the old port using clear mac address-table dynamic interface FastEthernet0/2. This is precise — it removes only the entries associated with the old port without disrupting the rest of the MAC table. Option B (clear all) works but is unnecessarily disruptive — it causes all devices to flood briefly while re-learning, impacting active sessions. Option C (add a static entry for Fa0/9) does not automatically remove the conflicting dynamic entry on Fa0/2 — both entries would briefly coexist. Option D (shut/no shut Fa0/2) is an indirect workaround that causes a brief outage for any remaining devices on Fa0/2 and does not directly address the stale MAC entry.