MAC Address Table Management
Every Cisco switch maintains a MAC address table — also called the CAM table (Content Addressable Memory) — that maps source MAC addresses to the switch port and VLAN they were learned on. Without this table, a switch would flood every frame out all ports like a hub. With it, a switch can make an intelligent forwarding decision: send a frame only to the port where the destination MAC was last seen.
MAC entries are either dynamic — learned automatically when a frame arrives — or static — manually configured by an administrator to permanently bind a MAC address to a specific port and VLAN. Understanding how to read, configure, and tune the MAC table is a foundational Layer 2 skill for both the CCNA exam and real-world network operations.
Before starting, ensure your switches have VLANs assigned to ports as covered in Assigning VLANs to Switch Ports. For security applications of MAC address tracking, see Port Security & Sticky MAC and Port Security Violation Modes. To view the MAC table from IOS, see show mac address-table and MAC Address Table — How It Works.
1. MAC Address Table — Core Concepts
How the CAM Table Works
When a frame arrives on a switch port, the switch performs two actions simultaneously — one for the source MAC and one for the destination MAC:
Dynamic vs Static MAC Entries
| Property | Dynamic | Static |
|---|---|---|
| How it's added | Automatically learned from arriving frames | Manually configured by administrator |
| Persistence | Lost on reboot or when aging timer expires | Survives reboots (saved in running-config) |
| Aging timer | Default 300 seconds (5 minutes) — resets on each frame | No aging — permanent until manually removed |
| Typical use | All end devices — PCs, phones, servers | Critical servers, printers, security cameras — devices that must always forward to the same port |
| Security benefit | None — any device can cause dynamic learning on any port | Traffic from that MAC only forwards to the specified port — frames from the same MAC on other ports are dropped |
MAC Table Entry States
| State | Description | Shown in show mac address-table |
|---|---|---|
| DYNAMIC | Learned from a source MAC in a received frame. Expires after the aging timer. | DYNAMIC |
| STATIC | Manually configured. Never ages out. Survives reboot. | STATIC |
| SECURE | Added by Port Security (sticky or manually defined). Treated as static under port security rules. | STATIC (with port security active) |
| CPU | Reserved for switch management traffic — maps to the CPU/supervisor. Not a user port. | CPU |
2. Lab Topology & Scenario
This lab uses a single Cisco Catalyst switch (NetsTuts_SW1)
with four devices connected across two VLANs. The objectives are:
observe dynamic MAC learning, configure static MAC bindings for the
server and printer, tune aging timers, and use
show mac address-table to map every device to its port.
| Device | MAC Address | Port | VLAN | Entry Type |
|---|---|---|---|---|
| PC1 | aabb.cc00.0001 |
Fa0/1 | 10 | Dynamic |
| PC2 | aabb.cc00.0002 |
Fa0/2 | 10 | Dynamic |
| FileServer | aabb.cc00.0010 |
Fa0/3 | 10 | Static |
| PC3 | aabb.cc00.0003 |
Fa0/4 | 20 | Dynamic |
| Printer | aabb.cc00.0020 |
Fa0/5 | 20 | Static |
3. Step 1 — Observe Dynamic MAC Learning
After devices send traffic, the switch automatically populates its MAC table.
Use show mac address-table to inspect learned entries before
making any manual changes:
NetsTuts_SW1>en
NetsTuts_SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0001 DYNAMIC Fa0/1
10 aabb.cc00.0002 DYNAMIC Fa0/2
10 aabb.cc00.0010 DYNAMIC Fa0/3
20 aabb.cc00.0003 DYNAMIC Fa0/4
20 aabb.cc00.0020 DYNAMIC Fa0/5
Total Mac Addresses for this criterion: 5
All five devices have been dynamically learned. The switch populated these
entries the moment the first frame arrived from each device. Notice all
entries show
DYNAMIC — they will age out after 300 seconds
of inactivity. The FileServer and Printer are critical devices that must
not be allowed to age out — they will be converted to static entries in
Step 3.
Filter by VLAN
NetsTuts_SW1#show mac address-table vlan 10
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0001 DYNAMIC Fa0/1
10 aabb.cc00.0002 DYNAMIC Fa0/2
10 aabb.cc00.0010 DYNAMIC Fa0/3
Total Mac Addresses for this criterion: 3
Filter by Interface
NetsTuts_SW1#show mac address-table interface FastEthernet0/3
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0010 DYNAMIC Fa0/3
Total Mac Addresses for this criterion: 1
Filter by MAC Address
NetsTuts_SW1#show mac address-table address aabb.cc00.0010
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0010 DYNAMIC Fa0/3
Total Mac Addresses for this criterion: 1
These three filter options let you quickly locate a specific device
without reading through the entire table. In a large campus switch with
hundreds of entries, filtering by interface or MAC is the fastest way
to confirm which port a device is physically connected to — useful
when tracing rogue devices or verifying patch panel documentation.
Check the Table Size and Current Count
NetsTuts_SW1#show mac address-table count Mac Entries for Vlan 10: --------------------------- Dynamic Address Count : 3 Static Address Count : 0 Total Mac Addresses : 3 Mac Entries for Vlan 20: --------------------------- Dynamic Address Count : 2 Static Address Count : 0 Total Mac Addresses : 2 Total Mac Addresses In Use : 5 Total Mac Addresses Available : 8192
show mac address-table count shows per-VLAN breakdowns and
the total table capacity. This Cisco Catalyst switch supports up to 8192
MAC entries. In high-density environments (data centres, large wireless
deployments), MAC table exhaustion is a real concern — once the table is
full, the switch must flood frames for unknown destinations because it
cannot learn new entries.
4. Step 2 — Clearing Dynamic MAC Entries
Clearing MAC entries forces the switch to re-learn all addresses on next frame arrival. This is useful for troubleshooting (after a NIC replacement, VM migration, or port move) and for testing how quickly the table re-populates:
Clear All Dynamic Entries
NetsTuts_SW1#clear mac address-table dynamic
NetsTuts_SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Total Mac Addresses for this criterion: 0
The table is now empty. The switch will flood the next frame for every
destination until entries are re-learned. Within seconds of traffic
resuming, all five dynamic entries will reappear. Static entries (added
in Step 3) would survive this clear —
clear mac address-table dynamic
only removes dynamic entries.
Clear by VLAN
NetsTuts_SW1#clear mac address-table dynamic vlan 20
Clear by Interface
NetsTuts_SW1#clear mac address-table dynamic interface FastEthernet0/4
Clear by Specific MAC Address
NetsTuts_SW1#clear mac address-table dynamic address aabb.cc00.0003
Clearing by interface is the most targeted approach — use it when a device
is moved to a new port and the switch still has the old port→MAC mapping.
Until cleared (or aged out), the switch will continue forwarding frames
destined for that MAC to the old port, causing the device to appear
unreachable on the new port.
5. Step 3 — Configuring Static MAC Address Entries
Static MAC entries bind a specific MAC address permanently to a port and VLAN. They never age out, survive reboots, and provide a basic security control — if the FileServer's MAC (aabb.cc00.0010) is statically bound to Fa0/3 VLAN 10, the switch will not forward frames sourced from that MAC arriving on any other port:
NetsTuts_SW1#conf t Enter configuration commands, one per line. End with CNTL/Z. ! ── Static binding: FileServer on Fa0/3 VLAN 10 ───────── NetsTuts_SW1(config)#mac address-table static aabb.cc00.0010 vlan 10 interface FastEthernet0/3 ! ── Static binding: Printer on Fa0/5 VLAN 20 ──────────── NetsTuts_SW1(config)#mac address-table static aabb.cc00.0020 vlan 20 interface FastEthernet0/5 NetsTuts_SW1(config)#end NetsTuts_SW1#wr Building configuration... [OK]
These two static entries are now saved in running-config and will persist
across reboots. The syntax is:
mac address-table static [MAC] vlan [VLAN-ID] interface [interface].
The MAC address must be in dotted-triplet format (xxxx.xxxx.xxxx).
Verify Static Entries Appear
NetsTuts_SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0001 DYNAMIC Fa0/1
10 aabb.cc00.0002 DYNAMIC Fa0/2
10 aabb.cc00.0010 STATIC Fa0/3
20 aabb.cc00.0003 DYNAMIC Fa0/4
20 aabb.cc00.0020 STATIC Fa0/5
Total Mac Addresses for this criterion: 5
The FileServer (Fa0/3) and Printer (Fa0/5) entries now show
STATIC while PC1, PC2, and PC3 remain DYNAMIC.
Now clear all dynamic entries and observe that static entries survive:
Confirm Static Entries Survive a Clear
NetsTuts_SW1#clear mac address-table dynamic
NetsTuts_SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0010 STATIC Fa0/3
20 aabb.cc00.0020 STATIC Fa0/5
Total Mac Addresses for this criterion: 2
Only the two static entries remain after the clear. Dynamic entries for
PC1, PC2, and PC3 are gone and will be re-learned when those devices
next send traffic. The FileServer and Printer are immediately reachable
even before they send a frame — the switch already knows which port to
forward their traffic to.
Remove a Static Entry
NetsTuts_SW1(config)#no mac address-table static aabb.cc00.0020 vlan 20 interface FastEthernet0/5
6. Step 4 — Configuring the MAC Address Aging Timer
The aging timer controls how long a dynamic entry is kept in the MAC table without being refreshed by a new frame from that source. The default is 300 seconds (5 minutes). Every time a frame arrives from a MAC that is already in the table, the aging timer resets. When the timer reaches zero with no refresh, the entry is deleted and the switch must re-learn it:
View the Current Aging Timer
NetsTuts_SW1#show mac address-table aging-time Global Aging Time: 300 Vlan Aging Time ---- ---------- 10 300 20 300
Change the Global Aging Timer
NetsTuts_SW1(config)#mac address-table aging-time 120 NetsTuts_SW1(config)#end NetsTuts_SW1#show mac address-table aging-time Global Aging Time: 120 Vlan Aging Time ---- ---------- 10 120 20 120
The aging timer has been reduced from 300 to 120 seconds. This means
inactive MAC entries will be flushed after 2 minutes instead of 5.
A shorter timer keeps the MAC table cleaner in high-turnover environments
(hot-desking offices, conference rooms) but causes more frequent flooding
for silently-idle devices like printers and servers — which is why
static entries or per-VLAN tuning is recommended for critical devices.
The valid range is 0–1000000 seconds.
Set Aging Timer Per VLAN
! ── Set a shorter timer for the Guest VLAN (high-turnover devices) NetsTuts_SW1(config)#mac address-table aging-time 60 vlan 20 ! ── Restore default for the Staff VLAN ─────────────────── NetsTuts_SW1(config)#mac address-table aging-time 300 vlan 10 NetsTuts_SW1#show mac address-table aging-time Global Aging Time: 120 Vlan Aging Time ---- ---------- 10 300 20 60
Per-VLAN aging timers override the global setting for that VLAN only.
Here VLAN 10 (Staff) retains the standard 300-second timer while
VLAN 20 (Guest) uses 60 seconds — guest devices connect briefly and
leave, so flushing their entries quickly is appropriate. The global
timer still applies to any VLAN without a specific override.
Disable Aging (aging-time 0)
! ── Setting aging-time 0 disables aging — entries never expire ! ── Use with caution — MAC table can fill up over time NetsTuts_SW1(config)#mac address-table aging-time 0 vlan 10 NetsTuts_SW1#show mac address-table aging-time Global Aging Time: 120 Vlan Aging Time ---- ---------- 10 0 20 60
An aging time of 0 disables aging entirely for that scope —
dynamic entries in VLAN 10 will never be removed automatically. This is
rarely used in production because the MAC table will accumulate stale
entries for departed devices over time, eventually causing table exhaustion.
It is occasionally used in labs or in static, controlled environments where
the switch port population never changes. Always prefer static entries
over disabling aging for critical individual devices.
7. Step 5 — Understanding Unicast Flooding & Unknown Unicast
When the destination MAC of an arriving frame is not in the MAC table, the switch has no choice but to flood the frame out all ports in the same VLAN (except the ingress port). This is called unknown unicast flooding and is normal behaviour — but excessive flooding wastes bandwidth and can be a symptom of a problem:
Common causes of excessive unicast flooding:
1. MAC table overflow
└─ Table is full. New MACs cannot be learned.
All new destinations flood until an old entry ages out.
Symptoms: high CPU, all ports receive all traffic.
Fix: reduce aging time, add more capacity, investigate MAC flooding attacks.
2. Short aging timer
└─ Low-traffic devices (printers, servers) age out between jobs.
The next frame from a client is flooded before the server re-learns.
Fix: increase aging timer or add static entry for the server.
3. Asymmetric routing
└─ Traffic returns on a different path than it left.
The switch learns the source MAC on the return path port —
but the original port's entry may be stale.
Fix: ensure symmetric routing or use static entries.
4. MAC address move / port change
└─ A device is physically moved to a new port.
Old MAC → old port entry still exists. New port not yet learned.
Fix: clear mac address-table dynamic interface [old-port]
Detect Unknown Unicast Flooding with Interface Counters
NetsTuts_SW1#show interfaces FastEthernet0/2 counters Port InOctets InUcastPkts InMcastPkts InBcastPkts Fa0/2 1482930 12043 201 312 Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts Fa0/2 3241890 31220 201 312
If
OutUcastPkts is disproportionately high compared to
InUcastPkts on a port that connects to an end device
(not a trunk), the switch is likely flooding frames onto that port
because too many destination MACs are unknown. Compare this to a
baseline — a healthy access port should only receive unicast frames
specifically destined for the device on that port.
8. Verification
show mac address-table — Full Output
NetsTuts_SW1#show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0001 DYNAMIC Fa0/1
10 aabb.cc00.0002 DYNAMIC Fa0/2
10 aabb.cc00.0010 STATIC Fa0/3
20 aabb.cc00.0003 DYNAMIC Fa0/4
20 aabb.cc00.0020 STATIC Fa0/5
Total Mac Addresses for this criterion: 5
show mac address-table static — Static Entries Only
NetsTuts_SW1#show mac address-table static
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0010 STATIC Fa0/3
20 aabb.cc00.0020 STATIC Fa0/5
Total Mac Addresses for this criterion: 2
show mac address-table dynamic — Dynamic Entries Only
NetsTuts_SW1#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 aabb.cc00.0001 DYNAMIC Fa0/1
10 aabb.cc00.0002 DYNAMIC Fa0/2
20 aabb.cc00.0003 DYNAMIC Fa0/4
Total Mac Addresses for this criterion: 3
show running-config | include mac address-table
NetsTuts_SW1#show running-config | include mac address-table mac address-table aging-time 300 vlan 10 mac address-table aging-time 60 vlan 20 mac address-table static aabb.cc00.0010 vlan 10 interface FastEthernet0/3 mac address-table static aabb.cc00.0020 vlan 20 interface FastEthernet0/5
This one-liner confirms every MAC table configuration on the switch at a
glance — both static entries and per-VLAN aging timers. Use this to
audit the switch before and after configuration changes or to quickly
document what is statically defined.
Verification Command Summary
| Command | What It Shows | Primary Use |
|---|---|---|
show mac address-table |
All entries — VLAN, MAC, type (DYNAMIC/STATIC), port | Primary verification — map any device MAC to its physical port |
show mac address-table vlan [id] |
All MAC entries for a specific VLAN only | Isolate a VLAN's MAC population — useful in multi-VLAN environments |
show mac address-table interface [int] |
MAC entries learned on a specific port | Identify which device is connected to a specific port |
show mac address-table address [mac] |
Which port and VLAN a specific MAC address is learned on | Trace a device by its MAC — find rogue devices or confirm port assignment |
show mac address-table static |
Only manually configured static entries | Audit static bindings — confirm critical devices have permanent entries |
show mac address-table dynamic |
Only dynamically learned entries | See what devices are currently active on the network |
show mac address-table count |
Per-VLAN dynamic/static count and total table capacity | Capacity planning — check table utilisation and spot table exhaustion |
show mac address-table aging-time |
Global and per-VLAN aging timer values | Verify aging configuration — check for non-default timers |
clear mac address-table dynamic |
Removes all dynamic entries (static entries survive) | Force re-learning after port moves, NIC changes, or troubleshooting |
show mac address-table (reference) |
Full command reference with all filter options | Detailed command syntax and output explanation |
9. Troubleshooting MAC Address Table Issues
| Problem | Symptom | Cause | Fix |
|---|---|---|---|
| Device unreachable after port move | Device moved from Fa0/1 to Fa0/6 — unreachable for up to 5 minutes | MAC table still maps the device's MAC to Fa0/1 (old port). Traffic is forwarded to the wrong port until the old entry ages out or new frames arrive from Fa0/6 | Run clear mac address-table dynamic interface FastEthernet0/1 to immediately flush the old entry. The switch will re-learn the MAC on Fa0/6 when the device sends its next frame |
| Static entry not taking effect | show mac address-table static shows the entry, but traffic is still flooding |
A conflicting dynamic entry for the same MAC exists and is being used. On some platforms, dynamic entries take precedence until cleared | Run clear mac address-table dynamic address [mac] to remove the conflicting dynamic entry. The static entry will then take over forwarding |
| MAC table full — all traffic flooding | show mac address-table count shows total equals available. New devices cause flooding on all ports |
MAC table exhaustion — often caused by a MAC flooding attack (attacker sends frames with thousands of spoofed source MACs to fill the table) | Enable Port Security on access ports with a maximum MAC count to prevent one port from flooding the table. Investigate port generating excessive MACs with show mac address-table interface [int] |
| Server intermittently unreachable | Connections to a file server fail briefly every few minutes, then recover | Server is idle between connections — its dynamic MAC entry ages out (default 300s). First frame from a client after aging is flooded until the server's next transmission re-learns its MAC | Add a static MAC entry for the server: mac address-table static [server-mac] vlan [id] interface [port]. This eliminates aging for the server and ensures immediate forwarding without flooding |
| Wrong device on a port after static entry | Static entry points to Fa0/3 but the server is now on Fa0/7 — traffic goes to the empty Fa0/3 | Static entries do not auto-update when a device moves — the old binding persists until manually removed | Remove the old static entry: no mac address-table static [mac] vlan [id] interface FastEthernet0/3. Then add the correct entry for Fa0/7. Verify with show mac address-table static |
| Duplicate MAC on multiple ports | show mac address-table address [mac] returns two different ports for the same MAC |
MAC spoofing — a rogue device is broadcasting frames with a cloned MAC address. Or a loop exists and the switch sees the MAC arriving on two paths | Check for physical loops with show spanning-tree. For MAC spoofing, identify the rogue port with show mac address-table address [mac] and investigate. Enable Port Security to restrict which MACs can appear on each port |
Key Points & Exam Tips
- The MAC address table (CAM table) maps source MAC addresses to the port and VLAN they were learned on. The switch uses it to make unicast forwarding decisions — known destinations get directed forwarding, unknown destinations get flooded out all ports in the same VLAN.
- Dynamic entries are learned automatically from source MACs of arriving frames. They expire after the aging timer (default 300 seconds) with no activity. Static entries are manually configured, never age out, and survive reboots.
- Use
show mac address-tableto map any MAC to its physical port and VLAN — essential for device location tracking, troubleshooting, and network documentation. - Filter the output efficiently:
show mac address-table vlan [id],show mac address-table interface [int], andshow mac address-table address [mac]let you narrow the output to exactly what you need. - Configure static entries with
mac address-table static [MAC] vlan [id] interface [int]. Always use static entries for critical infrastructure devices (servers, printers, security cameras) to eliminate aging-induced flooding. - The default aging timer is 300 seconds. Change it globally with
mac address-table aging-time [seconds]or per-VLAN withmac address-table aging-time [seconds] vlan [id]. Setting it to 0 disables aging entirely. clear mac address-table dynamicremoves all dynamic entries immediately — static entries survive. Use it after device moves or NIC replacements to force instant re-learning without waiting for aging.- MAC table exhaustion causes the switch to flood all unknown unicast frames — identical to hub behaviour. Use Port Security with a per-port MAC limit to prevent a single port from flooding the entire table (MAC flooding attack mitigation). For violation behaviour see Port Security Violation Modes.
- Static entries provide a basic security control — a MAC bound statically to Fa0/3 VLAN 10 will not be forwarded from any other port. For comprehensive enforcement, combine with Port Security covered in Port Security & Sticky MAC.
- On the CCNA exam: know the difference between dynamic and static entries, the default aging time (300s), the syntax for adding/removing static entries, and how to read
show mac address-tableoutput including what flooding means and when it occurs.
Next Steps: Now that you understand the MAC table, apply
Layer 2 security on top with
Port Security & Sticky MAC
— which uses the MAC table to enforce per-port limits and lock ports to
specific devices. To understand how VLANs affect which ports share a MAC
table space, revisit
VLAN Creation and Management.
For the full
show mac address-table command reference,
see show mac address-table.
To see how MAC learning interacts with trunk links between switches, see
Trunk Port Configuration (802.1Q).
TEST WHAT YOU LEARNED
A switch receives a frame with source MAC aabb.cc00.0005 on Fa0/7 in VLAN 10. The MAC table has no existing entry for this address. What does the switch do with the source MAC?
Correct answer is C. MAC learning is based on the source address of arriving frames — not the destination. Every time a frame arrives on a port, the switch examines the source MAC and adds (or refreshes) an entry mapping that MAC to the ingress port and VLAN. This is how the switch builds its forwarding table passively and automatically, without any protocol exchange. The switch does not flood the source MAC — it floods the frame if the destination MAC is unknown. Source learning and destination flooding are two separate, independent operations performed on every frame.
What is the default MAC address aging timer on Cisco Catalyst switches, and what happens when it expires for a dynamic entry?
Correct answer is A. The default aging timer is 300 seconds (5 minutes). Every time a frame arrives from a MAC already in the table, the timer resets to 300 seconds. If 300 seconds pass with no frame from that source, the dynamic entry is deleted. The immediate consequence is that the next frame destined for that MAC will be flooded out all ports in the VLAN — the switch has lost the port mapping and must re-learn it. This is why servers and printers that are occasionally idle can appear intermittently unreachable — the first client request after aging is flooded, causing a brief delay while the server's reply re-teaches the switch which port it is on.
A network engineer runs clear mac address-table dynamic. Which entries are removed?
Correct answer is D. The
clear mac address-table dynamic command specifically targets only dynamically learned entries — it never removes static entries. Static entries exist in the running-config and are re-installed automatically on reboot; they cannot be removed by a dynamic clear. To remove a static entry you must use the no mac address-table static command in configuration mode. This behaviour is intentional — static entries represent deliberate administrative decisions (critical device bindings) that should not be accidentally wiped by a troubleshooting clear command.What is the correct IOS command to permanently bind MAC address aabb.cc00.0010 to port FastEthernet0/3 in VLAN 10?
Correct answer is B. The command
mac address-table static [MAC] vlan [VLAN-ID] interface [interface] is entered in global configuration mode (not interface mode). The full syntax requires all three elements: the MAC address in dotted-triplet format (xxxx.xxxx.xxxx), the VLAN ID, and the interface. Option A is not valid IOS syntax. Option C uses the keyword "permanent" which does not exist in this command. Option D is an ARP static entry command for routers — ARP maps IP to MAC at Layer 3; the MAC address table maps MAC to port at Layer 2. These are separate tables on separate devices.A switch's MAC table is completely full. A new frame arrives with an unknown destination MAC. What does the switch do?
Correct answer is C. A full MAC table causes the switch to behave exactly like a hub — it floods every unknown unicast frame out all ports in the VLAN. This is the mechanism exploited in a MAC flooding attack: an attacker sends frames with thousands of randomly generated source MACs, fills the table with fake entries, and forces the switch to flood all traffic — effectively allowing the attacker's port to receive traffic intended for other devices (a form of passive sniffing). The mitigation is Port Security with a per-port MAC limit, which prevents any single port from contributing more than a defined number of MAC entries to the table.
An engineer sets mac address-table aging-time 0. What is the effect?
Correct answer is A. Setting the aging timer to 0 on Cisco IOS disables the aging mechanism — dynamic entries persist indefinitely until manually cleared or the switch is rebooted. This seems beneficial (no re-flooding after idle periods) but creates a long-term problem: as devices are replaced, moved, or decommissioned, their stale dynamic entries remain. Over time on a busy network, the table fills with entries for devices that no longer exist, eventually causing table exhaustion and flooding for new devices. The preferred solution for eliminating aging on specific devices is to use static entries, which are intentional and documented — not disabling aging globally.
Which command shows which port a device with MAC aabb.cc00.0002 is connected to?
Correct answer is D. The
show mac address-table address [mac] command is the direct way to locate a device by MAC address on a switch. It returns the VLAN and interface where the MAC was seen. This is a common real-world task: a help desk ticket says "device with MAC aabb.cc00.0002 cannot access the network — which port is it on?" — one command gives the answer. Option A is an ARP command for routers (maps IP to MAC, not MAC to port). Option B shows directly connected Cisco devices by device name, not MAC. Option C would search interface descriptions, not the MAC table.A file server is intermittently unreachable. show mac address-table shows its entry as DYNAMIC. What is the most appropriate permanent fix?
Correct answer is B. A static MAC entry is the targeted, correct solution for this problem. It binds the server's MAC permanently to its port without any side effects on other devices. Option A (increasing aging to 24 hours) would reduce the frequency of the problem but not eliminate it — and it means all devices on the switch retain stale entries for 24 hours after departure, potentially wasting table space. Option C (disabling aging) has the same stale-entry problem at a larger scale. Option D (PortFast) addresses STP convergence delays on link-up events, not MAC table aging — it would not help here since the server is already connected and operational between outages.
show mac address-table count shows: Dynamic: 8190, Static: 2, Total Available: 8192. What is the immediate network impact?
Correct answer is C. A full MAC table causes unknown unicast flooding for any MAC the switch cannot learn — exactly the same behaviour as when a MAC is simply not yet known. The switch cannot evict dynamic entries to make room (they are evicted only by aging or manual clear). Static entries are never removed automatically. Until dynamic entries age out and free space, new devices connecting to the switch will cause their traffic to flood all ports in the VLAN. This is also the end state of a successful MAC flooding attack. The operational impact is significant: all ports receive all unicast traffic for the affected VLANs, consuming bandwidth and exposing traffic to unintended recipients.
A device is moved from Fa0/2 to Fa0/9. The MAC table still shows the MAC on Fa0/2. The device is unreachable on Fa0/9. Without waiting for aging, what is the fastest fix?
Correct answer is A. The targeted fix is to clear only the stale entry on the old port using
clear mac address-table dynamic interface FastEthernet0/2. This is precise — it removes only the entries associated with the old port without disrupting the rest of the MAC table. Option B (clear all) works but is unnecessarily disruptive — it causes all devices to flood briefly while re-learning, impacting active sessions. Option C (add a static entry for Fa0/9) does not automatically remove the conflicting dynamic entry on Fa0/2 — both entries would briefly coexist. Option D (shut/no shut Fa0/2) is an indirect workaround that causes a brief outage for any remaining devices on Fa0/2 and does not directly address the stale MAC entry.Related Topics & Step-by-Step Tutorials
Related concepts and next steps:
- CAM Table – MAC Address Table Explained — CAM table — learning, aging, overflow attacks
- MAC Address Table (CAM Table) – Structure, Learning,… — show mac address-table command output
- MAC Address – Format, Types, and Role in Layer 2 Net… — MAC address structure and types
- Frame Forwarding — how switches use the MAC table to forward frames
- VLAN Creation and Management
- Port Security & Sticky MAC Configuration
- SPAN & RSPAN — Port Mirroring