Frame Forwarding – Concepts, Methods, and Best Practices

1. What Is Frame Forwarding?

Frame forwarding is the method by which a Layer 2 switch decides where to send an incoming Ethernet frame. It is a core switch function that enables devices on a network to communicate efficiently. Every time a frame arrives on a switch port, the switch must make a forwarding decision — send it to a specific port, send it everywhere, or drop it.

Proper frame forwarding maximises bandwidth, minimises unnecessary traffic, and is essential for reliable and secure LAN connectivity. Understanding it is fundamental to the CCNA and to real-world network engineering.

  Host A            Host B            Host C
  Port 1            Port 4            Port 7
    │                 │                 │
  ──┴─────────────────┴─────────────────┴──
               LAYER 2 SWITCH
          (MAC Address Table lookup)
  ──────────────────────────────────────────
   MAC_A → Port 1 │ MAC_B → Port 4 │ ...

Related pages: VLANs | VLAN Tagging (802.1Q) | Spanning Tree Protocol | OSI Model | Port Security | Firewalls | Applying ACLs

2. Forwarding vs Flooding — Key Distinction

A switch can handle an incoming frame in two fundamentally different ways. Knowing when each applies is critical for understanding switch behaviour.

Behaviour  | When It Occurs                                          | What the Switch Does
-----------|---------------------------------------------------------|-------------------------------------------------------------------------
Forwarding | Destination MAC is known (unicast, found in MAC table)  | Delivers the frame only to the single port mapped to that MAC address
Flooding   | Broadcast frame, unknown unicast, or default multicast  | Sends the frame to all ports in the VLAN except the incoming source port

Flooding is used for three specific frame types:

  • Broadcast frames — destination MAC is FF:FF:FF:FF:FF:FF
  • Unknown unicast frames — destination MAC is not yet in the MAC address table
  • Multicast frames — address range 01:00:5E:xx:xx:xx, unless IGMP snooping is active for selective delivery

3. Layer 2 Ethernet Frame Structure

The switch makes its forwarding decision based entirely on the Destination MAC field in the Ethernet frame header. The IP addresses inside the payload are invisible to a pure Layer 2 switch.

Field              | Size          | Purpose
-------------------|---------------|------------------------------------------------------------------------------------------
Destination MAC    | 6 bytes       | Identifies the receiving device — the switch uses this for the forwarding decision
Source MAC         | 6 bytes       | Identifies the sending device — the switch learns this MAC and records the incoming port
EtherType / Length | 2 bytes       | Indicates the Layer 3 protocol (e.g., 0x0800 = IPv4, 0x86DD = IPv6)
Payload (Data)     | 46–1500 bytes | Encapsulated upper-layer data (IP packet, ARP, etc.)
FCS (CRC)          | 4 bytes       | Frame Check Sequence — error detection; store-and-forward checks this before forwarding

Example: A frame from 00:11:22:33:44:55 (source) destined for AA:BB:CC:DD:EE:FF (destination). The switch looks up AA:BB:CC:DD:EE:FF in its MAC table and forwards or floods accordingly.

4. Switching Methods

A switch can use one of three methods to decide when to start forwarding a frame after it begins to arrive on a port. The choice involves a trade-off between latency and error detection.

Method            | How It Works                                                              | Latency | Error Checking                                   | Use Case
------------------|---------------------------------------------------------------------------|---------|--------------------------------------------------|--------------------------------------------------------
Store-and-Forward | Buffers the entire frame, verifies the FCS, then forwards                 | Highest | Full CRC check — corrupted frames are dropped    | Default on most modern Cisco switches; required for QoS
Cut-Through       | Begins forwarding as soon as the destination MAC (first 6 bytes) is read  | Lowest  | None — errored frames may be forwarded           | Low-latency environments (HPC, financial trading)
Fragment-Free     | Waits for the first 64 bytes before forwarding                            | Medium  | Catches collision fragments (runts < 64 bytes)   | Compromise between speed and minimal error filtering

  Store-and-Forward:  [──── entire frame ────] → FCS OK? → Forward
  Cut-Through:        [Dest MAC] → Forward immediately (no FCS wait)
  Fragment-Free:      [── 64 bytes ──] → Forward (runts filtered)
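
As an added example (not code from the original page), the following Python builds and parses a frame with the layout from Section 3 and then models the decision each of the three switching methods reaches on the same bytes. The FCS is computed with zlib.crc32 and stored little-endian, which is assumed here to match the IEEE 802.3 byte order; the multicast test uses the I/G bit (low bit of the first destination octet), which generalises the 01:00:5E and 33:33 prefixes named on the page. The function names and the sample frame are constructed for this example.

```python
"""Ethernet frame build/parse and switching-method model (added example, not page code)."""
import struct
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")
MIN_FRAME = 64   # minimum Ethernet frame size including FCS; anything shorter is a runt


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def classify(dst: bytes) -> str:
    """Broadcast, multicast (I/G bit set in the first octet) or unicast destination."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"    # covers the 01:00:5E (IPv4) and 33:33 (IPv6) prefixes
    return "unicast"


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame: 14-byte header, payload padded to 46 bytes, CRC-32 FCS."""
    header = (bytes.fromhex(dst.replace(":", ""))
              + bytes.fromhex(src.replace(":", ""))
              + struct.pack("!H", ethertype))
    body = payload + b"\x00" * max(0, 46 - len(payload))
    # Assumption: FCS = zlib.crc32 over header+body, stored little-endian as on the wire.
    fcs = struct.pack("<I", zlib.crc32(header + body) & 0xFFFFFFFF)
    return header + body + fcs


def parse_frame(raw: bytes) -> dict:
    """Split a received frame into the fields from the Section 3 table and check its FCS."""
    if len(raw) < 14 + 4:
        raise ValueError("frame too short to hold a header and FCS")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    (sent_fcs,) = struct.unpack("<I", raw[-4:])
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "ethertype": ethertype,
        "payload": raw[14:-4],
        "fcs_ok": sent_fcs == (zlib.crc32(raw[:-4]) & 0xFFFFFFFF),
        "kind": classify(dst),
    }


def would_forward(raw: bytes, method: str) -> bool:
    """Decision each switching method reaches, given the bytes that actually arrived."""
    if method == "cut-through":
        return True                        # decides on the destination MAC alone, never waits for the FCS
    if method == "fragment-free":
        return len(raw) >= MIN_FRAME       # drops runts, but still never checks the FCS
    if method == "store-and-forward":
        return len(raw) >= MIN_FRAME and parse_frame(raw)["fcs_ok"]
    raise ValueError(f"unknown switching method: {method}")


if __name__ == "__main__":
    good = build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", 0x0800, b"constructed payload")
    corrupt = good[:30] + bytes([good[30] ^ 0x01]) + good[31:]   # one flipped bit in the payload
    runt = good[:40]                                              # collision fragment, no valid FCS
    methods = ("store-and-forward", "cut-through", "fragment-free")
    for label, frame in (("good", good), ("corrupt", corrupt), ("runt", runt)):
        decisions = {m: would_forward(frame, m) for m in methods}
        print(f"{label:8} {parse_frame(frame)['kind']:9} {decisions}")
```

Running the file shows a good frame, a corrupted copy and a runt as each method sees them: store-and-forward is the only one that refuses the corrupted frame, fragment-free only catches the runt, and cut-through forwards both, which is the trade-off the table above describes.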

5. MAC Address Table — The Core of Frame Forwarding

The MAC address table (also called the CAM table) is the switch's internal database mapping each known MAC address to the port it was learned on, scoped within a VLAN. It is built dynamically as frames arrive.

MAC learning process: When a frame arrives, the switch reads the source MAC address and records it against the incoming port and VLAN. This is how the table is populated — purely passively, from observed traffic.

Forwarding decision: The switch then looks up the destination MAC address in the table:

  • Found: Frame is forwarded only to the mapped port (unicast forwarding).
  • Not found: Frame is flooded to all ports in the VLAN except the source port (unknown unicast flooding).

  Incoming frame → Source MAC learned → Destination MAC lookup
                                              │
                              ┌───────────────┴────────────────┐
                         MAC found                         MAC not found
                              │                                 │
                    Forward to that port              Flood to all VLAN ports
                                                      (except source port)

MAC table entries have an ageing timer (default 300 seconds on Cisco switches). If no frame is seen from a MAC within that window, the entry is removed to keep the table current.

Useful command: show mac address-table — displays all current MAC-to-port mappings, including VLAN, type (dynamic/static), and port.

6. Unicast Frame Forwarding

A unicast frame is destined for a single specific device. This is the most common and efficient type of forwarding — the frame travels only between the source and destination ports.

  Host A (Port 1)  ──→  Switch  ──→  Host B (Port 4)
  Src: MAC_A             │           Dst: MAC_B
                   MAC table:
                   MAC_B → Port 4   ✓ Forward to Port 4 only

If Host A sends a frame to Host B and the switch already knows that MAC_B is on Port 4, the frame is forwarded exclusively to Port 4. Hosts on Ports 2, 3, 5, 6, and 7 never see it — this is the efficiency advantage of switching over older hub-based networks.

7. Broadcast and Multicast Frame Handling

Not all frames are destined for a single device. Broadcasts and multicasts are handled differently because no single port can be the "correct" destination.

Frame Type | Destination MAC                                        | Switch Behaviour                                                              | Example Use
-----------|--------------------------------------------------------|-------------------------------------------------------------------------------|------------------------------------------------------
Broadcast  | FF:FF:FF:FF:FF:FF                                      | Flooded to all ports in the VLAN except the source port — always              | ARP requests, DHCP Discover
Multicast  | 01:00:5E:xx:xx:xx (IPv4) or 33:33:xx:xx:xx:xx (IPv6)   | Flooded by default; selectively forwarded only if IGMP snooping is enabled    | Streaming video, routing protocol hellos (OSPF, EIGRP)

IGMP Snooping allows a switch to listen to IGMP membership messages and build a table of which ports have subscribed to which multicast groups, enabling selective forwarding instead of flooding — a significant bandwidth saving in multicast-heavy environments.

8. Unknown Unicast Handling

An unknown unicast frame has a destination MAC that is not in the switch's MAC address table. This typically occurs when:

  • A device has just joined the network and has never sent a frame (so the switch has never learned its MAC).
  • The MAC table entry has aged out.
  • The MAC table has overflowed (a security concern — see Section 14).

  Frame arrives → Dest MAC lookup → NOT FOUND
                                        │
                          Flood to ALL ports in VLAN
                          (except source port)
                                        │
                          Destination device receives frame
                          and sends a reply
                                        │
                          Switch learns Dest MAC → Port mapping
                          Next unicast forwarded directly ✓

This self-healing behaviour means the MAC table fills itself in naturally through normal traffic. In a stable network, flooding of unknown unicasts diminishes quickly as all active MACs become known.

9. Frame Forwarding and VLANs

VLANs add an important scoping dimension to frame forwarding. A switch does not maintain one global MAC table — it maintains a separate MAC table per VLAN. A frame in VLAN 10 is only ever forwarded to ports that belong to VLAN 10.

Concept                | Detail
-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------
VLAN Tagging (802.1Q)  | A 4-byte tag is inserted into the Ethernet frame on trunk links, identifying the VLAN. Access ports strip the tag before delivering to end hosts. See: VLAN Tagging (802.1Q)
Per-VLAN MAC Tables    | MAC_A learned on VLAN 10 Port 1 and MAC_A learned on VLAN 20 Port 1 are treated as entirely separate entries.
Intra-VLAN Forwarding  | Switches forward frames only within the same VLAN. No inter-VLAN traffic without a Layer 3 device.
Inter-VLAN Forwarding  | Requires a router (router-on-a-stick) or a Layer 3 switch (SVIs). The switch alone cannot forward frames between VLANs.

  VLAN 10: Host A (Port 1) ──→ Switch ──→ Host B (Port 4)
           [Same VLAN — direct forwarding ✓]

  VLAN 10: Host A (Port 1) ──→ Switch ──✗ Host C (Port 6, VLAN 20)
           [Different VLANs — Layer 3 device required]

10. Frame Forwarding and Spanning Tree Protocol (STP)

STP (802.1D) and its faster variants (RSTP 802.1w, MSTP 802.1s) exist to prevent Layer 2 loops. Without loop prevention, flooded frames would circulate indefinitely, causing a broadcast storm that collapses the network.

STP achieves this by placing redundant ports into a Blocking state. A switch will never forward data frames on a Blocking port — that port is logically removed from the topology until a link failure makes it necessary.

STP Port State | Forwards Data Frames? | Learns MACs?
---------------|-----------------------|-------------
Blocking       | No                    | No
Listening      | No                    | No
Learning       | No                    | Yes
Forwarding     | Yes                   | Yes
Disabled       | No                    | No

PortFast allows edge ports (connected to end hosts, not other switches) to skip the Listening and Learning states and go directly to Forwarding — speeding up host connectivity without risking loops. See: Spanning Tree Protocol | PortFast & BPDU Guard Lab

11. Switch Forwarding vs. Router Forwarding

Switches and routers both forward traffic, but they operate at different layers of the OSI model and use completely different lookup tables.

Feature              | Switch (Layer 2)                  | Router (Layer 3)
---------------------|-----------------------------------|------------------------------------------
OSI Layer            | Layer 2 — Data Link               | Layer 3 — Network
Forwarding Unit      | Frames                            | Packets
Addressing Used      | MAC address (48-bit)              | IP address (32-bit IPv4 / 128-bit IPv6)
Lookup Table         | MAC address table (CAM)           | Routing table (RIB / FIB)
Forwarding Hardware  | ASIC — wire-speed hardware        | CPU or CEF/ASIC (varies by platform)
Scope                | Within a single LAN / VLAN        | Between different networks / VLANs

12. Hardware and Software Forwarding

Modern switches use dedicated ASIC (Application-Specific Integrated Circuit) chips to perform MAC table lookups and frame forwarding entirely in hardware, at wire speed. This is why a switch can forward millions of frames per second without involving the CPU.

  • ASIC-based forwarding (data plane): Handles all normal unicast, broadcast, and multicast forwarding at line rate. The CPU is not involved.
  • CPU-based forwarding (control plane): Reserved for special traffic such as STP BPDUs, CDP/LLDP packets, management traffic, and frames requiring software processing. High rates of CPU-destined traffic can cause performance issues — a sign of a potential attack or misconfiguration.

13. Forwarding Table Updates and MAC Ageing

The MAC address table is entirely dynamic by default. Understanding how it updates and ages out is essential for troubleshooting connectivity issues.

  • When a frame arrives, the switch records the source MAC against the incoming port and VLAN.
  • Each entry gets a timestamp. If the source is seen again, the timer resets.
  • If no frame from that MAC is seen within the ageing time (default 300s on Cisco), the entry is deleted.
  • Static MAC entries can be configured manually — they never age out and are used for security-sensitive devices.

MAC flapping occurs when the same MAC address is seen arriving on different ports in quick succession — usually indicating a network loop, a misconfigured trunk, or a host that has moved. The switch will update the table repeatedly, causing instability.

14. Security Considerations in Frame Forwarding

The simplicity of Layer 2 forwarding creates several well-known attack vectors. Understanding them is a CCNA security requirement.

Attack / Threat  | How It Works                                                                                                                                                    | Mitigation
-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------
MAC Flooding     | Attacker floods the switch with frames containing thousands of fake source MACs, overflowing the CAM table. The switch falls back to flooding all frames — the attacker can intercept all traffic. | Port Security — limit the number of allowed MACs per port (switchport port-security maximum) — see Port Security
MAC Spoofing     | Attacker sends frames with a forged source MAC to redirect traffic intended for another host.                                                                   | Port Security with sticky MACs, Dynamic ARP Inspection (DAI)
Broadcast Storm  | A Layer 2 loop causes flooded frames to circulate endlessly, consuming all bandwidth.                                                                           | STP / RSTP, BPDU Guard on access ports, Storm Control
VLAN Hopping     | Attacker exploits auto-trunking to inject frames tagged for a different VLAN.                                                                                   | Disable DTP (switchport nonegotiate), assign unused ports to a dead VLAN

VACLs (VLAN Access Control Lists) can also be applied to filter traffic within a VLAN — providing a security layer that standard ACLs (applied at routed interfaces) cannot reach.
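
The learning, lookup, flooding, per-VLAN scoping, ageing and port-security behaviour described in Sections 5, 8, 9, 13 and 14 can be exercised in one small model. The following Python is an added example written for this page, not vendor switch code: the Switch class, its method names and the timestamps in demo() are constructed here (the 300 s ageing default and the Host A / Host B addresses and ports come from the page's Section 16 scenario), IGMP snooping is not modelled, and a port-security violation is represented simply as dropping the frame and recording the event rather than as shutting the port down.

```python
"""Minimal Layer 2 switch model (added example; not vendor code)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Per-VLAN MAC table with learning, ageing, flooding and an optional per-port MAC limit."""

    def __init__(self, ports_by_vlan, ageing=300, max_macs_per_port=None):
        self.ports_by_vlan = {v: set(p) for v, p in ports_by_vlan.items()}
        self.ageing = ageing               # seconds; 300 is the Cisco default named on the page
        self.max_macs = max_macs_per_port  # None = no port-security maximum configured
        self.table = {}                    # (vlan, mac) -> {"port": p, "seen": t}
        self.moves = []                    # (vlan, mac, old_port, new_port, t): MAC-move / flap events
        self.violations = []               # (port, mac, t): port-security violations

    def _expire(self, now):
        """Ageing: remove entries not refreshed within the ageing window."""
        for key, entry in list(self.table.items()):
            if now - entry["seen"] > self.ageing:
                del self.table[key]

    def _learn(self, vlan, mac, port, now):
        """Record the source MAC against the ingress port; reject it if the port limit is hit."""
        key = (vlan, mac)
        entry = self.table.get(key)
        if entry is not None and entry["port"] != port:
            self.moves.append((vlan, mac, entry["port"], port, now))
        if entry is None and self.max_macs is not None:
            on_port = sum(1 for e in self.table.values() if e["port"] == port)
            if on_port >= self.max_macs:
                self.violations.append((port, mac, now))
                return False
        self.table[key] = {"port": port, "seen": now}   # new entry, or timer reset
        return True

    def receive(self, vlan, in_port, src, dst, now):
        """Return (action, egress_ports) for one frame arriving on in_port in vlan."""
        self._expire(now)
        members = self.ports_by_vlan[vlan]
        src, dst = src.lower(), dst.lower()
        if in_port not in members or not self._learn(vlan, src, in_port, now):
            return ("drop", [])            # port not in this VLAN, or port-security violation
        others = sorted(members - {in_port})
        if dst == BROADCAST or int(dst[:2], 16) & 0x01:
            return ("flood", others)       # broadcast or multicast (IGMP snooping not modelled)
        entry = self.table.get((vlan, dst))
        if entry is None:
            return ("flood", others)       # unknown unicast
        if entry["port"] == in_port:
            return ("drop", [])            # destination sits behind the ingress port: filter it
        return ("forward", [entry["port"]])


def demo():
    """Walk the Section 16 scenario, then ageing, VLAN scoping, a MAC move and a CAM-overflow attempt."""
    a, b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # Host A on Port 1, Host B on Port 5 (from the page)
    sw = Switch({10: {1, 2, 3, 4, 5}, 20: {6, 7}}, max_macs_per_port=2)
    out = {}
    out["first"] = sw.receive(10, 1, a, b, now=0)      # B unknown: flood to every other VLAN 10 port
    out["reply"] = sw.receive(10, 5, b, a, now=1)      # A already learned: forward to Port 1 only
    out["second"] = sw.receive(10, 1, a, b, now=2)     # B learned from the reply: forward to Port 5
    out["aged"] = sw.receive(10, 1, a, b, now=400)     # B silent for >300 s: entry aged out, flood again
    out["vlan20"] = sw.receive(20, 6, "aa:aa:aa:aa:aa:01", b, now=401)  # no (VLAN 20, B) entry: flood in VLAN 20
    out["bcast"] = sw.receive(10, 1, a, BROADCAST, now=402)
    sw.receive(10, 2, a, b, now=403)                   # A now seen on Port 2: MAC move recorded
    out["moves"] = list(sw.moves)
    for i in range(3):                                 # three distinct sources on Port 3; limit is 2
        out[f"flood{i}"] = sw.receive(10, 3, f"02:00:00:00:00:{i:02x}", b, now=404 + i)
    out["violations"] = list(sw.violations)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```

demo() follows the Section 16 walkthrough: the first frame to Host B is flooded, the reply lets the switch learn Port 5, later frames are forwarded directly, and after 300 s of silence the entry ages out and flooding resumes. The last two steps show the two conditions Section 15 tells you to look for: a MAC moving between ports (the flap indicator) and a port that keeps presenting new source addresses, which the per-port maximum stops at the third address.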

15. Troubleshooting Frame Forwarding Issues

Most Layer 2 connectivity problems trace back to a small set of root causes. Use the following table and commands as a diagnostic framework.

Symptom                                          | Possible Cause                                                     | Troubleshooting Steps
-------------------------------------------------|--------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------
Frames flooded unnecessarily                     | MAC table overflow, MAC flooding attack, MAC flapping              | Run show mac address-table count; check for port security violations; look for MAC flapping syslog messages
One-way communication                            | VLAN mismatch, STP blocking one direction, port duplex mismatch    | Check show vlan brief, show spanning-tree, show interfaces for duplex/speed errors
Broadcast storm / network unusable               | STP failure, Layer 2 loop, disabled STP on trunk                   | Check show spanning-tree for topology changes; verify no ports are in a permanent Forwarding state on redundant links without STP
Delayed forwarding / high latency                | Store-and-forward overhead, CRC errors causing retransmits         | Check show interfaces for input/output errors and CRC counters
Host can't reach gateway despite correct config  | VLAN not active on trunk, STP port in Blocking/Learning            | Check show vlan brief, show interfaces trunk, show spanning-tree vlan X

Key diagnostic commands (see also show interfaces and show ip route):

show mac address-table
show mac address-table count
show interfaces status
show interfaces <id> counters errors
show vlan brief
show interfaces trunk
show spanning-tree
show spanning-tree vlan <id>

16. Example Scenario — End-to-End Frame Forwarding

Host A (00:11:22:33:44:55, VLAN 10, Port 1) wants to send data to Host B (66:77:88:99:AA:BB, VLAN 10, Port 5).

  Step 1: Host A sends frame
          Src: 00:11:22:33:44:55  Dst: 66:77:88:99:AA:BB
          Arrives on Switch Port 1, VLAN 10

  Step 2: MAC Learning
          Switch records: 00:11:22:33:44:55 → Port 1, VLAN 10

  Step 3: Destination MAC Lookup
          Look up 66:77:88:99:AA:BB in VLAN 10 MAC table

          ┌─────────────────────────────────────────┐
          │  IF FOUND: Forward to Port 5 only       │
          │  IF NOT:   Flood to all VLAN 10 ports   │
          │            except Port 1                │
          └─────────────────────────────────────────┘

  Step 4 (if flooded): Host B receives frame, replies to Host A
          Switch learns: 66:77:88:99:AA:BB → Port 5, VLAN 10

  Step 5: All subsequent unicasts Host A ↔ Host B
          forwarded directly Port 1 ↔ Port 5  ✓

17. Summary

Aspect                    | Switch Frame Forwarding Behaviour
--------------------------|--------------------------------------------------------------------------------------------------------------
Forwarding Decision Basis | Destination MAC address lookup in the per-VLAN CAM table
When Flooding Occurs      | Unknown unicast, broadcast (FF:FF:FF:FF:FF:FF), or multicast (without IGMP snooping)
Switching Methods         | Store-and-Forward (full error check), Cut-Through (lowest latency), Fragment-Free (collision filtering)
VLAN Impact               | MAC table is maintained per VLAN; forwarding is always scoped within the source VLAN
STP Influence             | No data frames forwarded on STP-blocked ports; prevents Layer 2 loops
Hardware Acceleration     | ASIC performs all data-plane forwarding at wire speed without CPU involvement
MAC Table Management      | Dynamically learned; ages out after 300s by default; static entries available
Security Controls         | Port Security (MAC limits), VACLs, DAI, Storm Control, BPDU Guard

Frame Forwarding Quiz

1. What is the primary function of frame forwarding in a Layer 2 switch?

Correct answer is B. Frame forwarding is the switch's process of consulting its MAC address table and delivering the frame only to the port mapped to the destination MAC. It is the fundamental Layer 2 switching operation.

2. When does a switch flood a frame to all ports in the VLAN?

Correct answer is D. Flooding is triggered by three conditions: (1) Broadcast — destination is FF:FF:FF:FF:FF:FF; (2) Multicast — by default unless IGMP snooping restricts it; (3) Unknown unicast — destination MAC is not yet in the MAC table. In all three cases the frame goes to every port in the VLAN except the source port.

3. Which switching method buffers the entire frame and verifies the FCS before forwarding?

Correct answer is A. Store-and-Forward is the only method that receives the complete frame, computes the FCS (CRC), and discards corrupted frames before forwarding. This makes it the most reliable method and the default on modern Cisco switches. It also enables QoS classification of the full frame before forwarding.

4. What is the destination MAC address of a broadcast frame?

Correct answer is C. The Ethernet broadcast address is FF:FF:FF:FF:FF:FF (48 bits all set to 1). Any frame with this destination is unconditionally flooded to all ports in the VLAN — the switch never consults the MAC table for this address. Common uses: ARP requests, DHCP Discover.

5. What action does a switch take if the destination MAC is not found in its MAC table?

Correct answer is B. The switch floods unknown unicast frames. It has no mechanism to drop a unicast frame simply because the destination is unknown — doing so would break connectivity for new devices. By flooding, the switch ensures the frame reaches the destination, and when the destination replies, its MAC is learned for future direct forwarding.

6. How does VLAN tagging affect frame forwarding?

Correct answer is D. IEEE 802.1Q VLAN tagging causes switches to maintain completely independent MAC tables per VLAN. A MAC address learned on VLAN 10 cannot be used to forward a frame arriving on VLAN 20. This VLAN isolation is the foundation of LAN segmentation — traffic from one VLAN cannot reach another without passing through a Layer 3 device.

7. What role does Spanning Tree Protocol (STP) play in frame forwarding?

Correct answer is A. STP (and RSTP/MSTP) prevents Layer 2 loops by placing redundant switch ports into a Blocking state. A switch never forwards data frames on a Blocking port. Without STP, flooded frames (broadcasts, unknown unicasts) would loop endlessly between switches, causing a broadcast storm that consumes all bandwidth and crashes the network within seconds.

8. What distinguishes switch frame forwarding from router packet forwarding?

Correct answer is B. Switches operate at OSI Layer 2 and forward Ethernet frames based on 48-bit MAC addresses using a CAM table. Routers operate at OSI Layer 3 and forward IP packets based on 32-bit (IPv4) or 128-bit (IPv6) IP addresses using a routing table. The key difference: switches work within a network segment; routers connect different network segments.

9. What hardware component enables wire-speed frame forwarding in modern switches?

Correct answer is C. ASICs are custom-designed hardware chips that perform MAC table lookups and frame switching entirely in silicon, at the full line rate of the switch ports. Unlike CPU-based processing, ASICs can handle millions of forwarding decisions per second with microsecond latency, making modern switches dramatically faster than older software-based approaches.

10. What is the most likely cause of excessive and persistent frame flooding on a switch?

Correct answer is A. When the MAC table overflows (caused by a MAC flooding attack that inserts thousands of fake MACs), the switch can no longer store legitimate entries and reverts to flooding all frames — giving an attacker the ability to intercept traffic. MAC flapping (same MAC seen on multiple ports rapidly) also causes instability. Both are detected with show mac address-table count and syslog messages. Mitigation: Port Security with a maximum MAC limit per port.
