Thursday, May 10, 2012

Switching Basics

I have a pretty good understanding of how switches work, but it wouldn't hurt to brush up. Switches are layer 2 (data link) devices. Every switch port is its own collision domain, and by default the whole switch is a single broadcast domain; VLANs can be used to split it into several smaller broadcast domains. A switch deals with an incoming frame in one of three ways:
  • Forward 
  • Flood 
  • Filter
[1] When a switch receives a frame, it first looks up the frame's source MAC address in its MAC address table, not the destination MAC address (where the frame needs to go). In this case the switch didn't have the MAC address 0007.ec24.d2a4 in its table when I pinged 192.168.1.2, as verified with the show mac-address-table output below.

The switch then records the source MAC address, together with the port and VLAN it arrived on, in its table if it is not already there. Next the switch needs to decide what to do with the frame: forward, flood or filter.


Switch#show mac-address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----


[2] The switch then looks up the destination MAC address and checks whether it has an entry for it in the MAC address table.

The switch will flood the frame out every port in that VLAN except the one it was received on if it does not have the destination MAC address in its table. When the destination host receives the flooded frame and replies, the switch again checks the source MAC address of the reply, realizes it does not have that one either, and adds it to the table. It then looks at the reply's destination MAC address (the original sender), finds that entry already in the table, and forwards the reply out that single port instead of flooding it.

The switch will forward the frame out a single port if the destination MAC address has an entry in its table. With both entries now learned (see the table below), if I pinged 0090.2bdb.4c3b from 0007.ec24.d2a4 the frame would be forwarded straight out Fa0/2 without any need to flood the network.


Switch#show mac-address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0007.ec24.d2a4    DYNAMIC     Fa0/1
   1    0090.2bdb.4c3b    DYNAMIC     Fa0/2

The switch will filter the frame if it sees that the destination MAC address was learned on the same port the frame arrived on (for example two hosts behind a hub on one port, which can already hear each other). The frame is discarded by the switch.

Switches have three different switching methods for forwarding a frame: store-and-forward, cut-through and fragment-free. The default on Cisco switches is store-and-forward.


Store-and-forward buffers the entire frame before forwarding it, so that it can read the MAC addresses and verify the FCS (frame check sequence) at the end of the frame. This gives the best error detection: frames with a bad FCS, and runts shorter than the 64-byte minimum, are dropped instead of forwarded.

Cut-through reads only as far as the MAC addresses and then begins forwarding the frame immediately. Latency is lower, but since the FCS at the end of the frame has not arrived yet when forwarding starts, there is no error detection and corrupt frames are passed along.

Fragment-free is a compromise between the two: it waits for the first 64 bytes of the frame (the minimum legal Ethernet frame size) before forwarding. That is enough to discard runts and collision fragments, which are the most common errors, but the FCS is still not checked.
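To make the difference between the three methods concrete, here is an added example (not from the original post) in Python that models each method's forwarding decision over constructed frames. zlib's CRC-32 stands in for the Ethernet FCS (the real FCS bit ordering differs, which does not matter for the comparison). The MAC addresses are the two from this post's MAC table; build_frame, decisions and the frame constants are names made up for this example.

```python
import zlib

HEADER_LEN = 14   # destination MAC (6) + source MAC (6) + EtherType (2)
FCS_LEN = 4       # frame check sequence: CRC-32 over everything before it
MIN_FRAME = 64    # minimum legal Ethernet frame size, FCS included


def build_frame(dst: bytes, src: bytes, ethertype: bytes, payload: bytes) -> bytes:
    """Assemble header + payload and append a CRC-32 FCS (zlib CRC stands in for the real FCS)."""
    body = dst + src + ethertype + payload
    return body + zlib.crc32(body).to_bytes(FCS_LEN, "little")


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over the frame body and compare with the trailing FCS."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return zlib.crc32(body).to_bytes(FCS_LEN, "little") == fcs


def store_and_forward(frame: bytes) -> bool:
    """Whole frame buffered: runts and frames whose FCS does not verify are dropped."""
    return len(frame) >= MIN_FRAME and fcs_ok(frame)


def fragment_free(frame: bytes) -> bool:
    """Only the first 64 bytes are waited for: collision fragments dropped, bad FCS passed."""
    return len(frame) >= MIN_FRAME


def cut_through(frame: bytes) -> bool:
    """Forwarding starts once the header has been read: no size or FCS check at all."""
    return len(frame) >= HEADER_LEN


def decisions(frame: bytes) -> dict:
    """Forwarding decision of each switching method for one frame (True = forwarded)."""
    return {
        "store-and-forward": store_and_forward(frame),
        "fragment-free": fragment_free(frame),
        "cut-through": cut_through(frame),
    }


# Constructed sample frames for the example (payload contents are arbitrary).
DST = bytes.fromhex("00902bdb4c3b")   # 0090.2bdb.4c3b
SRC = bytes.fromhex("0007ec24d2a4")   # 0007.ec24.d2a4
IPV4 = b"\x08\x00"

GOOD_FRAME = build_frame(DST, SRC, IPV4, b"A" * 46)     # exactly 64 bytes, FCS valid

_corrupt = bytearray(GOOD_FRAME)
_corrupt[20] ^= 0xFF                                     # flip one payload byte after the header
CORRUPT_FRAME = bytes(_corrupt)                          # 64 bytes, FCS no longer matches

RUNT_FRAME = build_frame(DST, SRC, IPV4, b"A" * 10)     # 28 bytes: a collision fragment with a good FCS

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("corrupt", CORRUPT_FRAME), ("runt", RUNT_FRAME)]:
        print(f"{name:8s} {decisions(frame)}")
```

Only store-and-forward rejects the corrupted frame; fragment-free catches the runt but not the bad FCS; cut-through forwards everything once it has seen the header, which is exactly the trade-off the three methods make.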


There is a security feature called port security, and it is possible precisely because a switch always checks the source MAC address before it does anything else with a frame. Port security is the ability to configure, statically or dynamically, the trusted MAC addresses allowed on a port and to restrict access for any untrusted MAC address that shows up there.

The command switchport port-security enables port security on an interface (the interface has to be an access port, so set switchport mode access first; IOS rejects the command on a dynamic trunking port). Next a maximum number of allowed MACs can be set (the default is 1), with the option of typing in MAC addresses statically or using the sticky option, which records the MAC addresses the port learns dynamically, up to the maximum, into the running-config so they behave like static entries. When a violation is detected (a frame from a MAC address not in the allowed set once the maximum is reached) the port can react in one of three ways: shutdown (the default; the port goes into err-disabled and needs a manual shutdown / no shutdown to bring it back up), protect (silently drops frames from the insecure MACs) or restrict (drops the insecure frames, increments the violation counter and sends a syslog message and SNMP trap about the violation).


Switch(config-if)#switchport port-security 

Switch(config-if)#switchport port-security maximum 2

Switch(config-if)#switchport port-security mac-address 0007.EC24.D2A4

Switch(config-if)#switchport port-security mac-address sticky

Switch(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
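To tie together the learning steps [1] and [2] above with the port-security behaviour just described, here is an added example (not part of the original post, and not Cisco's code) in Python that models a single-VLAN learning switch: source learning first, then forward/flood/filter on the destination lookup, with a per-port port-security check in front of learning. The MAC addresses and port names come from this post's show mac-address-table output plus a few made-up ones; Frame, PortSecurity, LearningSwitch and their methods are hypothetical names for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Frame:
    dst: str   # destination MAC, Cisco dotted-hex notation
    src: str   # source MAC


@dataclass
class PortSecurity:
    """Per-port state for: switchport port-security [maximum N] [mac-address X] [mac-address sticky] [violation MODE]."""
    maximum: int = 1                                   # default maximum is 1 address
    allowed: Set[str] = field(default_factory=set)     # static entries plus learned secure addresses
    sticky: bool = False
    violation: str = "shutdown"                        # protect | restrict | shutdown (default)
    sticky_saved: List[str] = field(default_factory=list)  # what sticky would write to running-config
    violations: int = 0                                # SecurityViolation counter (restrict/shutdown only)
    err_disabled: bool = False


class LearningSwitch:
    """Model of a transparent bridge: learn the source, then forward / flood / filter on the destination."""

    def __init__(self, ports: List[str], vlan: int = 1):
        self.ports = list(ports)
        self.vlan = vlan
        self.mac_table: Dict[str, Tuple[int, str]] = {}   # mac -> (vlan, port)
        self.security: Dict[str, PortSecurity] = {}

    def enable_port_security(self, port: str, **settings) -> None:
        self.security[port] = PortSecurity(**settings)

    def _port_security(self, port: str, frame: Frame) -> Optional[str]:
        """Return the violation action taken, or None if the frame is allowed in."""
        ps = self.security.get(port)
        if ps is None:
            return None
        if ps.err_disabled:
            return "err-disabled"           # port stays down until shutdown / no shutdown
        if frame.src in ps.allowed:
            return None
        if len(ps.allowed) < ps.maximum:
            ps.allowed.add(frame.src)       # room under the maximum: learn it as a secure address
            if ps.sticky:
                ps.sticky_saved.append(frame.src)
            return None
        if ps.violation == "protect":
            return "protect"                # silent drop, counter untouched
        ps.violations += 1
        if ps.violation == "restrict":
            return "restrict"               # drop, count and log
        ps.err_disabled = True
        return "shutdown"                   # port goes err-disabled

    def receive(self, port: str, frame: Frame) -> Tuple[str, List[str]]:
        """Process one ingress frame and return (action, egress ports)."""
        denied = self._port_security(port, frame)
        if denied is not None:
            return denied, []
        # [1] the source address is looked up and learned before anything else happens
        self.mac_table[frame.src] = (self.vlan, port)
        # [2] the destination lookup decides between forward, flood and filter
        entry = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            return "flood", [p for p in self.ports if p != port]
        if entry[1] == port:
            return "filter", []             # destination lives on the ingress port
        return "forward", [entry[1]]

    def show_mac_address_table(self) -> List[Tuple[int, str, str, str]]:
        """Rows in the order of show mac-address-table: (vlan, mac, type, port)."""
        return sorted((vlan, mac, "DYNAMIC", port) for mac, (vlan, port) in self.mac_table.items())


if __name__ == "__main__":
    A, B = "0007.ec24.d2a4", "0090.2bdb.4c3b"
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", Frame(dst=B, src=A)))   # flooded: B unknown
    print(sw.receive("Fa0/2", Frame(dst=A, src=B)))   # forwarded: A already learned
    print(sw.show_mac_address_table())
```

The same object can be used to walk through the violation modes: enable port security on Fa0/1 with maximum 2, the static address 0007.ec24.d2a4 and sticky, and a second source address on that port is learned and saved while a third is dropped; enable it on Fa0/2 with the default shutdown mode and the first unknown source puts the port into err-disabled, after which even the legitimate host is dropped until the port is bounced.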
