MAC address flooding is a serious threat to local area networks (LANs). The attack occurs when a malicious user sends a large number of frames carrying fake MAC addresses to a switch, overwhelming its ability to keep track of legitimate devices.
As the switch's MAC address table fills up, it can no longer learn new addresses and starts flooding traffic for those destinations to every connected device, which degrades the switch into a less secure hub. This can lead to sensitive data being intercepted.
In this article, we will explain how MAC address flooding works, its impact on network security, and simple ways to prevent and address this issue to keep your network safe.
Let's start our discussion of switching concepts with the definition of a switch and how it functions, followed by MAC address flooding and the other important concepts. A good understanding of these building blocks is essential to understanding switching.
A switch is a network device used in computer networks to connect other devices such as computers, laptops, printers, servers, etc. within a local area network (LAN).
It operates at the data link layer (Layer 2) of the OSI (Open Systems Interconnection) model. This topic is part of the CCNA syllabus, which also answers questions such as what a MAC address is.
The primary function of a switch is to provide connectivity between multiple devices: it receives data (in the form of frames) from one device connected to it and then forwards that data to the appropriate destination device based on the destination device's MAC address.
You can have more understanding of this through self-learning or Cisco training and certifications using documents available on the Cisco website.
Cisco switches are more advanced and efficient than traditional hubs. Unlike hubs, which simply broadcast data to all connected devices, switches use a process called frame switching to intelligently send data only to the device it is intended for.
This feature allows switches to reduce unnecessary network traffic, prevent collisions, and improve overall network performance. A typical Cisco switch looks like the one shown in the picture below.
Switches come in various sizes, from small home or office switches with a few ports to large enterprise-level switches with numerous ports to accommodate a vast number of devices.
Understanding Cisco switch hardware architecture through instructor-led live CCNA training with hands-on practice will solidify your initial knowledge before you move on to advanced topics such as routing.
MAC address (Media Access Control address) is a unique identifier assigned to each network interface card (NIC) or network adapter (as shown in the picture below) of devices connected to a network.
Please note that these switching concepts are part of the CCNA course; here we have only touched on a brief introduction to MAC addresses and the other core concepts.
The MAC address is a 48-bit (6-byte) address typically represented in hexadecimal format (e.g., 00:1A:2B:3C:4D:5E). It is hard-coded into the network interface hardware during manufacturing, which means that no two devices in the world should have the same MAC address. Note, however, that most operating systems allow the address a NIC sends with to be overridden in software, which is why a switch cannot treat a source MAC address as proof of a device's identity.
Now, to understand switching, MAC address flooding, learning, and aging, let's take some configuration examples so that beginners can follow easily.
MAC address learning is like a switch's memory. When a switch sees a device connected to one of its ports, it remembers its unique MAC address and which port it is connected to.
This way, when it later receives data (frames) from that device, it knows exactly where to send the data to reach that device efficiently.
Suppose we have a switch with three devices connected to its ports:
● Device A with MAC address 11:11:11:11:11:11 connected to Port 1
● Device B with MAC address 22:22:22:22:22:22 connected to Port 2
● Device C with MAC address 33:33:33:33:33:33 connected to Port 3
The switch learns these connections automatically as data flows between devices.
MAC address aging is like a cleaning process. If a device is no longer connected or active, the switch forgets about it after a while to keep its memory tidy.
If Device C is disconnected from Port 3, the switch will eventually remove the entry for MAC address 33:33:33:33:33:33 from its memory through aging.
Frame switching is like a postal service sorting and delivering letters to their correct destinations. When the switch receives data (frames), it looks at the address on the package (the destination MAC address).
Then, it checks its memory (the MAC address table) to find the correct "delivery address" (outgoing port) for that package. The switch only sends the data to the correct destination, just like a mail carrier delivering letters to the right houses. As an example:
If Device A wants to send data to Device B, the switch will look up the MAC address table, find the entry for MAC address 22:22:22:22:22:22 (Device B's address), and then send the data to Port 2, where Device B is connected.
Frame flooding is like shouting in a crowded room when you don't know the specific person you want to talk to. When the switch receives data (frames) with a destination address it doesn't recognize (unknown MAC address), it broadcasts the data to all its ports, except the one it received the data from.
This way, the switch ensures that the data reaches the intended recipient, even if it's not sure where that recipient is located. As an example:
If a new device, Device D, joins the network and sends data with a MAC address the switch hasn't seen before (e.g., 44:44:44:44:44:44), the switch will flood the data to all ports (except the one where the data came from).
This way, it reaches all connected devices, including Device B (with MAC address 22:22:22:22:22:22), which can then respond to the new device.
Think of the MAC address table as a phonebook that the switch uses to keep track of which device (MAC address) is connected to which port. When a device sends data, the switch checks the phonebook to find the correct port to send the data, just like you'd check a phonebook to find someone's phone number.
Suppose the switch's MAC address table looks like this:
● MAC Address: 11:11:11:11:11:11, Port: 1
● MAC Address: 22:22:22:22:22:22, Port: 2
● MAC Address: 33:33:33:33:33:33, Port: 3
When the switch receives data with the destination MAC address 22:22:22:22:22:22, it looks up the table and finds that the data should be sent out through Port 2, where Device B is connected.
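To make the learning, aging, frame-switching and flooding behaviour above concrete, here is a small Python model of a switch's MAC address table. It is an added example written for this article, not code from the article's author or from any Cisco product. It also models the failure mode from the introduction: once the table is full, new addresses cannot be learned and traffic to them is flooded out of every port. The table capacity, the 300-second aging time and the optional per-port address limit (the idea behind port security) are assumed parameters chosen to keep the demonstration small; the 02:00:00:00:xx:xx addresses are constructed, locally administered values.

```python
# Toy Layer-2 switch model (added example, not from the original article).
# Assumed parameters: a tiny table capacity so the full-table case is easy
# to trigger, a 300 s aging time, and an optional per-port learned-address
# limit standing in for a port-security style mitigation.
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: list                         # e.g. ["Port1", "Port2", "Port3"]
    table_capacity: int = 4096          # assumed CAM table size (varies by model)
    aging_time: int = 300               # seconds an idle entry survives (assumed)
    max_macs_per_port: Optional[int] = None  # assumed port-security style limit
    table: dict = field(default_factory=dict)  # mac -> [port, last_seen]
    violations: list = field(default_factory=list)

    def age(self, now):
        """Aging: forget entries idle for longer than aging_time."""
        expired = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for m in expired:
            del self.table[m]
        return expired

    def learn(self, src_mac, in_port, now):
        """Learning: record src_mac behind in_port.
        Returns 'refreshed', 'learned', 'full' or 'violation'."""
        if src_mac in self.table:
            self.table[src_mac] = [in_port, now]
            return "refreshed"
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p, _ in self.table.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((now, in_port, src_mac))
                return "violation"
        if len(self.table) >= self.table_capacity:
            return "full"              # table exhausted: nothing new is learned
        self.table[src_mac] = [in_port, now]
        return "learned"

    def forward(self, src_mac, dst_mac, in_port, now):
        """Frame switching / flooding: return the egress ports for one frame."""
        self.age(now)
        if self.learn(src_mac, in_port, now) == "violation":
            return []                  # port-security style drop
        if dst_mac != BROADCAST and dst_mac in self.table:
            return [self.table[dst_mac][0]]              # known unicast: one port
        return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood


def fake_mac(i):
    """Constructed, locally administered address; clearly not a vendor MAC."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)


def demo_aging():
    """Devices A, B, C from the article; B and C go idle and age out."""
    sw = Switch(["Port1", "Port2", "Port3"])
    a, b, c = "11:11:11:11:11:11", "22:22:22:22:22:22", "33:33:33:33:33:33"
    sw.forward(a, b, "Port1", now=0)          # B unknown: flooded, A learned
    sw.forward(b, a, "Port2", now=1)          # A known: Port1 only, B learned
    sw.forward(c, BROADCAST, "Port3", now=2)  # C learned
    sw.forward(a, b, "Port1", now=250)        # keeps A fresh
    expired = sw.age(310)                     # B and C idle for > 300 s
    return {"expired": expired,
            "a_to_b_after_aging": sw.forward(a, b, "Port1", now=310),
            "table": sorted(sw.table)}


def demo_table_full(limit=None):
    """Many source addresses on Port3 exhaust a 5-entry table; D on Port4
    then cannot be learned and replies to D are flooded, including to Port3."""
    sw = Switch(["Port1", "Port2", "Port3", "Port4"], table_capacity=5,
                max_macs_per_port=limit)
    a, b, d = "11:11:11:11:11:11", "22:22:22:22:22:22", "44:44:44:44:44:44"
    out = {}
    out["a_to_b_unknown"] = sw.forward(a, b, "Port1", now=0)
    out["b_to_a_known"] = sw.forward(b, a, "Port2", now=1)
    out["fill"] = [sw.learn(fake_mac(i), "Port3", now=2) for i in range(8)]
    out["table_size"] = len(sw.table)
    out["d_status"] = sw.learn(d, "Port4", now=3)
    out["b_to_d"] = sw.forward(b, d, "Port2", now=4)
    out["violations"] = len(sw.violations)
    return out


if __name__ == "__main__":
    print(demo_aging())
    print("no limit:", demo_table_full())
    print("limit 2 :", demo_table_full(limit=2))
```

Running `demo_table_full()` without a limit shows the table stuck at five entries, device D reported as "full", and B's reply to D flooded to Port1, Port3 and Port4, so the sender of the fake addresses on Port3 receives a frame that should have gone only to D. With `limit=2`, the third and later addresses on Port3 are rejected, D is learned normally, and the same reply goes to Port4 alone.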
The above processes are handled automatically by switches. There is typically no manual configuration needed for MAC address learning, MAC address aging, or frame switching.
However, if you want to see the MAC address table on a switch, you can use the following command from the switch's command-line interface (CLI), in privileged EXEC mode:
Switch# show mac address-table
This command displays the MAC addresses the switch has learned, the port associated with each, the VLAN each entry belongs to, and whether the entry was learned dynamically or configured statically.
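The output of that command is also the simplest place to spot the flooding condition described at the top of the article: one port that suddenly has many more learned addresses behind it than it has hosts. The following Python snippet is an added example, not part of the article and not a Cisco tool; it parses the table output and counts dynamically learned addresses per port. The sample text is constructed to mimic the IOS column layout, the 02xx addresses are made up, and the threshold passed to ports_over_limit is an assumed value that would be tuned to the number of hosts expected behind each port.

```python
# Added example (not from the original article): parse "show mac address-table"
# output and count dynamically learned addresses per port. SAMPLE_OUTPUT is
# constructed to look like the IOS layout; the threshold is an assumed value.
import re

SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    1111.1111.1111    DYNAMIC     Fa0/1
   1    2222.2222.2222    DYNAMIC     Fa0/2
   1    3333.3333.3333    DYNAMIC     Fa0/3
   1    0200.0000.0001    DYNAMIC     Fa0/3
   1    0200.0000.0002    DYNAMIC     Fa0/3
   1    0200.0000.0003    DYNAMIC     Fa0/3
   1    0200.0000.0004    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 8
"""

# One table row: VLAN (number or "All"), dotted-hex MAC, entry type, port.
ENTRY = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$"
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; headers and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m["vlan"], m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def dynamic_macs_per_port(entries):
    """Count DYNAMIC entries per port; STATIC/CPU entries were not learned from traffic."""
    counts = {}
    for _vlan, _mac, typ, port in entries:
        if typ == "DYNAMIC":
            counts[port] = counts.get(port, 0) + 1
    return counts


def ports_over_limit(counts, limit):
    """Ports whose learned-address count exceeds the number of hosts expected there."""
    return sorted(p for p, n in counts.items() if n > limit)


if __name__ == "__main__":
    counts = dynamic_macs_per_port(parse_mac_table(SAMPLE_OUTPUT))
    print(counts)
    print("ports to investigate:", ports_over_limit(counts, limit=2))
```

On the constructed sample the check reports Fa0/3, which carries five learned addresses against the assumed limit of two for an access port. In practice the same counting can be done against periodic captures of the command output so that a sudden jump on one port raises an alert.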
Keep in mind that modern switches handle MAC address learning, aging, and frame flooding automatically, so you don't usually need to configure them manually. You can also check our IT infrastructure courses to learn more.
Remember, these concepts are fundamental to understanding how switches operate and manage network traffic efficiently. As a beginner, grasping these concepts will help you build a solid foundation in networking.
He is a senior solution network architect currently working with one of the largest financial companies. He has an impressive academic and training background. He has completed his B.Tech and MBA, which makes him both technically and managerially proficient. He has also completed more than 450 online and offline training courses, both in India and ...