Switching Networking Theory

Frame Flooding

Understanding frame flooding behavior when switches encounter unknown destination MAC addresses

Frame Flooding

  • Frame flooding occurs when a switch receives a frame with an unknown destination MAC address and forwards it out all ports except the incoming port
  • This is the switch’s default behavior when the MAC address table doesn’t contain an entry for the destination MAC
  • The switch essentially “floods” the frame across all active ports in the same VLAN, hoping the intended recipient will respond

How Frame Flooding Works

  • Switch receives frame on Port 1 with destination MAC 00:11:22:33:44:55
  • Switch checks MAC address table - no entry found for this MAC
  • Switch forwards frame out all other active ports (Ports 2, 3, 4, etc.) in the same VLAN
  • Only the device with matching MAC address will process the frame (others discard it)
  • When destination device responds, switch learns its MAC address and port location

When Frame Flooding Occurs

  • Initial network startup - MAC address tables are empty
  • New device connections - Unknown MACs trigger flooding until learned
  • MAC address aging - Entries expire (default 300 seconds) and get removed
  • Broadcast/multicast traffic - Always flooded by design (FF:FF:FF:FF:FF:FF)
  • Network topology changes - MAC tables may need rebuilding after link failures

Vocabulary

Term Definition
MAC Address Table Switch’s database mapping MAC addresses to specific ports
Unknown Unicast Frame with destination MAC not in the switch’s address table
Aging Time Duration MAC entries remain in table without refresh (default 300s)
CAM Table Content Addressable Memory - hardware implementation of MAC table

Frame Flooding vs Other Traffic Types

Traffic Type Flooding Behavior Reason
Unknown Unicast Flooded until MAC learned Destination port unknown
Broadcast Always flooded Intended for all devices (FF:FF:FF:FF:FF:FF)
Multicast Flooded (unless IGMP snooping) Multiple intended recipients
Known Unicast Sent to specific port only MAC-to-port mapping exists

Security and Performance Implications

  • Excessive flooding can cause network congestion and security risks
  • Creates unnecessary traffic on all switch ports in the VLAN
  • Potential for MAC address table overflow attacks (flooding fake MACs to fill table)
  • Port security features can limit MAC addresses per port to prevent abuse
  • VLAN segmentation reduces flooding scope (frames only flood within same VLAN)

Real-World Example

  • New laptop connects to corporate switch Port 5
  • User opens web browser, generates traffic to gateway 00:AA:BB:CC:DD:EE
  • Switch doesn’t know gateway’s port location, floods frame to all 24 ports
  • Gateway (on Port 1) responds, switch learns 00:AA:BB:CC:DD:EE = Port 1
  • Subsequent frames to gateway go directly to Port 1 (no more flooding)

Notes

  • Frame flooding is normal switch behavior, not a malfunction - it ensures connectivity even without complete MAC knowledge
  • Modern switches can handle thousands of MAC addresses, but flooding still impacts performance on busy networks
  • Use show mac address-table to view learned MACs and identify potential flooding sources
  • Consider port security (switchport port-security) to limit MAC learning and prevent table overflow attacks
  • VLANs are critical - flooding is contained within VLAN boundaries, making network segmentation essential for large deployments
  • Remember: Switches flood unknown unicast, but routers drop packets to unknown networks - key behavioral difference between Layer 2 and Layer 3 devices