Switch Learning Vs. Switch Forwarding: Answer

By certskills May 9, 2014 09:05

Today’s post wraps up this latest sample #CCENT exam question. Answer is below the fold.

Relevant Links:

The Answers

B, C

The Explanation

First, the switch’s MAC table is empty.

Then, PC1 sends a frame, source MAC address 1111.1111.1111, arriving in port F0/1. As a result, the MAC table now lists PC1’s MAC off port F0/1. (We don’t care where this frame was forwarded, at least for this question).

Then, PC3 sends a frame, source of 3333.3333.3333, destination of PC2’s MAC. The frame arrives at the switch in port F0/3. So, the MAC table now lists PC3’s MAC off port F0/3.

The question asks: where does the switch forward this second frame, which has a destination address of 2222.2222.2222.

Per the MAC table at the instant the frame arrives, PC2’s MAC is not in the MAC table. So, the switch floods the frame.

In this case, flooding the frame in VLAN 1 means: forwarding out ports F0/1 and F0/2, but not out port F0/3, because the frame arrived in F0/3.

Switch Learning Vs. Switch Forwarding - Analysis
Switch Forwarding of Frame From Host to Gateway
By certskills May 9, 2014 09:05
Write a comment


  1. Anna August 26, 23:51

    Hi Wendell,

    Per my understanding, when the second frame arrives the MAC table already has PC1 and learned PC3 MAC (2 entries & ports )
    Can the switch filter and forward the frame only to PC2?
    If the PC1 entry expired in mac table, then flooding occurs and forwarding the frame to pc1 & pc2 sounds correct.
    If i see the similar question in the test, i will answer PC2 whatever port it’s connected to.


    Reply to this comment
    • CCENTSkills August 29, 10:38

      Hi Anna,
      On this specific question, because the switch has not learned PC2’s MAC yet, SW2 will flood that second frame. One key here is that learning happens based on the source MAC, and PC2 hasn’t yet sent a frame. So, that 2nd frame as referenced in the question, destined to PC2’s MAC address, would be flooded.

      Hope this helps,

      Reply to this comment
      • Anna August 29, 17:53

        Hi Wendell,
        I’m not sure if I’m getting the question.
        My assumption of the first frame was from PC1 to PC2
        (SW2 should flood the frame to PC3 & PC2, but don’t care), however I assume that SW2 learned PC1 MAC.
        Second frame is PC3 to PC2.
        So when the switch received the 2nd frame, SW2 learned PC3, (SW2 MAC table=PC1 + PC3).
        so why would 2nd frame be flooded if SW2 has 2 entries?
        If my assumptions are correct,
        yes the frame will be send out to PC2. but why to B?

        Thanks again for your response.

        Reply to this comment
        • CCENTSkills August 30, 10:49

          Hi Anna,
          Couple of ideas that might connect the dots.

          Yep, I agree, maybe a thorough read of the question would help. You stated that you assumed what the first frame was from PC1 to PC2, but the question states it was from PC1 to PC3. However, that mistaken assumption actually would not change the answer…

          Your further comments are 100% correct until you ask the question “so why would the 2nd frame be flooded”. You stated the exact reasons why above that line. Why?

          The mac table lists PC1 and PC3, but not PC2
          The 2nd frame has a destination MAC of PC2’s MAC
          Therefore, the switch’s forwarding logic does NOT match an entry in the MAC table…
          So the switch floods the frame.

          Does that connect it all? If not, maybe drawing the frames with source and destination MAC addresses?

          Reply to this comment
          • Anna August 30, 17:28

            Hi Wendell,
            Thank you very much for taking time answering my questions.
            I am learning a lot on this blog.
            I went back to your book (CCENT/CCNA) and read that switch can either flood or filter (not forward) the frame..
            So, now I see..
            Maybe cisco can create another rule for switch, by send ing the frame only to the port/ports not listed in the mac table instead of flooding it.


  2. Rade March 2, 02:43

    Hi Wendell,

    could you please clarify once more this situation as i am totally confused?

    I understand that SW will flood the frame in case PC3 sends to PC2 and SW doesn’t know PC2 MAC. This is all clear in situation SW does not know PC2 MAC.

    But why SW did not flood frame and learn PC2 MAC for the first time, when PC1 sends the frame to 2222.2222.2222 which is PC2 MAC?


    Reply to this comment
    • CCENTSkills March 2, 06:53

      Hi Rade,
      Sure. The reason is that learning is based on the source MAC. So, that frame sent “from” aka source MAC of PC1, sent “to” destination MAC of PC2’s MAC, causes the switch to learn PC1’s MAC. It doesn’t cause the switch to learn PC2’s MAC. PC2 has to send aka be the source MAC of a frame before the switch would learn PC2’s MAC.

      Reply to this comment
      • Jo Moreno June 5, 21:27

        I’ll admit that I misunderstood the first step which is to not assume a reply occurred from PC2 on this scenario before PC3 sent it’s frame into the switch. However, the answer “B” is incorrect because the switch already knows PC 1’s address. The question asks about something that occurs when the 2nd frame is processed which means the MAC learning that occurred from the first frame would rule out B as an answer. I love that I have the ability now to critically think about the answers provided on this post! CCNA 200-301 was excellently written and has solidified the once shaky understanding I had of networking from previous undergrad studies and certification study resources. Thank you for this wonderful study material!

        Reply to this comment
        • certskills Author June 16, 17:14

          Hi Jo,
          Thanks much for the kind words! Great to hear the books have been a help!
          On answer B… it is correct, by the way. The logic on that second frame is “I do not see the destination MAC in the MAC table, so flood out all other ports in the VLAN.” The presence of a learned MAC address on port F0/1 does not prevent the switch from flooding the frame out that port. EG, another switch could exist off that port, so that the switch would need to flood the frame so it can reach the destination (assuming it was on that presumptive switch connected to port F0/1.) Hope this helps…

          Reply to this comment
  3. bavthethy April 26, 16:35

    Hi Wendell,

    I’ve just gone through this question and appeared to have stumbled at the same hurdle as others, and I think I can see why.

    First of all in the Cisco press book in chapter 7 it says “The idea is simple:if you do not know where to send it, send it everywhere, to deliver the frame. And, by theway, that device will likely then send a reply—and then the switch can learn that device’s MAC address, and forward future frames out one port as a known unicast frame.”

    Going back to the question, the 1st frame is from PC1 to MAC 2222.2222.2222 (the MAC of PC2). SW1 will learn PC1’s MAC but then at that point if the above course text extract is taken literally then the SW should flood the frame out Fa0/2 and Fa0/3 in an attempt to learn the MAC of PC2. PC2 should then reply to the SW (again as per the course text) and in the process SW will learn the MAC address for PC2.

    After reading your explanation a few times I can see that the question is subtely wording such that that the 2nd frame is sent right after the 1st frame. But again I don’t follow why the switch chooses to flood after the 2nd frame, but not the 1st frame given they are both destined for 2222.2222.2222. Why does SW choose to flood after frame 2 but not frame 2?

    I’m wondering if maybe your question is wrong and the 1st frame should actually be going to 3333.3333.3333, as you also mentioned in answer to Anna that PC1 is actually sending a frame to PC3. The question clearly says 2222.2222.2222, which is the MAC of PC2, not PC3.

    Is that right? In your answer you’ve said for the 1st frame “We don’t care where this frame was forwarded, at least for this question”, but you’ve listed the same MAC (2222.2222.2222) as where the 2nd frame was addressed to, so I think that changes things.

    Can you confirm please?

    Reply to this comment
    • CCENTSkills April 27, 07:33

      Thanks for the note.
      I lost you on your 3rd paragraph, which ends with “why does SW choose to flood after frame 2 but not frame 2?” But let me take a guess.

      The question spells out the first two frames, in the order they occur. While I agree that if frame 1 is received by PC2, that if PC2 is up and working, that PC2 will probably make a reply. However, that reply isn’t the 2nd frame in the scenario. I think that might be where your analysis differs from the question.
      Instead, taken as literally stated in the question:
      frame 1 is sent, destination PC2. PC2’s MAC isn’t in the switch’s MAC table, so the switch floods the frame.
      frame 2 is sent, destination PC2. PC2’s MAC isn’t in the switch’s MAC table, so the switch floods the frame.

      Make sense?

      If instead the question had listed frame 2 as the reply from PC2 (source) to PC1 (destination), then it’s a difference answer, because the switch learned an entry for PC1’s MAC as a side effect of frame 1.

      Hope this helps,

      Reply to this comment
      • bavthethy April 27, 08:46

        Exactly. I was taking the question literally and assuming that frame 1 would be flooded, resulting in PC2 replying and then the switch knowing about the PC2 MAC, which is why the answer confused me. I assumed that because the book talks about in that scenario and says the device would usually reply.

        Reply to this comment
  4. Sunny June 18, 03:32

    how could we understand when we care forwarding of a frame and when we don’t?

    Reply to this comment
  5. Nathanoj December 5, 12:44

    Why would the switch flood the frame to fa0/1 if SW1 already knows that Fa0/1 has a device with a mac address of 1111.1111.1111

    I wonder it is because you can connect more than one device in one of the switch ports? Am I correct? BTW thank you of showing how such easy looking problem is harder than it appears.

    Reply to this comment
    • CCENTSkills December 18, 10:30

      Your last comment first – that’s exactly the kind of thing people miss, but don’t even know they missed it. Those are hard to uncover and learn – and precisely why I ask these kinds of problems!

      To your initial question, I’d say that’s the motivation. EG, that link could be connected to another switch even, or to another switch which connects to countless switches with countless devices with different MACs. The literal reason is that the logic doesn’t include a check for “are other MAC’s known” – but as you rightly noted, the underlying reason is that we need to flood out those links anyway, just in case the device using that MAC is out there somewhere.

      Reply to this comment
  6. Thorsama October 9, 04:48

    Sneaky question indeed, many would assume that PC2 replies to the first frame (myself included), and as such the switch would hold the MAC address in its mac address table.

    This is not explicitly written tho, so the second frame also destined to PC2 will be flooded.

    Reformulating the question to be more obvious would help many answer it correctly. However I think the point of the question is to get you analysing/thinking, which is probbably worth more than answering the question correctly.

    Reply to this comment
    • CCENTSkills October 24, 10:39

      I agree that learning is far more important than getting a question right when practicing. That said, I could improve the question enough so it’s clear that while PC2 will reply to PC1, timing-wise, maybe the frame sent by PC3 arrived before PC2 replied. Contrived of course, but makes the point.

      Reply to this comment
  7. Austin June 25, 15:51

    Im not sure if this has already been suggest, (by the way love this content), but it would helpful if you posted the topology in the answer as well!

    that’s all!

    Reply to this comment
  8. Austin June 25, 15:54

    So we are to assume that PC2 did not reply to PC1s frame before PC3 sent it’s frame. Correct?

    Reply to this comment
    • certskills Author June 26, 11:06

      Austin – yes. Admittedly contrived, but hopefully for a good purpose. 🙂

      Reply to this comment
      • Zuhail September 30, 22:52

        I get it , why so many Wendell’s fans (including me) are getting confused here , we’re confusing this with an arp broadcast cuz in that case the intended recipient sends a *packet* backt tell it’s own Mac address (because that’s the whole purpose of Arp) but for a simple frame forwarding , a switch just flood the frame out all interfaces except one obviously, it doesn’t matter if PC2 replied us back or not, at all!
        I really love Cisco certification tracks and I hope to work there one day !

        Reply to this comment
  9. kutay October 25, 02:04

    After ARP request from PC1 something bad must have happened to the switch, otherwise the mac table wouldn’t be empty 😀

    Reply to this comment
  10. Picard May 30, 18:41

    Hello Wendell,‎

    I hope all is well.‎

    I am slightly confused by the answer. Just to double check switches builds their MAC Address ‎table/ Learns by source mac addresses. I know they can learn/build their MAC address tables from ‎other switches. However, for the sake of this question, I will limit it to just by source MAC ‎addresses.‎

    You stated:‎

    The PC1 creates and sends a frame with a destination address of 2222.2222.2222.‎

    At that point the switch learns that:‎
    Source MAC address is 1111.1111.1111 and it’s port is fa0/1 and it makes this entry into it’s mac ‎address table.

    Since the switch doesn’t know the destination mac address it will flood all the ports apart from ‎fa0/1‎
    This will cause PC 2 to receive the frame BUT HAS NOT RESPONDED in which case the switch will not ‎make an entry for pc 2 and its MAC ADDRESS.‎

    The you said:

    Then PC3 creates and sends a frame destined for PC2’s MAC address of 2222.2222.2222‎

    At that point:

    It learns (like I said it Learns by source mac address) that PC3 its MAC Address is 3333.3333.33333 ‎and its port is FA0/3.‎

    Now that the switch needs to forward the frame to 2222.2222.2222. but doesn’t knowwhere it lies ‎but it KNOWS PC1’s MAC address of 1111.1111.1111and its port is fa0/1 and PC3 and it’s MAC ‎address 3333.3333.33333 and its port is FA0/3.‎

    This only leaves port FA0/2‎

    Reply to this comment
    • Chris June 1, 11:11

      Hello Captain!
      A switch forwards or floods based on the entries in the MAC address table.
      The switch does not filter based on those entries.
      The switch receives a frame and enters the source MAC address into the MAC address table.
      Then the switch compares the destination MAC address in the frame to the entries in the MAC address table. If there is a match the frame is forwarded out the correct port only.
      If none of the entries in the MAC address table match the destination MAC address in the frame, the switch floods the frame out all ports except the port the frame arrived on.
      It is possible to have more than 1 host connected to a port on a switch. There could be another switch on that port with many more hosts connected to it’s ports.

      Reply to this comment
    • certskills Author June 1, 12:31

      Hi Picard,
      What Chris wrote, plus:
      I think your logic is good until what I think you meant by your last two paragraphs. It’s a common mistake. I’m agree that:
      -Switch has entry for PC1 out F0/1
      -Switch has entry for PC3 out F0/3
      -Switch needs to forward frame to PC2; frame arrived on F0/3
      The logic is “flood out other ports”, which means F0/1 and F0/2.
      You appear to be applying logic like “switch already knows of an address on F0/1, so I can’t forward out that port”, which isn’t part of the switch’s logic. It is simply “if destination is not matched, flood the frame”.
      Hope this helps,

      Reply to this comment
  11. imaximumax June 30, 04:21

    After PC1 sends the first frame which will be flooded , 2 MAC addresses will be added to the SW1 table .

    PC1 MAC address = Because this is the port where the first frame came from

    PC2 MAC address = Because when there is a flood of frames we expect an answer from all the PCs to respond if the the frame was for them or not . And in this case , normally PC2 should answer with “Yes , this frame was for me ” which will result in the switch learning its MAC address .

    So , when the second frame from PC3 reaches the SW1 , we already got the addresses of PC1 and PC2 , and the only address that will be added to the MAC table is PC3 MAC address .

    And the SW1 is aware of all devices in the LAN , which means the only answer is C .

    Reply to this comment
  12. Almeida October 1, 15:46

    Hi Wendell,
    I’ve been reading some comments, and I guess we are confusing ourselves because we have the concept that when a frame is sent by a host(PC1), the receiving host(PC2) replies back and then creating another table entry. I agree with the answers given. But it would be more clear to specify that PC2 does not reply back to the frame sent.

    Thank you.

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.