Switch Learning Vs. Switch Forwarding: Answer

certskills
By certskills May 9, 2014 09:05

Today’s post wraps up this latest sample #CCENT exam question. Answer is below the fold.

Relevant Links:

The Answers

B, C

The Explanation

First, the switch’s MAC table is empty.

Then, PC1 sends a frame, source MAC address 1111.1111.1111, arriving in port F0/1. As a result, the MAC table now lists PC1’s MAC off port F0/1. (We don’t care where this frame was forwarded, at least for this question).

Then, PC3 sends a frame, source of 3333.3333.3333, destination of PC2’s MAC. The frame arrives at the switch in port F0/3. So, the MAC table now lists PC3’s MAC off port F0/3.

The question asks: where does the switch forward this second frame, which has a destination address of 2222.2222.2222.

Per the MAC table at the instant the frame arrives, PC2’s MAC is not in the MAC table. So, the switch floods the frame.

In this case, flooding the frame in VLAN 1 means: forwarding out ports F0/1 and F0/2, but not out port F0/3, because the frame arrived in F0/3.

Switch Learning Vs. Switch Forwarding - Analysis
Switch Forwarding of Frame From Host to Gateway
certskills
By certskills May 9, 2014 09:05
Write a comment

36 Comments

  1. Anna August 26, 23:51

    Hi Wendell,

    Per my understanding, when the second frame arrives the MAC table already has PC1 and learned PC3 MAC (2 entries & ports )
    Can the switch filter and forward the frame only to PC2?
    If the PC1 entry expired in mac table, then flooding occurs and forwarding the frame to pc1 & pc2 sounds correct.
    If i see the similar question in the test, i will answer PC2 whatever port it’s connected to.

    Thanks,
    Anna

    Reply to this comment
    • CCENTSkills August 29, 10:38

      Hi Anna,
      On this specific question, because the switch has not learned PC2’s MAC yet, SW2 will flood that second frame. One key here is that learning happens based on the source MAC, and PC2 hasn’t yet sent a frame. So, that 2nd frame as referenced in the question, destined to PC2’s MAC address, would be flooded.

      Hope this helps,
      Wendell

      Reply to this comment
      • Anna August 29, 17:53

        Hi Wendell,
        I’m not sure if I’m getting the question.
        My assumption of the first frame was from PC1 to PC2
        (SW2 should flood the frame to PC3 & PC2, but don’t care), however I assume that SW2 learned PC1 MAC.
        Second frame is PC3 to PC2.
        So when the switch received the 2nd frame, SW2 learned PC3, (SW2 MAC table=PC1 + PC3).
        so why would 2nd frame be flooded if SW2 has 2 entries?
        If my assumptions are correct,
        yes the frame will be send out to PC2. but why to B?

        Thanks again for your response.
        Anna

        Reply to this comment
        • CCENTSkills August 30, 10:49

          Hi Anna,
          Couple of ideas that might connect the dots.

          Yep, I agree, maybe a thorough read of the question would help. You stated that you assumed what the first frame was from PC1 to PC2, but the question states it was from PC1 to PC3. However, that mistaken assumption actually would not change the answer…

          Your further comments are 100% correct until you ask the question “so why would the 2nd frame be flooded”. You stated the exact reasons why above that line. Why?

          The mac table lists PC1 and PC3, but not PC2
          The 2nd frame has a destination MAC of PC2’s MAC
          Therefore, the switch’s forwarding logic does NOT match an entry in the MAC table…
          So the switch floods the frame.

          Does that connect it all? If not, maybe drawing the frames with source and destination MAC addresses?

          Reply to this comment
          • Anna August 30, 17:28

            Hi Wendell,
            Thank you very much for taking time answering my questions.
            I am learning a lot on this blog.
            I went back to your book (CCENT/CCNA) and read that switch can either flood or filter (not forward) the frame..
            So, now I see..
            Maybe cisco can create another rule for switch, by send ing the frame only to the port/ports not listed in the mac table instead of flooding it.

            Thanks,
            Anna

  2. Rade March 2, 02:43

    Hi Wendell,

    could you please clarify once more this situation as i am totally confused?

    I understand that SW will flood the frame in case PC3 sends to PC2 and SW doesn’t know PC2 MAC. This is all clear in situation SW does not know PC2 MAC.

    But why SW did not flood frame and learn PC2 MAC for the first time, when PC1 sends the frame to 2222.2222.2222 which is PC2 MAC?

    Thanks
    Rade

    Reply to this comment
    • CCENTSkills March 2, 06:53

      Hi Rade,
      Sure. The reason is that learning is based on the source MAC. So, that frame sent “from” aka source MAC of PC1, sent “to” destination MAC of PC2’s MAC, causes the switch to learn PC1’s MAC. It doesn’t cause the switch to learn PC2’s MAC. PC2 has to send aka be the source MAC of a frame before the switch would learn PC2’s MAC.
      Wendell

      Reply to this comment
      • Jo Moreno June 5, 21:27

        I’ll admit that I misunderstood the first step which is to not assume a reply occurred from PC2 on this scenario before PC3 sent it’s frame into the switch. However, the answer “B” is incorrect because the switch already knows PC 1’s address. The question asks about something that occurs when the 2nd frame is processed which means the MAC learning that occurred from the first frame would rule out B as an answer. I love that I have the ability now to critically think about the answers provided on this post! CCNA 200-301 was excellently written and has solidified the once shaky understanding I had of networking from previous undergrad studies and certification study resources. Thank you for this wonderful study material!

        Reply to this comment
        • certskills Author June 16, 17:14

          Hi Jo,
          Thanks much for the kind words! Great to hear the books have been a help!
          On answer B… it is correct, by the way. The logic on that second frame is “I do not see the destination MAC in the MAC table, so flood out all other ports in the VLAN.” The presence of a learned MAC address on port F0/1 does not prevent the switch from flooding the frame out that port. EG, another switch could exist off that port, so that the switch would need to flood the frame so it can reach the destination (assuming it was on that presumptive switch connected to port F0/1.) Hope this helps…

          Reply to this comment
  3. bavthethy April 26, 16:35

    Hi Wendell,

    I’ve just gone through this question and appeared to have stumbled at the same hurdle as others, and I think I can see why.

    First of all in the Cisco press book in chapter 7 it says “The idea is simple:if you do not know where to send it, send it everywhere, to deliver the frame. And, by theway, that device will likely then send a reply—and then the switch can learn that device’s MAC address, and forward future frames out one port as a known unicast frame.”

    Going back to the question, the 1st frame is from PC1 to MAC 2222.2222.2222 (the MAC of PC2). SW1 will learn PC1’s MAC but then at that point if the above course text extract is taken literally then the SW should flood the frame out Fa0/2 and Fa0/3 in an attempt to learn the MAC of PC2. PC2 should then reply to the SW (again as per the course text) and in the process SW will learn the MAC address for PC2.

    After reading your explanation a few times I can see that the question is subtely wording such that that the 2nd frame is sent right after the 1st frame. But again I don’t follow why the switch chooses to flood after the 2nd frame, but not the 1st frame given they are both destined for 2222.2222.2222. Why does SW choose to flood after frame 2 but not frame 2?

    I’m wondering if maybe your question is wrong and the 1st frame should actually be going to 3333.3333.3333, as you also mentioned in answer to Anna that PC1 is actually sending a frame to PC3. The question clearly says 2222.2222.2222, which is the MAC of PC2, not PC3.

    Is that right? In your answer you’ve said for the 1st frame “We don’t care where this frame was forwarded, at least for this question”, but you’ve listed the same MAC (2222.2222.2222) as where the 2nd frame was addressed to, so I think that changes things.

    Can you confirm please?

    Reply to this comment
    • CCENTSkills April 27, 07:33

      Hi,
      Thanks for the note.
      I lost you on your 3rd paragraph, which ends with “why does SW choose to flood after frame 2 but not frame 2?” But let me take a guess.

      The question spells out the first two frames, in the order they occur. While I agree that if frame 1 is received by PC2, that if PC2 is up and working, that PC2 will probably make a reply. However, that reply isn’t the 2nd frame in the scenario. I think that might be where your analysis differs from the question.
      Instead, taken as literally stated in the question:
      frame 1 is sent, destination PC2. PC2’s MAC isn’t in the switch’s MAC table, so the switch floods the frame.
      frame 2 is sent, destination PC2. PC2’s MAC isn’t in the switch’s MAC table, so the switch floods the frame.

      Make sense?

      If instead the question had listed frame 2 as the reply from PC2 (source) to PC1 (destination), then it’s a difference answer, because the switch learned an entry for PC1’s MAC as a side effect of frame 1.

      Hope this helps,
      Wendell

      Reply to this comment
      • bavthethy April 27, 08:46

        Exactly. I was taking the question literally and assuming that frame 1 would be flooded, resulting in PC2 replying and then the switch knowing about the PC2 MAC, which is why the answer confused me. I assumed that because the book talks about in that scenario and says the device would usually reply.

        Reply to this comment
  4. Sunny June 18, 03:32

    how could we understand when we care forwarding of a frame and when we don’t?

    Reply to this comment
  5. Nathanoj December 5, 12:44

    Why would the switch flood the frame to fa0/1 if SW1 already knows that Fa0/1 has a device with a mac address of 1111.1111.1111

    I wonder it is because you can connect more than one device in one of the switch ports? Am I correct? BTW thank you of showing how such easy looking problem is harder than it appears.

    Reply to this comment
    • CCENTSkills December 18, 10:30

      Nathan,
      Your last comment first – that’s exactly the kind of thing people miss, but don’t even know they missed it. Those are hard to uncover and learn – and precisely why I ask these kinds of problems!

      To your initial question, I’d say that’s the motivation. EG, that link could be connected to another switch even, or to another switch which connects to countless switches with countless devices with different MACs. The literal reason is that the logic doesn’t include a check for “are other MAC’s known” – but as you rightly noted, the underlying reason is that we need to flood out those links anyway, just in case the device using that MAC is out there somewhere.
      Wendell

      Reply to this comment
  6. Thorsama October 9, 04:48

    Sneaky question indeed, many would assume that PC2 replies to the first frame (myself included), and as such the switch would hold the MAC address in its mac address table.

    This is not explicitly written tho, so the second frame also destined to PC2 will be flooded.

    Reformulating the question to be more obvious would help many answer it correctly. However I think the point of the question is to get you analysing/thinking, which is probbably worth more than answering the question correctly.

    Reply to this comment
    • CCENTSkills October 24, 10:39

      Thorsama,
      I agree that learning is far more important than getting a question right when practicing. That said, I could improve the question enough so it’s clear that while PC2 will reply to PC1, timing-wise, maybe the frame sent by PC3 arrived before PC2 replied. Contrived of course, but makes the point.
      Thanks,
      Wendell

      Reply to this comment
  7. Austin June 25, 15:51

    Im not sure if this has already been suggest, (by the way love this content), but it would helpful if you posted the topology in the answer as well!

    that’s all!

    Reply to this comment
  8. Austin June 25, 15:54

    So we are to assume that PC2 did not reply to PC1s frame before PC3 sent it’s frame. Correct?

    Reply to this comment
    • certskills Author June 26, 11:06

      Austin – yes. Admittedly contrived, but hopefully for a good purpose. 🙂
      Wendell

      Reply to this comment
      • Zuhail September 30, 22:52

        I get it , why so many Wendell’s fans (including me) are getting confused here , we’re confusing this with an arp broadcast cuz in that case the intended recipient sends a *packet* backt tell it’s own Mac address (because that’s the whole purpose of Arp) but for a simple frame forwarding , a switch just flood the frame out all interfaces except one obviously, it doesn’t matter if PC2 replied us back or not, at all!
        THANKS SO MUCH FOR BRUSHING UP MY SKILLS .
        I really love Cisco certification tracks and I hope to work there one day !

        Reply to this comment
  9. kutay October 25, 02:04

    After ARP request from PC1 something bad must have happened to the switch, otherwise the mac table wouldn’t be empty 😀

    Reply to this comment
  10. Picard May 30, 18:41

    Hello Wendell,‎

    I hope all is well.‎

    I am slightly confused by the answer. Just to double check switches builds their MAC Address ‎table/ Learns by source mac addresses. I know they can learn/build their MAC address tables from ‎other switches. However, for the sake of this question, I will limit it to just by source MAC ‎addresses.‎

    You stated:‎

    The PC1 creates and sends a frame with a destination address of 2222.2222.2222.‎

    At that point the switch learns that:‎
    Source MAC address is 1111.1111.1111 and it’s port is fa0/1 and it makes this entry into it’s mac ‎address table.

    Since the switch doesn’t know the destination mac address it will flood all the ports apart from ‎fa0/1‎
    This will cause PC 2 to receive the frame BUT HAS NOT RESPONDED in which case the switch will not ‎make an entry for pc 2 and its MAC ADDRESS.‎

    The you said:

    Then PC3 creates and sends a frame destined for PC2’s MAC address of 2222.2222.2222‎

    At that point:

    It learns (like I said it Learns by source mac address) that PC3 its MAC Address is 3333.3333.33333 ‎and its port is FA0/3.‎

    Now that the switch needs to forward the frame to 2222.2222.2222. but doesn’t knowwhere it lies ‎but it KNOWS PC1’s MAC address of 1111.1111.1111and its port is fa0/1 and PC3 and it’s MAC ‎address 3333.3333.33333 and its port is FA0/3.‎

    This only leaves port FA0/2‎

    Reply to this comment
    • Chris June 1, 11:11

      Hello Captain!
      A switch forwards or floods based on the entries in the MAC address table.
      The switch does not filter based on those entries.
      The switch receives a frame and enters the source MAC address into the MAC address table.
      Then the switch compares the destination MAC address in the frame to the entries in the MAC address table. If there is a match the frame is forwarded out the correct port only.
      If none of the entries in the MAC address table match the destination MAC address in the frame, the switch floods the frame out all ports except the port the frame arrived on.
      It is possible to have more than 1 host connected to a port on a switch. There could be another switch on that port with many more hosts connected to it’s ports.

      Reply to this comment
    • certskills Author June 1, 12:31

      Hi Picard,
      What Chris wrote, plus:
      I think your logic is good until what I think you meant by your last two paragraphs. It’s a common mistake. I’m agree that:
      -Switch has entry for PC1 out F0/1
      -Switch has entry for PC3 out F0/3
      -Switch needs to forward frame to PC2; frame arrived on F0/3
      The logic is “flood out other ports”, which means F0/1 and F0/2.
      You appear to be applying logic like “switch already knows of an address on F0/1, so I can’t forward out that port”, which isn’t part of the switch’s logic. It is simply “if destination is not matched, flood the frame”.
      Hope this helps,
      Wendell

      Reply to this comment
  11. imaximumax June 30, 04:21

    After PC1 sends the first frame which will be flooded , 2 MAC addresses will be added to the SW1 table .

    PC1 MAC address = Because this is the port where the first frame came from

    PC2 MAC address = Because when there is a flood of frames we expect an answer from all the PCs to respond if the the frame was for them or not . And in this case , normally PC2 should answer with “Yes , this frame was for me ” which will result in the switch learning its MAC address .

    So , when the second frame from PC3 reaches the SW1 , we already got the addresses of PC1 and PC2 , and the only address that will be added to the MAC table is PC3 MAC address .

    And the SW1 is aware of all devices in the LAN , which means the only answer is C .

    Reply to this comment
  12. Almeida October 1, 15:46

    Hi Wendell,
    I’ve been reading some comments, and I guess we are confusing ourselves because we have the concept that when a frame is sent by a host(PC1), the receiving host(PC2) replies back and then creating another table entry. I agree with the answers given. But it would be more clear to specify that PC2 does not reply back to the frame sent.

    Thank you.

    Reply to this comment
  13. brahooke July 7, 21:34

    Wendell, this question really showed how difficult it must be for the CCNA committee to write exam questions and to word it to not be interpreted in the wrong way. Like many people on here I only chose answer C and did not think B would also be included. I thought that ICMP replies from PC2 would update the switches MAC table for 1111.1111.1111 after the first frame was switched between the two hosts. Does the CCNA ask questions like you ended this one with (Select all answers that are correct)? I hope it is easier and would only say (choose two correct answers). Then I would have deduced the only other answer could be B because A and D are clearly wrong. Again great question that really makes you think. I was glad to get it wrong because I learned the lesson of wording tricks that might be the reason between a pass and a fail on exam day.

    Reply to this comment
    • brahooke July 8, 15:38

      Sorry, ICMP is layer 3. I’m still learning. I don’t know what to call layer 2 replies. Maybe ARP? When I use physical switch the MAC table populates just by connecting to it so I get confused with the whole replying thing and when the switch learns. Is it either a link status after a given amount of time or a frame movement that the switch knows the MAC address?

      Reply to this comment
      • certskills Author July 15, 09:44

        On your question that begins “Sorry, ICMP…”
        I don’t know what you mean by layer 2 replies, either. I think instead, think about what the user is doing at higher layers, and then think: eventually, that will result in the host sending an Ethernet frame. EG, the user opens a browser and types in a URI, eg http://www.certskills.com. HTTP builds an HTTP GET request, but first needs to ask TCP to create a TCP connection. TCP on the host initiates a TCP Connection, meaning it must ask IP to send a packet. IP may need to perform name resolution, or not, depending on whether http://www.certskills.com is already in the host’s name cache or not. If already there, IP can send the packet to the server (if in the same subnet) or to the default gateway. In either case, the IP protocol on the host checks the ARP cache to make sure it has a matching entry, and if not, ARPs to learn the right entry. Once that ARP entry exists, the host can send the IP packet that holds the first TCP segment (which begins the TCP connection)… which is encapsulated in an Ethernet frame. Whew.

        Maybe you’re thinking “some bit of layer 2 logic must kick in to cause a reply”. In reality, it’s user or app actions that cascade into causing stuff like the above. At the tail end of it all, MAC learning is a very simple and easy thing – every incoming Ethernet frame, look at the source MAC and add/update the MAC table.

        Hope this helps.

        Reply to this comment
    • certskills Author July 15, 09:37

      Brahooke,
      Just to put some reality to it, and probably give you good reason to relax, I wouldn’t worry so much about question wording on the real exam. For practice questions, I try to make them clear, but for the blog, I also rely on the fact that they are easy to message about and change. So, less scrutiny from me up front. Also, Cisco exams tend to have concise, well worded, well reviewed questions. Also, Cisco exams always tell you how many correct answers to choose, and even will not let you choose too many (ever) or too few (unless you ignore theirwarnings to finish answering.)
      For this blog, in particular, I’d rather ask a little longer question like this that makes you think about something and explore so that you get a deeper understanding. I agree this question is a little confusing. But I also think it’s a good chance to get people to slow down and think about the steps and avoid jumping to assumptions rather than scanning for what’s stated.

      Reply to this comment
  14. GJM November 3, 23:45

    I think I understand what you have gone over and replied to everyone in varying ways (the same answer) at least a dozen times.

    You ask us to read the question and interpret it literally. As in you did not state that PC2 replied to the first frame. So not to assume that PC2 replied to the original flooding of the packet.

    The question only states that PC1 and PC3 have sent frames so that the switch only knows of those 2 MAC’s/incoming interfaces.

    I guess I dont fully understand the switches logic if it already knows there is a MAC/IP/Host connected to fa0/1 why would it send/flood the frame there.

    Reply to this comment
    • Wendell Odom November 4, 18:58

      GJM,
      Yeah, honestly, if I had unlimited time to devote to the blog, I’d probably try and make questions like this a little less literal. It’s my nature to think literally, moreso than most, and it’s probably a little unfair as written. That said, as long as you work through it and understand, learn something, it’s still useful, so I keep it around.
      You closed with a comment to say you don’t understand something. So… On that: The short version is that switches can and do learn more than one MAC address on a port sometimes. So, the switches just don’t have logic as you describe, what I would summarize as “since I know 1 MAC on a port, don’t flood out that port.” It’s just not what they do.
      When would a switch learn multiple MACs on a port? On any port connected to another switch. So you’re probably thinking about the case of a switch connected to an end-user device, just one device, so we know it will learn only one MAC there. But connect two switches, say SW1 and SW2, with a bunch of end-user devices connected to each, and the interface on SW1 that connects to SW2 will eventually learn all the MACs off SW2, and vice versa. As an example.
      Hope that helps,
      Wendell

      Reply to this comment
      • GJM November 4, 19:13

        I thought about it some more after working through the other labs/scenarios for this chapter late last night on this blog and it made more sense at the end. The way I’m understanding it now which is basically what you said – the switch is going to flood the packet for any unknown mac address. Regardless if it already learned of 1 mac on a particular port. I guess the logic is that the switch has no idea if there is a switch with multiple devices on that single port like you said.

        Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories