Imagine joining a new company where you know no one. On your first day, you don't have a directory of names and desk locations. But as colleagues introduce themselves, you gradually build a mental map: "Sarah sits near the window, Mike is in the corner office, the accounting team is on the third floor."

Network bridges face exactly this challenge—but they must solve it completely automatically, without any human intervention. When a bridge powers on, its forwarding database is empty. It knows nothing about which MAC addresses are reachable through which ports. Yet within seconds of network activity beginning, the bridge builds an accurate map of the network topology.

This remarkable capability is called MAC address learning, and it's one of the foundational technologies that makes modern Ethernet networks practical and scalable.

The MAC address learning algorithm is elegantly simple, yet remarkably effective. Every frame that arrives at a bridge carries information about the network topology: the source MAC address tells the bridge which device sent the frame, and the receiving port tells the bridge which direction that device is located.

The Fundamental Insight

Consider this: if a frame with source address AA:BB:CC:11:22:33 arrives on Port 1, then the device with that MAC address must be reachable through Port 1. The bridge can confidently add this information to its forwarding database. Later, when a frame arrives with destination AA:BB:CC:11:22:33, the bridge knows to forward it through Port 1.

This learning happens passively—the bridge doesn't need to send any special frames or request information from hosts. It simply observes normal network traffic and extracts topology information.

Step-by-Step Learning Process

When a frame arrives at a bridge port, the learning process follows these exact steps:

Step 1: Extract Source MAC Address

The bridge reads the 6-byte source MAC address field from the frame header. This address identifies the device that transmitted the frame.

Step 2: Search Forwarding Database

The bridge searches its forwarding database for an existing entry matching this source MAC address.

Step 3: Update or Create Entry

Three outcomes are possible:

Case A: No Entry Exists

Create a new entry associating the MAC address with the receiving port. Initialize the aging timer for this entry.

Case B: Entry Exists with Same Port

The device hasn't moved. Simply reset the aging timer to indicate the address is still active.

Case C: Entry Exists with Different Port

The device has moved to a different segment. Update the entry to reflect the new port and reset the aging timer. This situation is called a MAC move and is important for understanding dynamic topologies.

The forwarding database (FDB), also called the MAC address table or CAM table (Content Addressable Memory), is the data structure at the heart of bridge operation. Its design directly impacts lookup performance, scalability, and functionality.

Entry Components

Each entry in the forwarding database contains:

1. MAC Address (48 bits): The unique hardware address of a network interface
2. Port Number: Which bridge port leads to this MAC address
3. Age/Timestamp: When the entry was last refreshed (for aging)
4. Entry Type: Dynamic (learned) or Static (manually configured)
5. VLAN ID (in VLAN-aware bridges): Which VLAN this entry applies to
6. Flags: Additional status information (e.g., multicast, blacklisted)

Implementation with Content Addressable Memory (CAM)

For hardware-based switches, the forwarding database is typically implemented using CAM or TCAM (Ternary CAM):

Binary CAM

Binary CAM allows searching by exact match in constant time O(1). The hardware compares the search key (destination MAC address) against all stored addresses simultaneously in a single clock cycle.

• All entries are compared in parallel
• Match found in 1 clock cycle (typically 5-15 ns)
• Very fast but power-hungry and expensive
• Typical capacity: 16K - 512K entries

Hash Table Alternative

Software bridges and some hardware implementations use hash tables:

• Hash the MAC address to get a bucket index
• Search within the bucket (typically small)
• Average case O(1), worst case O(n) if poorly designed
• More flexible and cost-effective
• Common in software switches and low-cost hardware

While the basic learning algorithm is straightforward, several real-world scenarios require careful handling.

Scenario 1: Network Bootstrap (Cold Start)

When a bridge first powers on or reboots:

• The forwarding database is completely empty
• All frames are flooded (no learned destinations)
• Network appears to work, but bandwidth is wasted
• Traffic patterns cause rapid learning
• Within seconds, most active addresses are learned
• Flooding rate decreases as table populates

This is why bridges work immediately after power-on, even without configuration. The flooding behavior ensures packets are delivered while learning catch-up occurs.

Scenario 3: Duplicate MAC Addresses

While MAC addresses are supposed to be globally unique, duplicates can occur:

• Manufacturing defects or counterfeiting
• Virtual machine cloning without MAC regeneration
• Malicious MAC spoofing attacks
• Legacy systems with configurable MACs

When duplicates exist, the bridge will continuously "flap" the entry between ports as traffic arrives from both locations. This causes:

• Some traffic to be misdirected
• Excessive CPU load from constant table updates
• Log spam from MAC move notifications
• Network instability for both duplicate devices

Most switches detect rapid MAC flapping and can take action (logging, port shutdown, notification).

Scenario 4: Multicast and Broadcast Addresses

Special addresses require special handling:

Broadcast (FF:FF:FF:FF:FF:FF)

Broadcast addresses are never learned because:

• They don't identify a specific source device
• Learning them would create a nonsensical entry
• Broadcasts are always flooded by design

Multicast (01:xx:xx:xx:xx:xx)

Multicast addresses have the group bit set (LSB of first byte = 1). Basic handling:

• Never learned (no single source location)
• Flooded like unknown unicast
• With IGMP snooping, forwarded only to subscribed ports

Scenario 5: Unidirectional Traffic

Some traffic is one-way only (device sends but never receives responses):

• Sensor devices that only transmit data
• Monitoring/logging endpoints
• Multicast sources without return traffic

For these devices:

• The bridge learns the source address normally
• Other devices cannot respond if they never send first
• May remain "unknown" and receive flooded traffic forever
• Static entries may be needed for optimization

Every forwarding database has a finite capacity. Understanding what happens when this limit is reached is crucial for network design and security.

Typical Forwarding Database Sizes

Table capacity varies dramatically by device class:

• Consumer switches: 1,000 - 8,000 entries
• Small business switches: 8,000 - 16,000 entries
• Enterprise access switches: 16,000 - 32,000 entries
• Enterprise distribution switches: 64,000 - 128,000 entries
• Data center switches: 128,000 - 512,000+ entries

These limits exist due to CAM hardware constraints and cost trade-offs.

What Happens During Table Overflow?

When the forwarding database is full and a new MAC address needs to be learned:

Strategy 1: Reject New Entry

The new address is simply not learned. Consequences:

• Traffic to/from this device continues to be flooded
• Network still functions, but less efficiently
• Bandwidth waste increases
• No visible error to users

Strategy 2: Replace Oldest Entry

Remove the entry with the oldest timestamp and add the new one:

• Ensures active devices remain in table
• Rarely-used entries are sacrificed
• Can cause temporary disruption if removed entry is later needed

Strategy 3: Replace Entry Based on Usage

More sophisticated: track how often each entry is used and replace the least-used entry:

• Better performance under certain traffic patterns
• More complex implementation
• Not commonly implemented in hardware

Monitoring Table Utilization

Network administrators should monitor MAC table usage:

switch# show mac address-table count

MAC Entries for all VLANs:
Dynamic Address Count:    12,847
Static Address Count:     142
Total MAC Addresses:      12,989
Total MAC Entries in Use: 12,989
Total MAC Addresses Available: 32,768
Percent Used: 39.6%

Alerts should trigger when utilization exceeds 70-80% to allow time for capacity planning or investigation of unusual MAC address growth.

Best Practice: Network Segmentation

The best way to manage MAC table capacity is to limit the size of Layer 2 domains:

• Use VLANs to segment broadcast domains
• Route between major network sections
• Each VLAN/segment has independent addressing
• Failures and attacks are contained to smaller scopes

Modern switches implement VLANs (Virtual LANs), which adds complexity to the learning process. A MAC address learned in one VLAN is independent of the same address in another VLAN.

Why VLANs Affect Learning

Consider a network where:

• VLAN 10 (Engineering) has Host A with MAC AA:11:22:33:44:55
• VLAN 20 (Accounting) has Host B with MAC AA:11:22:33:44:55 (same MAC, different VLAN)

In a VLAN-unaware bridge, these would conflict—the table could only store one location for this MAC. But in a VLAN-aware bridge:

• Entry 1: (AA:11:22:33:44:55, VLAN 10) → Port 1
• Entry 2: (AA:11:22:33:44:55, VLAN 20) → Port 5

These are completely independent entries. Frames in VLAN 10 destined for this MAC go to Port 1; frames in VLAN 20 with the same destination go to Port 5.

Shared VLAN Learning (SVL) vs. Independent VLAN Learning (IVL)

IEEE 802.1Q defines two learning modes:

Independent VLAN Learning (IVL)

Each VLAN has a completely separate forwarding database. A MAC address learned in one VLAN has no effect on lookups in other VLANs.

• Maximum isolation between VLANs
• Same MAC can map to different ports in different VLANs
• Higher memory consumption (separate table per VLAN)
• Standard behavior in most modern switches

Shared VLAN Learning (SVL)

All VLANs share a single forwarding database. If a MAC is learned in VLAN 10, it's used for forwarding in VLAN 20 as well.

• Lower memory usage
• Risk of misdirection if same MAC exists in multiple VLANs
• Rarely used in modern implementations
• Was more common in early VLAN-capable switches

The forwarding database can contain two types of entries: dynamic entries learned automatically, and static entries configured manually by administrators.

Dynamic Entries

Dynamic entries are the norm in most networks:

• Created automatically through the learning process
• Subject to aging (expire after a configurable timeout)
• Updated when MAC moves are detected
• Require no administrator intervention
• Form the vast majority of entries in typical networks

Static Entries

Static entries are manually configured and have different properties:

• Never age out (permanent until manually removed)
• Take precedence over dynamic entries
• Used for specific administrative purposes
• Require explicit configuration

Configuration Example

Creating a static entry on a Cisco switch:

switch(config)# mac address-table static aaaa.bbbb.cccc vlan 10 interface gigabitethernet0/1

This creates a permanent entry:

• MAC address AA:AA:BB:BB:CC:CC → GigabitEthernet0/1 in VLAN 10
• Entry will not age out
• Takes precedence over any dynamic learning

Static Entry for Filtering

Static entries can also be used to block traffic:

switch(config)# mac address-table static aaaa.bbbb.cccc vlan 10 drop

Any frame with this source MAC will be dropped, and frames destined for this MAC will be discarded rather than flooded.

While learning seems instantaneous, there are performance considerations that affect how quickly a network converges to optimal forwarding.

Learning Rate Limits

Switches may impose limits on how quickly new entries can be added:

Why Rate Limiting?

• Prevent CPU overload from processing many learning events
• Defend against MAC flooding attacks
• Ensure control plane remains responsive
• Protect hardware resources

Typical Limits

• Enterprise switches: 100-500 new MACs per second per port
• High-performance switches: 1,000+ new MACs per second per port
• Data center switches: 10,000+ new MACs per second total

These limits rarely impact legitimate traffic but provide protection against attacks and misbehaving devices.

Convergence Time After Events

Different network events cause different learning requirements:

Network Bootstrap

After a switch reboot, all entries must be relearned:

• Time to learn = f(number of active MACs, traffic patterns)
• For 1,000 active MACs with regular traffic: 5-30 seconds
• During this time, excessive flooding occurs

Topology Change

After STP topology change:

• Some or all entries may be flushed
• Bridges in changed portion must relearn
• Traffic temporarily flooded
• Recovery time: 1-15 seconds typically

Single Device Move

When one device moves:

• Old entry becomes stale (packets to old port fail)
• First packet from new location triggers update
• Subsequent traffic works normally
• Recovery time: 0-5 seconds (depends on when device transmits)

We've thoroughly explored how bridges build and maintain their forwarding databases. Let's consolidate the essential concepts:

What's Next: Forwarding vs. Filtering

Now that we understand how the forwarding database is built, the next page examines how it's used. We'll dive deep into the forwarding and filtering decisions—exactly how the bridge determines whether to send a frame out a specific port, discard it entirely, or flood it everywhere. This is where learning translates into action.