, , , , ,

Unlike hubs, switches regulate the flow of data between ports by creating instant networks that contain only the two endpoint devices communicating with each other at that moment in time. Switches accomplish this by forwarding data out specific ports based on the MAC address. Switches maintain MAC address tables, also known as content-addressable memory (CAM) lookup tables, to track the source MAC addresses associated with each switch port. These lookup tables are populated by an address-learning process on the switch.

It is important to note that data frames are sent by end systems, and their source and destination addresses are not changed throughout the switched domain. If a switch receives an incoming data frame and the destination MAC address is not in the table, the switch forwards the frame out all ports, except for the port on which it was received. When the destination node responds, the switch records the MAC address of the node in the address table from the frame source address field. Switches populate the MAC address table by recording the source MAC address of a frame, and associating that address with the port on which the frame is received.

In networks with multiple interconnected switches, the MAC address tables record multiple MAC addresses for the ports interconnecting switches. These MAC addresses reflect remote nodes or nodes that are connected to another switch within the switched domain.

The method used by switches to populate the MAC address table leads to a vulnerability known as MAC spoofing. Spoofing attacks occur when one host masquerades or poses as another to receive otherwise inaccessible data or to circumvent security configurations.


MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host. The attacking host then sends a frame throughout the network with the newly configured MAC address. When the switch receives the frame, it examines the source MAC address. The switch overwrites the current MAC address table entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined for the target host to the attacking host.


When the switch changes the MAC address table, the target host does not receive any traffic until it sends traffic. When the target host sends traffic, the switch receives and examines the frame, resulting in the MAC address table being rewritten once more, realigning the MAC address to the original port.

If you feel this article helped you to get some learning, please support by clicking below.