Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Unknown Unicast

Training Camp • Cybersecurity Glossary

What is Unknown Unicast?

A unicast frame whose destination MAC is not in the switch's CAM table, causing the switch to flood it out all ports except the source.

Glossary > Network Security > Unknown Unicast

Unknown Unicast — A unicast frame whose destination MAC is not in the switch's CAM table

Understanding Unknown Unicast

An unknown unicast is a unicast frame whose destination MAC address is not present in the switch's MAC address (CAM) table. Because the switch does not know which port leads to the destination, it floods the frame out every port in the VLAN except the one it arrived on, behaving like a broadcast until it learns the correct location.

This behavior follows from how transparent bridging works. A switch learns source MAC addresses as frames arrive, building its CAM table. When a frame's destination is already known, it is forwarded only to the correct port. When it is unknown, perhaps because the destination has not yet transmitted, its entry aged out, or the table is full, the switch falls back to flooding so the frame can still reach the host. Once the destination replies, the switch learns its MAC and future frames are forwarded normally.

Unknown unicast flooding matters for both performance and security. Excessive flooding wastes bandwidth and exposes traffic that should have been point-to-point to every device in the VLAN, where an attacker on another port could sniff it. Attackers exploit this with MAC flooding (CAM table overflow) attacks: by filling the table with bogus addresses, they force the switch to flood legitimate traffic, effectively turning the switch into a hub for eavesdropping. Controls include port security to limit MAC addresses per port and unknown-unicast storm control.

For example, an attacker connected to an access switch runs a tool like macof to flood thousands of random source MAC addresses. The CAM table fills, legitimate entries can no longer be stored, and the switch begins flooding normal user traffic as unknown unicast out all ports. The attacker's port now receives copies of frames meant for other hosts, enabling credential and data capture. Enabling port security to cap MAC addresses per port stops the overflow and prevents the forced flooding.

Learn More About Unknown Unicast:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →