I'm trying to understand when a layer-2 bridge (switch) would flood an unknown unicast frame. My understanding is that whenever a device needs to send a unicast frame, it would use ARP before sending, in which case the switch would already have the MAC address of the destination due to its ARP reply. It seems that there would never be a scenario where the switch would flood a unicast frame out all ports. My book lists this as a valid scenario. Am I missing something, or is this only possible in situations where ARP isn't used? Thanks.
ARP is a layer 3 protocol which maps IP addresses to MAC addresses. A layer-2 switch doesn't keep an ARP table. Instead, it passively learns the dynamic MAC addresses for each switch port (or they are statically assigned in some environments). If a MAC address isn't in its MAC address table, it forwards the packet to all ports.
At the place I used to work, once we had a server with a bad NIC driver. It had two teamed NICs, and somehow ended up using the MAC address of one of the individual NICs from the team. That MAC address wasn't in any MAC address tables, so it led to a unicast storm on the network until we tracked down the problem.
It happens when the sending station has the MAC address of the destination in its ARP cache, but the switch does not, for example, because it flushed its cache due to STP topology changes, or it aged out, or simply because it has just been powered on. Admittedly, not very often, but it can nonetheless happen.
So what happens when the ARP target response is not seen by the bridge?
The bridge may have a momentary overload, or the path from the MAC back to the originator may not cross this particular bridge. This can happen if you have asymmetric paths through a LAN - a switched subnet, with 2 routers using HSRP where inbound traffic comes in through one and outbound goes via the other, is a common case (especially in conjunction with the timer mismatch below).
Also, a bridge MAC table is usually in hardware with a fixed size - too many learned entries and it has to ignore the ones that come along when the table is full, or purge an existing entry - a common attack to cause a switched LAN to flood packets is to saturate the MAC tables in switches.
This seems that there would never
It seems less common now than when a typical switched LAN handled lots of protocols, mainly because IP is better behaved than some other protocol stacks.
However - aging can do it: the default 802.1D aging timer is 5 minutes. The default ARP timer on a Cisco is 4 hours? So, plenty of time for the bridge MAC table to time out while an ARP cache is still valid.
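As an added example (not part of this thread), a small Python model of the timer mismatch described in the last answer: the bridge ages MAC entries after the 802.1D default of 5 minutes, while host A's ARP cache keeps B's address for 4 hours, so A's next unicast to a silent B is flooded until B's reply re-teaches the bridge. The MAC addresses, IP address and port numbers are constructed for the simulation.

```python
from dataclasses import dataclass, field

BRIDGE_AGING_S = 5 * 60        # 802.1D default MAC aging timer, 5 minutes
ARP_CACHE_S = 4 * 60 * 60      # ARP cache lifetime quoted in the answer, 4 hours

A_MAC, B_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"   # constructed sample MACs
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Bridge:
    """Learning bridge: MAC table maps address -> (port, last_seen_time)."""
    ports: frozenset
    table: dict = field(default_factory=dict)

    def forward(self, src, dst, in_port, now):
        # Age out entries not refreshed within the aging timer, then learn src on in_port.
        self.table = {m: e for m, e in self.table.items() if now - e[1] <= BRIDGE_AGING_S}
        self.table[src] = (in_port, now)
        if dst in self.table:
            return frozenset({self.table[dst][0]})      # known unicast: exactly one port
        return self.ports - {in_port}                   # broadcast or unknown unicast: flood


def simulate():
    """A on port 1 talks to B on port 2; port 3 is an idle host. Returns (t, event, out_ports)."""
    bridge = Bridge(ports=frozenset({1, 2, 3}))
    arp_cache_a = {}                                    # host A: ip -> (mac, learned_at)
    log = []

    def send(t, label, src, dst, in_port):
        log.append((t, label, bridge.forward(src, dst, in_port, t)))

    # t=0: A has no ARP entry, so it broadcasts a request; B's unicast reply teaches the bridge B's port.
    send(0, "arp-request", A_MAC, BROADCAST, 1)
    send(0, "arp-reply", B_MAC, A_MAC, 2)
    arp_cache_a["10.0.0.2"] = (B_MAC, 0)
    # t=60: both tables fresh, the unicast leaves on port 2 only.
    send(60, "unicast-fresh", A_MAC, arp_cache_a["10.0.0.2"][0], 1)
    # t=600: A's ARP entry is still valid (4 h), but B has been silent 10 min and aged out of the bridge.
    assert 600 - arp_cache_a["10.0.0.2"][1] < ARP_CACHE_S
    send(600, "unicast-after-aging", A_MAC, arp_cache_a["10.0.0.2"][0], 1)
    # B's reply re-learns B's port, so the very next frame is no longer flooded.
    send(601, "reply-relearns", B_MAC, A_MAC, 2)
    send(602, "unicast-relearned", A_MAC, B_MAC, 1)
    return log
```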