nerdexam
EC-Council

312-50V13 · Question #146

Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?

The correct answer is A. The switches will drop into hub mode if the ARP cache is successfully flooded.. When a switch's MAC address table is successfully flooded using tools like Macof, the switch often reverts to acting like a network hub by forwarding all unknown unicast traffic out of all ports.

Submitted by kevin_r· Mar 6, 2026Sniffing

Question

Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?

Options

  • AThe switches will drop into hub mode if the ARP cache is successfully flooded.
  • BIf the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to
  • CDepending on the switch manufacturer, the device will either delete every entry in its ARP cache
  • DThe switches will route all traffic to the broadcast address created collisions.

How the community answered

(24 responses)
  • A
    75% (18)
  • B
    4% (1)
  • C
    13% (3)
  • D
    8% (2)

Why each option

When a switch's MAC address table is successfully flooded using tools like Macof, the switch often reverts to acting like a network hub by forwarding all unknown unicast traffic out of all ports.

AThe switches will drop into hub mode if the ARP cache is successfully flooded.Correct

Macof floods a switch with random MAC addresses, filling its MAC address table. Once the table is full, the switch can no longer learn new MAC-to-port mappings and will flood subsequent unknown unicast frames out of all ports (except the ingress port), effectively operating as a hub.

BIf the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to

'Pix mode' is not a recognized operational mode for a network switch, and MAC flooding makes a switch *more* susceptible to attacks, not less.

CDepending on the switch manufacturer, the device will either delete every entry in its ARP cache

While some advanced switches have mitigation techniques, the immediate and primary effect of a successful MAC table flood on typical switches is table overflow and hub-like behavior, not the deletion of all entries.

DThe switches will route all traffic to the broadcast address created collisions.

Switches operate at Layer 2 (MAC addresses) and do not route (Layer 3) traffic; the behavior is flooding unknown unicast frames to all ports, not routing to a broadcast address, and while it can increase network traffic, it's not primarily about creating collisions.

Concept tested: MAC flooding attack and switch behavior

Source: https://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-series-xl-switches/24362-158.html

Topics

#MAC flooding#ARP cache poisoning#switch security

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice