7206 Views · 20 Helpful · 6 Replies

layer 2 switch, cam table full

sarahr202
Level 5

Hi everybody

How does a switch behave if its CAM table is full? For example, if we have a switch whose CAM table can store at most, say, 5 MAC addresses as shown below, what will the switch do if it receives a frame with destination MAC mac2? Will it flood the frame out of all ports except f1/2, or will it simply forward it out of f1/1?

mac1 -- f1/1
mac2 -- f1/2
mac3 -- f1/3
mac4 -- f1/4
mac5 -- f1/5

thanks and have a great weekend.

3 Accepted Solutions

Ivan Shirshin
Cisco Employee

Hi,

If a CAM table is full, the switch no longer learns MAC addresses and behaves as a hub for new addresses. In your case the entry already exists in the table, so it will forward the frame just as in regular switch operation, out of the corresponding port only (until the entry expires).

Kind Regards,

Ivan


Peter Paluch
Cisco Employee

Hello Sarah and Ivan,

Please allow me to join and add a few points. There are always two aspects to the frame handling on a switch:

  1. Learning a MAC address using the source MAC address field
  2. Switching a frame using the destination MAC address field

If the CAM address table is full and a frame arrives, then with respect to learning a MAC address, two options obviously exist:

  1. Either the source MAC address is known, in which case the CAM address table does not need to be modified - at most, if the frame arrived through a different port, the CAM entry is updated, but no new record will be added.
  2. Or the source MAC address is unknown. This is a more interesting scenario. The exact behavior in this case depends on the implementation of the switch. Some switches may replace the oldest MAC address in the CAM table with the new source MAC address from the frame. Other switches will ignore the source MAC and will not learn it because there is no additional space in the CAM table. And yet some other switches will crash or otherwise behave crazily.

With respect to delivering a frame, the fact that the CAM is full has absolutely no effect. Either the destination MAC address is present in the CAM table and then the frame will be sent via the appropriate port, or it is unknown, in which case the frame will be flooded out all remaining ports in the same VLAN except the ingress port.

Best regards,

Peter


Hello Surya,

Theoretically, a CAM overflow should not result in the loss of VLAN isolation, as delivering a frame is based solely on the lookup of the destination MAC address in the CAM table. Be the CAM table full or not, it does not make a difference to the lookup - either the destination MAC is present in the table or not. The resulting behavior should therefore be the same as if the CAM was only partially filled and the destination MAC was/was not found. VLAN isolation should therefore not be lost.

However, I understand that this is a theoretical explanation, and the real implementation of switches may differ. Therefore, if a similar situation can be an issue, it is worth testing whether the switch loses VLAN containment in periods of CAM overflow. No definitive guaranteed answer can be given here.

To my best knowledge, Catalyst switches should not suffer from VLAN containment loss.

Best regards,

Peter

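As an added illustration (not code from the thread or from any Cisco product), the following toy model of a learning switch with a bounded CAM table makes Peter's two points concrete: learning on a full table depends on the implementation policy (here "ignore" versus "evict_oldest"), while forwarding is unaffected, and, answering Surya's question, flooding of an unknown destination stays inside the ingress VLAN. The port names, the 5-entry limit and the VLAN assignments are the example's own assumptions.

```python
# Added example, not from the thread: a learning switch with a bounded CAM.
# It checks Peter's two points (learning on a full table is policy-dependent,
# forwarding is not) and Surya's question (flooding stays in the ingress VLAN).
from collections import OrderedDict

class Switch:
    def __init__(self, capacity, port_vlan, policy="ignore"):
        self.capacity, self.port_vlan, self.policy = capacity, port_vlan, policy
        self.cam = OrderedDict()          # (vlan, mac) -> port, oldest first

    def learn(self, vlan, src, port):
        key = (vlan, src)
        if key in self.cam:               # known source: refresh, no new entry
            self.cam[key] = port
            self.cam.move_to_end(key)
            return "refreshed"
        if len(self.cam) < self.capacity:
            self.cam[key] = port
            return "learned"
        if self.policy == "evict_oldest": # some switches replace the oldest
            self.cam.popitem(last=False)
            self.cam[key] = port
            return "evicted"
        return "ignored"                  # others simply do not learn it

    def forward(self, ingress, src, dst):
        vlan = self.port_vlan[ingress]
        self.learn(vlan, src, ingress)
        out = self.cam.get((vlan, dst))   # lookup is unaffected by fullness
        if out is not None:
            return [out]                  # known destination: one port
        # unknown destination: flood the ingress VLAN only, minus ingress port
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress)

def demo():
    ports = {f"f1/{i}": 10 for i in range(1, 6)}   # constructed: VLAN 10 as in the question
    ports.update({"f1/6": 20, "f1/7": 20})         # constructed: a second VLAN
    results = {}
    for policy in ("ignore", "evict_oldest"):
        sw = Switch(5, ports, policy)
        for i in range(1, 6):             # mac1..mac5 fill the 5-entry CAM
            sw.forward(f"f1/{i}", f"mac{i}", "ff:ff:ff:ff:ff:ff")
        r = {"known_dst": sw.forward("f1/1", "mac1", "mac2")}    # full, still f1/2
        r["flood_vlan20"] = sw.forward("f1/6", "mac6", "mac99")  # VLAN 20 only
        r["learn_mac7"] = sw.learn(20, "mac7", "f1/7")
        r["dst_mac2_after"] = sw.forward("f1/1", "mac1", "mac2") # evicted? flood
        results[policy] = r
    return results
```

With the "ignore" policy mac2 keeps being delivered to f1/2 only; with "evict_oldest" the mac2 entry is pushed out by the new VLAN 20 sources and later frames to mac2 are flooded within VLAN 10, never into VLAN 20.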

6 Replies


Does it still provide VLAN isolation or not? Are the new frames flooded into the incoming VLAN or across all VLANs defined in the switch?

Usually a CAM overflow attack is presented as a way to overcome VLAN isolation.


Thank you for the answer

1. Do you mean here that the broadcast happens to the new sources? That is, if the destination is known in the CAM table, will the broadcast also happen?

2. I saw in another answer to a similar question that this broadcast returns the request to all ports, including the sender port. Is this true?

and thanks

