
Bronze

layer 2 switch, cam table full

Hi everybody

How does a switch behave if its CAM table is full? For example, if we have a switch whose CAM table can store at most, say, 5 MAC addresses as shown below, what will the switch do if it receives a frame with destination MAC mac2? Will it flood the frame out of all ports except f1/2, or will it simply forward it out of f1/1?

mac1 ---- f1/1
mac2 ---- f1/2
mac3 ---- f1/3
mac4 ---- f1/4
mac5 ---- f1/5

thanks and have a great weekend.

5 REPLIES
Cisco Employee

Hi,

If a CAM table is full, the switch no longer learns MAC addresses and behaves as a hub for new addresses. In your case the entry exists in the table, so it will forward the frame just as in regular switch operation, out of the corresponding port only (until the entry expires).

Kind Regards,

Ivan Shirshin

**Please grade this post if you find it useful.
Silver

Does it still provide VLAN isolation or not? Are the new frames flooded into the incoming VLAN or across all VLANs defined in the switch?

Usually a CAM overflow attack is presented as a way to overcome VLAN isolation.

Cisco Employee

Hello Surya,

Theoretically, a CAM overflow should not result in the loss of VLAN isolation, as delivering a frame is based solely on the lookup of the destination MAC address in the CAM table. Be the CAM table full or not, it does not make a difference to the lookup - either the destination MAC is present in the table or not. The resulting behavior should therefore be the same as if the CAM was only partially filled and the destination MAC was/was not found. VLAN isolation should therefore not be lost.

However, I understand that this is a theoretical explanation, and the real implementation of switches may differ. Therefore, if a similar situation can be an issue, it is worth testing whether the switch loses VLAN containment in periods of CAM overflow. No definitive guaranteed answer can be given here.

To the best of my knowledge, Catalyst switches should not suffer from VLAN containment loss.

Best regards,

Peter

Silver

Thank you for the answer

Cisco Employee

Hello Sarah and Ivan,

Please allow me to join and add a few points. There are always two aspects to the frame handling on a switch:

  1. Learning a MAC address using the source MAC address field
  2. Switching a frame using the destination MAC address field

If the CAM address table is full and a frame arrives, then with respect to learning a MAC address, two options obviously exist:

  1. Either the source MAC address is known, in which case the CAM address table does not need to be modified - at most, if the frame arrived through a different port, the CAM is updated but no new record will be added.
  2. Or the source MAC address is unknown. This is a more interesting scenario. The exact behavior in this case depends on the implementation of the switch. Some switches may replace the oldest MAC address in the CAM table with the new source MAC address from the frame. Other switches will ignore the source MAC and will not learn it because there is no additional space in the CAM table. And yet some other switches will crash or otherwise behave crazily.

With respect to delivering a frame, the fact that the CAM is full has absolutely no effect. Either the destination MAC address is present in the CAM table and then the frame will be sent via the appropriate port, or it is unknown, in which case the frame will be flooded out all remaining ports in the same VLAN except the ingress port.

Best regards,

Peter
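
The learning and forwarding rules described in this thread, as an added example that is not part of the original posts: a toy model of a learning switch with a 5-entry CAM table, comparing the "ignore new source" and "replace oldest" policies. The port-to-VLAN assignment, the `(vlan, mac)` table key, the `Switch` class and the `demo` helper are assumptions made for illustration, not the behavior of any particular product.

```python
from collections import OrderedDict

class Switch:
    """Toy learning switch with a bounded CAM table keyed by (vlan, mac)."""

    def __init__(self, port_vlans, capacity, policy="ignore"):
        self.port_vlans = port_vlans      # port name -> VLAN id (assumed layout)
        self.capacity = capacity
        self.policy = policy              # "ignore" or "evict_oldest"
        self.cam = OrderedDict()          # (vlan, mac) -> port, oldest first

    def learn(self, vlan, src, port):
        key = (vlan, src)
        if key in self.cam:
            self.cam[key] = port          # known source: update port, no new record
            return
        if len(self.cam) >= self.capacity:
            if self.policy == "ignore":
                return                    # table full: source is not learned
            self.cam.popitem(last=False)  # table full: replace the oldest entry
        self.cam[key] = port

    def receive(self, port, src, dst):
        """Learn from src, then return the sorted list of egress ports."""
        vlan = self.port_vlans[port]
        self.learn(vlan, src, port)
        out = self.cam.get((vlan, dst))
        if out is not None:
            return [] if out == port else [out]   # known destination: one port
        # unknown destination: flood within the ingress VLAN only
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != port)

# Constructed sample topology: five ports split across two VLANs.
PORTS = {"f1/1": 10, "f1/2": 10, "f1/3": 10, "f1/4": 20, "f1/5": 20}

def demo(policy):
    sw = Switch(PORTS, capacity=5, policy=policy)
    for i, port in enumerate(PORTS, start=1):      # fill table: mac1..mac5
        sw.receive(port, f"mac{i}", "ff")          # "ff" = placeholder unknown dst
    known = sw.receive("f1/1", "mac1", "mac2")     # both already in the table
    new_src = sw.receive("f1/3", "mac6", "mac2")   # unknown source, table full
    to_new = sw.receive("f1/1", "mac1", "mac6")    # was mac6 learned?
    return known, new_src, to_new, len(sw.cam)
```

In both policies a frame to a destination already in the table leaves on one port, and a flood for an unknown destination stays on the ingress VLAN's ports; the policies differ only in whether `mac6` becomes reachable by unicast afterwards.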
