CAM TABLE AND VLANS????

jefforsi
Level 1

How many CAM tables does a switch have?

Does it have one CAM table for each VLAN, or one CAM table for all VLANs?

If the switch has one CAM table for all VLANs, and I configure a static ARP entry on my computer for another computer that is on another VLAN, what happens if I try to ping that computer?

I think: if the switch has one CAM table for all VLANs, this test will be successful...

7 Replies

steve.barlow
Level 7

A switch has one CAM table for all VLANs. The CAM table stores the MAC address, port and associated VLAN parameters. Switches use a hash to place MACs into the CAM table. No, it won't work. Why: 1) your PC knows the MAC, but that doesn't mean the switch will forward the frame to another VLAN (as the CAM table holds VLAN info); that requires a router. 2) How would the PC return packets to you? What you know doesn't matter; it's what the switch knows.

Even if you filled the CAM table up (MAC flood) so that it started flooding packets, those packets would be VLAN-specific (packets are flooded only to their own VLAN) and only for traffic that doesn't have an existing CAM entry.

The method you are referring to is VLAN hopping, and it requires a trunk port (to prevent this, disable trunking where possible, change the default native VLAN of the trunk, and shut unused ports).

To secure same-VLAN traffic, use private VLANs and router ACLs in combination.

Hope that helps.

Steve

OK Steve,

your explanation is very helpful...

but I have been having problems with VLANs.... my network was using two Catalyst 1900s with an ISL trunk between them...

so I did the following test...

Two computers are in the same VLAN, so one computer pings the other successfully... then I change the VLAN of one computer... so... the ping times out... but after some seconds the computer continues to reply to pings....

so after the ARP cache is pruned, the computers are not able to communicate, but while the ARP cache exists, the computers (on different VLANs) continue to communicate....

Have you done this test before???

This sounds very much like VLAN hopping (http://www.sans.org/newlook/resources/IDFAQ/vlan.htm).

I assume the PCs are on different switches and cross the trunk. One way to prevent this is to change the native VLAN of the trunk to something other than the end users' VLAN.

Steve

Hello Steve,

well, this document is very important... but I haven't tested it yet...

Thanks...

Right, this is the deal (I think!).

Two computers are in the same VLAN. PC1 ARPs for the MAC address of PC2. PC2 responds with its MAC address, and the switches now have entries in the CAM table which say the MAC address of PC1 is out of port xx, and the MAC address of PC2 is out of port xx. PC1 sends a ping to PC2's MAC address and the switch forwards the frame because it knows the MAC address is out of port xx. Pings are successful.

Right, you then changed the VLAN of one of the PCs. But when PC1 tries to ping PC2, it still knows the MAC address even though they are in separate VLANs. The switch maintains one big CAM table for all VLANs and still knows that PC2's MAC address is out of port xx, so it forwards it and the pings get responses.

The only way to stop this is by clearing the ARP cache on just one of the PCs. By doing this, when PC1 wants to ping PC2, it doesn't know the MAC address (the ARP cache was cleared). PC1 sends an ARP which the switch receives, and because the ARP is a broadcast, it floods it to all ports in the SAME VLAN AS PC1. Therefore PC2, in another VLAN, never receives the ARP, so it cannot respond to it and PC1 never learns PC2's MAC address. This is why the pings time out.

Hope this helps?

Dazzler.
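The two CAM models argued about in this thread, written out as a small simulation. This is example code added for this page, not code from the thread, from Cisco, or from any real switch. Hosts, MAC addresses, port numbers and VLAN numbers are constructed; the model assumes that moving a port to another VLAN drops the entries learned on that port (as real switches do) and that PC2 transmits at least one frame after the move so the switch can relearn its MAC. With entries keyed on (VLAN, MAC), PC1's unicast after the change is dropped even though PC1 still holds PC2's MAC in its ARP cache; with entries keyed on MAC only, the "one big table" reading of Dazzler's explanation, the unicast reaches PC2's new port and the reply comes back, until PC1's ARP entry expires and its broadcast ARP request stays inside VLAN 10. The last function also checks Steve's earlier MAC-flood point: once the table is full, unknown-unicast flooding is still scoped to the sender's VLAN, so an attacker port in another VLAN sees nothing.

```python
"""Toy learning switch for reasoning about CAM tables and VLANs.

Added example for this thread; not code from the thread or from Cisco.
Hosts, MACs, ports and VLAN numbers below are constructed.
  vlan_keyed=True  : CAM entries keyed on (vlan, mac); a unicast can never
                     leave the VLAN of its ingress port.
  vlan_keyed=False : CAM entries keyed on mac only (the "one big table"
                     model); a stale ARP entry can let a unicast cross VLANs.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlans, vlan_keyed=True, cam_capacity=None):
        self.port_vlans = dict(port_vlans)  # port -> access VLAN
        self.vlan_keyed = vlan_keyed
        self.cam_capacity = cam_capacity    # None = unlimited entries
        self.cam = {}                       # key -> port

    def _key(self, vlan, mac):
        return (vlan, mac) if self.vlan_keyed else mac

    def set_port_vlan(self, port, vlan):
        """Move a port to another VLAN. Entries learned on that port are
        dropped (assumption: this mirrors what a real switch does)."""
        self.port_vlans[port] = vlan
        self.cam = {k: p for k, p in self.cam.items() if p != port}

    def _learn(self, in_port, src):
        key = self._key(self.port_vlans[in_port], src)
        if (key not in self.cam and self.cam_capacity is not None
                and len(self.cam) >= self.cam_capacity):
            return  # table full: nothing new is learned until entries age out
        self.cam[key] = in_port

    def forward(self, in_port, src, dst):
        """Learn src, then return the set of ports that receive the frame."""
        self._learn(in_port, src)
        vlan = self.port_vlans[in_port]
        same_vlan = {p for p, v in self.port_vlans.items()
                     if v == vlan and p != in_port}
        if dst == BROADCAST:
            return same_vlan                # broadcasts stay in the VLAN
        out = self.cam.get(self._key(vlan, dst))
        if out is None:
            return same_vlan                # unknown unicast: VLAN-scoped flood
        if out == in_port:
            return set()
        return {out}                        # mac-only model: may cross VLANs


def ping(sw, src_port, src_mac, dst_port, dst_mac):
    """True if an echo request reaches dst and the reply comes back to src.
    Both hosts are assumed to hold each other's MAC in their ARP caches."""
    if dst_port not in sw.forward(src_port, src_mac, dst_mac):
        return False
    return src_port in sw.forward(dst_port, dst_mac, src_mac)


def arp_reaches(sw, src_port, src_mac, dst_port):
    """True if an ARP request broadcast from src_port is heard on dst_port."""
    return dst_port in sw.forward(src_port, src_mac, BROADCAST)


PC1, PC2, PC3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
PORTS = {1: 10, 2: 10, 3: 20}  # constructed: PC1, PC2 in VLAN 10; PC3 in 20


def stale_arp_scenario(vlan_keyed):
    """Replay the thread's test: ping works, PC2's port moves to VLAN 20,
    PC1 keeps pinging with a stale ARP entry.
    Returns (ping_before, ping_after_with_stale_arp, arp_reaches_after)."""
    sw = Switch(PORTS, vlan_keyed=vlan_keyed)
    before = ping(sw, 1, PC1, 2, PC2)
    sw.set_port_vlan(2, 20)
    sw.forward(2, PC2, PC3)  # PC2 sends something; the switch relearns it
    after = ping(sw, 1, PC1, 2, PC2)
    return before, after, arp_reaches(sw, 1, PC1, 2)


def mac_flood_scenario():
    """Attacker on port 4 (VLAN 20) fills a 4-entry CAM. Returns the ports
    that see PC1's unicast to a MAC the switch has no entry for."""
    sw = Switch({**PORTS, 4: 20}, vlan_keyed=True, cam_capacity=4)
    for i in range(4):
        sw.forward(4, f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    return sw.forward(1, PC1, PC2)


if __name__ == "__main__":
    print("vlan-keyed CAM :", stale_arp_scenario(True))   # (True, False, False)
    print("mac-only CAM   :", stale_arp_scenario(False))  # (True, True, False)
    print("flood reaches  :", mac_flood_scenario())       # {2}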

Hello Dazzler,

your explanation is exactly what happened.... Did you have the same problem?

I only have one switch to hand, so I couldn't get the same setup as yours. I can see how it could happen.