Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8616
Views
20
Helpful
6
Replies

layer 2 switch, cam table full

Go to solution
sarahr202
Level 5
Level 5

‎06-02-2012 12:24 PM - edited ‎03-07-2019 07:02 AM

Hi everybody

How does switch behave if its cam table is full?  For example  if we have a switch whose cam table at maximum can store say 5 mac addresses as shown below,what will switch do if it receives a frame with dest mac mac2?  will it flood the frame out of all ports except f1/2? or will it simply forward it out of f1/1?

mac1----f1/1

mac2---f1/2

mac3---f1/3

mac4---f1/4

mac 5--f1/5

thanks and have a great weekend.

Labels:
3 Accepted Solutions

Accepted Solutions

Go to solution
Ivan Shirshin
Cisco Employee
Cisco Employee

‎06-02-2012 01:17 PM

Hi,

If a CAM table is full, switch no longer learns MAC address and behaves as a hub for new addresses. In your case the entry is existing in a table, so it will forward it just as in regular switch operation from the corresponding port only (untill the tnry is expired).

Kind Regards,

Ivan

**Please grade this post if you find it useful.

Kind Regards,
Ivan

View solution in original post

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎06-02-2012 01:29 PM

Hello Sarah and Ivan,

Please allow me to join and add a few points. There are always two aspects to the frame handling on a switch:

  1. Learning a MAC address using the source MAC address field
  2. Switching a frame using the destination MAC address field

If the CAM address table is full and a frame arrives, then with respect to learning a MAC address, two options obviously exist:

  1. Either the source MAC address is known, in which case the CAM address table does not need to be modified - at most, if the frame arrived through a different port, the CAM is updated but no new record will be added
  2. Or the source MAC address is unknown. This is a more interesting scenario. The exact behavior in this case depends on the implementation of the switch. Some switches may replace the oldest MAC address in the CAM table with the new source MAC address from the frame. Another switches will ignore the source MAC and will not learn it because there is no additional space in the CAM table. And yet some other switches will crash or otherwise behave crazily

With respect to delivering a frame, the fact that the CAM is full has absolutely no effect. Either the destination MAC address is present in the CAM table and then the frame will be sent via the appropriate port, or it is unknown, in which case the frame will be flooded out all remaining ports in the same VLAN except the ingress port.

Best regards,

Peter

View solution in original post

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Surya ARBY

‎06-03-2012 02:03 AM

Hello Surya,

Theoretically, a CAM overflow should not result in the loss of VLAN isolation, as delivering a frame is based solely on the lookup of the destination MAC address in the CAM table. Be the CAM table full or not, it does not make a difference to the lookup - either the destination MAC is present in the table or not. The resulting behavior should therefore be the same as if the CAM was only partially filled and the destination MAC was/was not found. The VLAN isolation should not be therefore lost.

However, I understand that this is a theoretical explanation, and the real implementation of switches may differ. Therefore, if a similar situation can be an issue, it is worthy of testing the switch whether it loses the VLAN containment in periods of CAM overflow. No definitive guaranteed answer can be given here.

To my best knowledge, Catalyst switches should not suffer from VLAN containment loss.

Best regards,

Peter

View solution in original post

6 Replies 6

Go to solution
Ivan Shirshin
Cisco Employee
Cisco Employee

‎06-02-2012 01:17 PM

Hi,

If a CAM table is full, switch no longer learns MAC address and behaves as a hub for new addresses. In your case the entry is existing in a table, so it will forward it just as in regular switch operation from the corresponding port only (untill the tnry is expired).

Kind Regards,

Ivan

**Please grade this post if you find it useful.

Kind Regards,
Ivan

Go to solution
Surya ARBY
Level 4
Level 4
In response to Ivan Shirshin

‎06-03-2012 01:07 AM

Does it still provide VLAN isolation or not ? Are the new frames flooded into the incoming vlan or across all vlans defined in the switch ?

Usually CAM overflow attack is presented as a way to overcome VLAN isolation.

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Surya ARBY

‎06-03-2012 02:03 AM

Hello Surya,

Theoretically, a CAM overflow should not result in the loss of VLAN isolation, as delivering a frame is based solely on the lookup of the destination MAC address in the CAM table. Be the CAM table full or not, it does not make a difference to the lookup - either the destination MAC is present in the table or not. The resulting behavior should therefore be the same as if the CAM was only partially filled and the destination MAC was/was not found. The VLAN isolation should not be therefore lost.

However, I understand that this is a theoretical explanation, and the real implementation of switches may differ. Therefore, if a similar situation can be an issue, it is worthy of testing the switch whether it loses the VLAN containment in periods of CAM overflow. No definitive guaranteed answer can be given here.

To my best knowledge, Catalyst switches should not suffer from VLAN containment loss.

Best regards,

Peter

Go to solution
Surya ARBY
Level 4
Level 4
In response to Peter Paluch

‎06-03-2012 02:07 AM

Thank you for the answer

0 Helpful

Go to solution
medosherif110
Level 1
Level 1
In response to Ivan Shirshin

‎12-08-2023 08:14 AM

1-Do you mean here that the broadcast cast happens to the new sources? That is, if the destination is known in the cam table, it will also happen broadcast?

2- I saw in another answer to a similar question that this broadcast returns the request to all ports, including the sender port, is this true?

and thanks

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎06-02-2012 01:29 PM

Hello Sarah and Ivan,

Please allow me to join and add a few points. There are always two aspects to the frame handling on a switch:

  1. Learning a MAC address using the source MAC address field
  2. Switching a frame using the destination MAC address field

If the CAM address table is full and a frame arrives, then with respect to learning a MAC address, two options obviously exist:

  1. Either the source MAC address is known, in which case the CAM address table does not need to be modified - at most, if the frame arrived through a different port, the CAM is updated but no new record will be added
  2. Or the source MAC address is unknown. This is a more interesting scenario. The exact behavior in this case depends on the implementation of the switch. Some switches may replace the oldest MAC address in the CAM table with the new source MAC address from the frame. Another switches will ignore the source MAC and will not learn it because there is no additional space in the CAM table. And yet some other switches will crash or otherwise behave crazily

With respect to delivering a frame, the fact that the CAM is full has absolutely no effect. Either the destination MAC address is present in the CAM table and then the frame will be sent via the appropriate port, or it is unknown, in which case the frame will be flooded out all remaining ports in the same VLAN except the ingress port.

Best regards,

Peter

Customers Also Viewed These Support Documents