CAM Table – In-Depth Explanation

1. What is a CAM Table?

CAM stands for Content Addressable Memory.
The CAM Table is a high-speed hardware memory in Ethernet switches, mapping MAC addresses to switch ports and VLANs.
Purpose: Enables ultra-fast lookups for Layer 2 frame forwarding—crucial for efficient switch performance.

2. Role in Network Switches

Layer 2 switches use the CAM table to make real-time forwarding decisions for Ethernet frames. The switch checks the destination MAC in the CAM table to know which port to use—preventing unnecessary flooding and maximizing performance.

3. Difference Between CAM Table and MAC Address Table

CAM Table | MAC Address Table
Hardware memory for fast lookup | Logical/CLI view for admins
Implemented using actual CAM chips | Displayed by "show mac address-table"
Focus on physical memory/lookup | Focus on logical data structure
Same underlying function as MAC table, but "CAM" highlights hardware aspect | Admin perspective (OS/CLI/monitoring)

Note: In practice, "CAM table" and "MAC address table" are used interchangeably. "CAM" focuses on the hardware lookup; "MAC table" is the software/CLI representation.

4. How CAM Works in Switches

  • CAM retrieves data by content, not by address (unlike RAM).
  • Switches perform parallel hardware searches, resulting in nanosecond-scale MAC lookups.
  • Example: Frame with destination MAC 00:11:22:33:44:55 arrives. CAM instantly finds the associated port in hardware.

5. CAM Table Structure and Entries

Field | Description
MAC Address | 48-bit hardware address
Port | Switch interface (e.g., Gi0/1)
VLAN | VLAN ID (e.g., 10)
Type | Dynamic or Static

Example Entry:

MAC: 00:11:22:33:44:55 | Port: Gi0/2 | VLAN: 10 | Type: Dynamic

6. CAM Table Learning Process

  • Dynamic: Switch learns MACs from source addresses of incoming frames.
  • Static: Admins can manually assign MAC-to-port mappings.

Example:
Host A sends a frame from Gi0/1 (VLAN 20) with MAC AA-BB-CC-DD-EE-FF.
Switch adds: AA-BB-CC-DD-EE-FF | Gi0/1 | VLAN 20 | Dynamic

7. CAM Table Size and Limits

Switches have a finite CAM table size (e.g., 8,192 or 16,384 entries).
When the table is full, the switch cannot learn new addresses and floods frames addressed to MACs it has no entry for, degrading network performance and creating security risks.

8. CAM Table Aging and Timeout

  • Aging Timer: Each dynamic entry ages out if no frames are seen from the MAC for a period (typically 300 seconds).
  • Static entries: Never age out and must be manually removed.

9. CAM Table Overflow and Security Implications

MAC Flooding Attack: Attacker floods the switch with frames from thousands of fake MACs, filling the CAM table.

Consequence: Switch starts flooding frames, allowing attacker to sniff traffic on the network.

  • Mitigations:
    • Port Security: Limit the number of MACs per port.
    • DHCP Snooping: Prevent rogue DHCP servers.
    • Dynamic ARP Inspection: Prevent ARP spoofing.

Example (port security, limiting the interface to 2 MAC addresses):

switch(config-if)# switchport port-security maximum 2

10. Viewing CAM Table Entries

show mac address-table
show mac-address-table

Sample Output:

VLAN  MAC Address        Type     Ports
----  ---------------   -------  -----
 10   00-11-22-33-44-55 DYNAMIC  Gi0/2
 20   AA-BB-CC-DD-EE-FF STATIC   Gi0/1

11. CAM Table vs. TCAM (Ternary CAM)

CAM Table | TCAM Table
Matches binary values only (0/1) | Matches 0, 1, or "don't care" (X)
Used for MAC address lookups (Layer 2) | Used for ACLs, QoS, Layer 2/3/4 lookups
Simpler and faster for fixed field matching | More flexible for advanced searches (e.g., IP+port+protocol)

Example:

  • CAM: Exact match for MAC forwarding.
  • TCAM: Match on IP, protocol, and port for an access list.

12. CAM Table Role in Frame Forwarding

  • When a frame arrives: Switch looks up destination MAC in CAM table.
  • If found: Forwards to associated port.
  • If not found: Floods to all ports in VLAN except source port.
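
The learning, size-limit, aging and forwarding rules from sections 6, 7, 8 and 12, combined in a small software model. This is an added example, not vendor code: the class ToySwitch, its method names and the drop-on-violation behaviour of the per-port limit are assumptions made for illustration.

```python
AGING_SECONDS = 300  # typical aging time quoted in section 8


class ToySwitch:
    """Toy model of a MAC table; real switches do this lookup in hardware."""

    def __init__(self, ports, capacity, max_macs_per_port=None):
        self.ports = ports                # port name -> VLAN ID
        self.capacity = capacity          # finite table size (section 7)
        self.max_macs_per_port = max_macs_per_port  # port-security style limit
        self.table = {}                   # (vlan, mac) -> [port, last_seen]

    def _age_out(self, now):
        # Dynamic entries expire when no frame was seen for AGING_SECONDS.
        expired = [key for key, (_, seen) in self.table.items()
                   if now - seen >= AGING_SECONDS]
        for key in expired:
            del self.table[key]

    def _learn(self, vlan, mac, port, now):
        key = (vlan, mac)
        if key in self.table:             # refresh (or move) a known MAC
            self.table[key] = [port, now]
            return True
        on_port = sum(1 for p, _ in self.table.values() if p == port)
        if self.max_macs_per_port is not None and on_port >= self.max_macs_per_port:
            return False                  # assumption: violating frame is dropped
        if len(self.table) < self.capacity:   # a full table cannot learn
            self.table[key] = [port, now]
        return True

    def receive(self, in_port, src, dst, now):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.ports[in_port]
        self._age_out(now)
        if not self._learn(vlan, src, in_port, now):
            return []                     # rejected by the per-port limit
        entry = self.table.get((vlan, dst))
        if entry:                         # known destination: one port only
            return [] if entry[0] == in_port else [entry[0]]
        # Unknown destination: flood within the VLAN, except the source port.
        return sorted(p for p, v in self.ports.items()
                      if v == vlan and p != in_port)
```

With a full table, a legitimate host's source MAC is never learned, so replies to it are flooded to every port in the VLAN; with a per-port limit the table keeps room and the same reply leaves on one port only.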

13. Troubleshooting CAM Table Issues

Issue | Possible Cause | Resolution
CAM Table Overflow | Attack or too many devices | Implement port security; monitor logs
MAC Flapping | Device moving or network loop | Check cabling, spanning-tree, port security
Stale Entries | Device offline, aging timer too high | Adjust aging time, remove static entries

Use "show mac address-table" to spot MACs that are flapping, an excess of dynamic entries, or missing static MACs.
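
One way to automate that check from two captures of the command output, as an added example that is not part of the original page. The function names, the threshold of 2 dynamic MACs per port and the sample snapshots are assumptions; the parser goes slightly beyond the sample output by also accepting colon and dotted MAC notation.

```python
import re
from collections import Counter

# One table row: VLAN, MAC (hyphen, colon or dotted notation), type, port.
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+(\w+)\s+(\S+)\s*$")

def parse_table(text):
    """Return {(vlan, mac): (type, port)}; header and rule lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, kind, port = m.groups()
        digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
        if len(digits) != 12:
            continue  # not a 48-bit address
        mac = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
        entries[(int(vlan), mac)] = (kind.upper(), port)
    return entries

def review(before, after, max_dynamic_per_port=2, expected_static=()):
    """Compare two snapshots of the table and report what needs a closer look."""
    old, new = parse_table(before), parse_table(after)
    # Same VLAN+MAC on a different port: a moved device or a flapping MAC.
    moved = sorted(k for k in old.keys() & new.keys() if old[k][1] != new[k][1])
    # Ports holding more dynamic entries than expected for an access port.
    per_port = Counter(port for kind, port in new.values() if kind == "DYNAMIC")
    crowded = sorted(p for p, n in per_port.items() if n > max_dynamic_per_port)
    # Entries that should be STATIC but are absent or only dynamically learned.
    missing = sorted(k for k in expected_static if new.get(k, ("",))[0] != "STATIC")
    return {"moved": moved, "crowded_ports": crowded, "missing_static": missing}

# Constructed snapshots in the layout of the sample output in section 10.
SNAP_1 = """\
VLAN  MAC Address        Type     Ports
----  ---------------   -------  -----
 10   00-11-22-33-44-55 DYNAMIC  Gi0/2
 20   AA-BB-CC-DD-EE-FF STATIC   Gi0/1
"""
SNAP_2 = """\
VLAN  MAC Address        Type     Ports
----  ---------------   -------  -----
 10   00-11-22-33-44-55 DYNAMIC  Gi0/3
 10   02-00-00-00-00-01 DYNAMIC  Gi0/3
 10   0200.0000.0002    DYNAMIC  Gi0/3
 20   AA-BB-CC-DD-EE-FF DYNAMIC  Gi0/1
"""
```

A single moved entry between two snapshots can be a legitimate device move; repeated moves across several captures are what indicate flapping.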

14. Example Scenario

Two devices, A and B, connected to Gi0/1 and Gi0/2 in VLAN 10:
Device A sends a frame with source MAC 00-11-22-33-44-AA → Switch learns: 00-11-22-33-44-AA | Gi0/1 | VLAN 10 | Dynamic
Device B replies, switch learns: 00-11-22-33-44-BB | Gi0/2 | VLAN 10 | Dynamic
After this, frames destined for either device are forwarded directly to their port, not flooded.
However, if an attacker floods the switch with fake MACs, the CAM table may overflow, leading to network-wide flooding and exposure of sensitive data.

15. When and Where to Use CAM Table Knowledge

  • Switch operation: Essential for understanding L2 forwarding.
  • Security: Mitigate MAC flooding attacks and unauthorized access.
  • Troubleshooting: Diagnose connectivity, loops, or table overflow.
  • Optimization: Manage table size in large environments.

📑 Summary Table

Aspect | CAM Table Role or Value
Purpose | High-speed MAC-to-port lookup in hardware
Learned entries | Dynamically or statically
Table size | Limited by switch hardware
Aging | Removes inactive dynamic entries
Security risks | Flooding attacks, MAC flapping
Mitigation | Port security, DHCP snooping
Troubleshooting | show mac address-table, check for overflows

CAM Table Quiz

1. What does CAM stand for in networking switches?

Correct answer is B. CAM stands for Content Addressable Memory, a specialized memory used for fast MAC address lookups in switches.

2. What is the primary function of a CAM Table in a switch?

Correct answer is A. The CAM Table maps MAC addresses to ports and VLANs for efficient Layer 2 frame forwarding.

3. How does CAM memory differ from RAM?

Correct answer is D. CAM retrieves addresses based on content (e.g., MAC addresses), unlike RAM which retrieves data by a specified address.

4. What happens when a frame arrives with a destination MAC address not in the CAM Table?

Correct answer is C. The switch floods the frame to all ports in the VLAN to find the destination if the MAC is unknown.

5. What is the default aging timer value for dynamically learned CAM table entries?

Correct answer is A. Dynamically learned MAC addresses expire after about 300 seconds of inactivity to keep the table current.

6. What is a potential consequence of CAM Table overflow?

Correct answer is B. Overflow causes the switch to flood traffic to all ports, allowing attackers to sniff network data.

7. How does port security mitigate CAM Table overflow attacks?

Correct answer is D. Port security restricts MAC addresses per port to prevent flooding and potential attacks.

8. Which command on a Cisco switch displays the CAM table entries?

Correct answer is C. The "show mac address-table" command lists MAC addresses and their associated ports and VLANs.

9. What is the benefit of the "sticky" MAC address feature?

Correct answer is A. Sticky MAC learns addresses dynamically and saves them as static entries, improving security and persistence.

10. How are MAC addresses learned and propagated across multiple switches connected by VLAN trunks?

Correct answer is B. Switches share learned MAC addresses dynamically through VLAN trunk links for proper forwarding.
