CAM Table – MAC Address Table Explained

1. What Is a CAM Table?

CAM stands for Content Addressable Memory. The CAM table is a specialised hardware memory structure inside every Ethernet switch that maps MAC addresses to switch ports and VLANs. It is the core data structure that enables a switch to make intelligent, per-frame forwarding decisions at wire speed — in nanoseconds.

Unlike conventional RAM — which stores data at a specific address and retrieves it by specifying that address — CAM memory works in reverse: you provide the content (the MAC address you are searching for) and the hardware instantly returns the associated data (the port number). This "search by content" capability is what enables parallel hardware lookups and makes Layer 2 switching so fast.

CAM table vs. MAC address table: In practice, these terms are used interchangeably. "CAM table" emphasises the underlying hardware mechanism (the Content Addressable Memory chip). "MAC address table" is the software/CLI representation that administrators interact with via show mac address-table. Both refer to the same data.

Related pages: MAC Addresses Explained | Network Switches | Network Bridges | Frame Forwarding | VLANs | Port Security Violation Modes | show mac address-table Command | Sticky MAC | MAC Address Table Management | Port Security & Sticky MAC

2. CAM vs. RAM — How Content Addressable Memory Works

Understanding why CAM is used instead of ordinary RAM helps explain how switches achieve nanosecond forwarding decisions.

Property | RAM (Random Access Memory) | CAM (Content Addressable Memory)
---------|----------------------------|---------------------------------
How you search | Provide an address → get the stored data | Provide the content/data → get the matching address or result
Search method | Sequential or indexed lookup — one location at a time | Parallel hardware search — all entries checked simultaneously
Speed | Microseconds for a software search of a large table | Nanoseconds — hardware does all comparisons at once
Use in switches | Used for software processing (IOS code, packet buffers) | Used for the MAC address lookup table — every arriving frame triggers a CAM search
Cost and power | Cheap and low power per bit | Expensive and power-hungry per bit — the reason CAM tables have a finite size

Why parallel search matters: A 48-port Gigabit switch may need to make forwarding decisions for millions of frames per second. If the switch had to search its 8,000-entry MAC table sequentially for each frame, it could never keep up. CAM hardware checks all 8,000 entries simultaneously in a single clock cycle — enabling true wire-speed forwarding.

3. CAM Table Structure — What Each Entry Contains

Field | Description | Example Value
------|-------------|--------------
MAC Address | The 48-bit (6-byte) hardware address of the device | 0011.2233.4455
VLAN ID | The VLAN the MAC address was learned on — crucial for VLAN isolation | 10
Port | The switch interface the device is connected to | GigabitEthernet0/2
Type | How the entry was created: DYNAMIC (auto-learned) or STATIC (manually configured) | DYNAMIC
Age (Cisco IOS) | Minutes since the entry was last refreshed by incoming traffic from this MAC | 2 (mins)

Annotated show mac address-table Output

Switch# show mac address-table

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/2    ← PC on VLAN 10, learned 2 min ago
  10    aabb.ccdd.eeff    STATIC      Gi0/1    ← Server — manually pinned to port
  20    1122.3344.5566    DYNAMIC     Gi0/3    ← PC on VLAN 20
   1    ffff.ffff.ffff    STATIC      CPU      ← Broadcast address handled by CPU

Total Mac Addresses for this criterion: 4

VLAN scoping: The VLAN field is critical — the same MAC address can appear in the CAM table under different VLAN entries if a device is reachable through different VLANs (e.g., via trunk ports). The switch always considers both MAC and VLAN when making a forwarding decision.

4. How the Switch Learns MAC Addresses — Step by Step

MAC learning is entirely automatic and requires no administrator configuration. The switch learns from the source MAC address of every frame it receives — not the destination.

Complete Frame Forwarding and Learning Walkthrough

  Switch with 4 ports: Gi0/1 (PC-A), Gi0/2 (PC-B), Gi0/3 (PC-C), Gi0/4 (unused)
  CAM table starts empty. All devices on VLAN 10.

  ── Event 1: PC-A sends a frame to PC-B ──────────────────────────────
  Frame arrives on Gi0/1:
    Source MAC:      AA:AA:AA:AA:AA:AA
    Destination MAC: BB:BB:BB:BB:BB:BB

  Switch action:
  1. Learns source MAC: adds  AA:AA:AA:AA:AA:AA | VLAN 10 | Gi0/1 | DYNAMIC
  2. Looks up destination BB:BB:BB:BB:BB:BB → NOT IN TABLE
  3. Floods frame out Gi0/2, Gi0/3, Gi0/4 (all ports except source Gi0/1)

  CAM Table:  AA:AA | Gi0/1 | VLAN 10

  ── Event 2: PC-B replies to PC-A ────────────────────────────────────
  Frame arrives on Gi0/2:
    Source MAC:      BB:BB:BB:BB:BB:BB
    Destination MAC: AA:AA:AA:AA:AA:AA

  Switch action:
  1. Learns source MAC: adds  BB:BB:BB:BB:BB:BB | VLAN 10 | Gi0/2 | DYNAMIC
  2. Looks up destination AA:AA:AA:AA:AA:AA → FOUND on Gi0/1
  3. Forwards frame ONLY out Gi0/1 (unicast, no flooding)

  CAM Table:  AA:AA | Gi0/1 | VLAN 10
              BB:BB | Gi0/2 | VLAN 10

  ── Event 3: PC-A sends to PC-C ──────────────────────────────────────
  Destination CC:CC:CC:CC:CC:CC not in table → Floods out Gi0/2, Gi0/3, Gi0/4
  PC-C replies → Switch learns CC:CC → Gi0/3

  CAM Table:  AA:AA | Gi0/1 | VLAN 10
              BB:BB | Gi0/2 | VLAN 10
              CC:CC | Gi0/3 | VLAN 10

  Now all future frames between A, B, C are forwarded directly — no flooding.
            

Dynamic vs. Static Entries

Property | Dynamic Entry | Static Entry
---------|---------------|-------------
How created | Automatically when the switch receives a frame from that MAC | Manually configured by an administrator
Aging | Expires after inactivity (default 300 seconds / 5 minutes) | Never ages out — persists until manually removed or the switch reboots
Survives reboot | No — lost on switch reboot (re-learned from traffic) | Only if saved to startup-config; otherwise lost on reboot
Security | Can be poisoned by MAC spoofing — an attacker can send frames with a fake source MAC | Cannot be overwritten by incoming traffic — immune to MAC spoofing for that entry
Use case | All normal end-device communication | Critical infrastructure — servers, routers, firewalls that must always be on a specific port

Configuring a Static MAC Entry

! Pin server MAC to a specific port — cannot be moved or spoofed
Switch(config)# mac address-table static aabb.ccdd.eeff vlan 10 interface GigabitEthernet0/1

! Verify
Switch# show mac address-table static

5. CAM Table Aging Timer

Every dynamic entry in the CAM table has an aging timer. Each time a frame is received from a MAC address, that entry's timer resets to zero. If no frame is received from that MAC within the aging period, the entry is deleted — keeping the table current and freeing space for new entries.

  • Default aging time: 300 seconds (5 minutes) on Cisco switches.
  • Too short: Entries expire too quickly — the switch repeatedly floods traffic that it could have forwarded directly, increasing unnecessary flooded traffic on every port.
  • Too long: Stale entries occupy CAM space — a device that moved to a different port keeps being sent to the old port until the entry expires.

Configuring and Verifying the Aging Timer

! View current aging timer (default 300 seconds)
Switch# show mac address-table aging-time

! Change aging time globally (in seconds, 0 = disable aging)
Switch(config)# mac address-table aging-time 600

! Change aging time per VLAN
Switch(config)# mac address-table aging-time 120 vlan 10

! Clear all dynamic entries immediately (forces re-learning)
Switch# clear mac address-table dynamic

! Clear entries for a specific VLAN
Switch# clear mac address-table dynamic vlan 10

! Clear entry for a specific MAC address
Switch# clear mac address-table dynamic address aabb.ccdd.eeff
When to clear the CAM table: After a device is moved to a different switch port — clear its dynamic entry so the switch immediately re-learns its correct location rather than forwarding to the old port until the aging timer expires. This is especially important for servers and printers where brief connectivity loss matters.
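The learning walkthrough in Section 4 and the aging rules in this section, replayed in a small Python model. This is an added example, not Cisco code: the CAM table is a dictionary keyed by (VLAN, MAC), the clock is a simulated `now` argument, and the port and MAC names are the constructed ones from the walkthrough.

```python
from dataclasses import dataclass

DEFAULT_AGING = 300  # seconds: the Cisco IOS default aging time quoted in the text


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float  # simulated clock value when the entry was last refreshed


class CamTable:
    """Toy CAM table keyed by (VLAN, MAC), the way the switch keys it."""

    def __init__(self, ports, aging_time=DEFAULT_AGING):
        self.ports = list(ports)
        self.aging_time = aging_time
        self.table = {}

    def add_static(self, mac, vlan, port):
        """Equivalent of 'mac address-table static <mac> vlan <n> interface <port>'."""
        self.table[(vlan, mac.lower())] = Entry(port, True, 0.0)

    def age_out(self, now):
        """Delete dynamic entries idle for the full aging time; static entries never age."""
        expired = [k for k, e in self.table.items()
                   if not e.static and now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.table[k]
        return expired

    def learn(self, src, vlan, in_port, now):
        """Source-MAC learning: refresh the timer or (re)point the entry at the ingress port."""
        key = (vlan, src.lower())
        current = self.table.get(key)
        if current is not None and current.static:
            return  # a static entry is never moved by incoming traffic
        self.table[key] = Entry(in_port, False, now)

    def receive(self, src, dst, vlan, in_port, now):
        """Process one frame; returns (action, egress ports)."""
        self.age_out(now)
        self.learn(src, vlan, in_port, now)
        others = [p for p in self.ports if p != in_port]
        if dst.lower() == "ff:ff:ff:ff:ff:ff":
            return "broadcast", others
        hit = self.table.get((vlan, dst.lower()))
        if hit is None:
            return "flood", others      # unknown unicast: every port in the VLAN except the source
        if hit.port == in_port:
            return "filter", []         # destination lives on the ingress port: drop
        return "forward", [hit.port]

    def entries(self, vlan):
        return {mac: e.port for (v, mac), e in self.table.items() if v == vlan}


def walkthrough():
    """Replays Events 1-3 from the text, then shows VLAN scoping, aging and a static entry."""
    sw = CamTable(["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"])
    a, b, c, srv = ("AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB",
                    "CC:CC:CC:CC:CC:CC", "DD:DD:DD:DD:DD:DD")
    log = [
        sw.receive(a, b, 10, "Gi0/1", now=0),    # Event 1: B unknown -> flood
        sw.receive(b, a, 10, "Gi0/2", now=1),    # Event 2: A known -> Gi0/1 only
        sw.receive(a, c, 10, "Gi0/1", now=2),    # Event 3: C unknown -> flood
        sw.receive(c, a, 10, "Gi0/3", now=3),    # C learned on Gi0/3
        sw.receive(b, c, 10, "Gi0/2", now=4),    # now every pair forwards directly
        sw.receive(a, b, 20, "Gi0/1", now=5),    # same MACs on VLAN 20: B unknown there -> flood
        sw.receive(a, b, 10, "Gi0/1", now=304),  # B silent for 300 s: aged out -> flood again
    ]
    sw.add_static(srv, 10, "Gi0/4")              # pin the server, as in Section 4
    # Server MAC arriving on Gi0/2 does not move the static entry off Gi0/4
    log.append(sw.receive(srv, a, 10, "Gi0/2", now=310))
    return log, sw.entries(10)


if __name__ == "__main__":
    for step, result in enumerate(walkthrough()[0], 1):
        print(step, result)
```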

6. CAM Table Size and Limits

Every switch has a finite CAM table capacity — determined by the amount of CAM hardware installed on the ASIC. CAM is expensive and power-hungry, so manufacturers balance capacity against cost.

Switch Category | Typical CAM Table Size | Example Models
----------------|------------------------|---------------
SOHO / Unmanaged | 1,000 – 4,000 entries | Netgear GS308, TP-Link TL-SG108
SMB Managed | 8,000 – 16,000 entries | Cisco SG350, Cisco 2960
Enterprise Access | 16,000 – 32,000 entries | Cisco Catalyst 3750, 3850, 9200
Enterprise Core/Distribution | 128,000 – 1,000,000+ entries | Cisco Catalyst 9500, Nexus 9000

Practical impact: In most enterprise access layer deployments, CAM table overflow from legitimate device counts is rare — a 48-port switch with 8,000 entries has 167 entries per port on average. The risk comes from MAC flooding attacks, where an attacker deliberately fills the table with fake entries (see Section 7).

Checking CAM Table Utilisation

! Show total entries and current count
Switch# show mac address-table count

Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count  :  156
Static  Address Count  :    3
Total Mac Addresses    :  159

Total Mac Address Space Available: 7933

7. MAC Flooding Attack — CAM Table Overflow

A MAC flooding attack (also called a CAM table overflow attack) is a Layer 2 attack in which an attacker deliberately sends thousands of Ethernet frames with randomly generated, fake source MAC addresses. The switch dutifully learns each one, filling the CAM table until it reaches capacity.

Attack Progression

  Normal operation:
  ┌──────────────────────────────────────────────────┐
  │ CAM Table (8,000 entries, 156 used)              │
  │ PC-A → Gi0/1 | PC-B → Gi0/2 | Server → Gi0/3   │
  │ Switch forwards frames directly — no flooding    │
  └──────────────────────────────────────────────────┘

  Attacker connects to Gi0/4 and runs macof / scapy:
  Sends 8,000+ frames with fake source MACs per second
  ↓
  ┌──────────────────────────────────────────────────┐
  │ CAM Table — FULL (8,000/8,000 entries)           │
  │ Fake MACs: 0001.0001.0001 → Gi0/4               │
  │            0001.0001.0002 → Gi0/4               │
  │            ... (8,000 fake entries)              │
  │ Legitimate MACs: EVICTED to make room            │
  └──────────────────────────────────────────────────┘
  ↓
  Switch enters "fail-open" mode:
  Every frame with an unknown destination is FLOODED to all ports
  ↓
  Attacker's port (Gi0/4) receives ALL traffic — including:
  • PC-A ↔ Server communications
  • Credentials, files, emails in plaintext
  → MAN-IN-THE-MIDDLE / PACKET SNIFFING attack

Fail-open vs. fail-closed: Most switches fail open — when the CAM table overflows, they flood all unknown traffic rather than blocking it. This prioritises availability (network keeps working) but sacrifices confidentiality. Some enterprise switches can be configured to fail closed — dropping all traffic when the table is full — but this causes an outage.
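The check a defender runs for this, as an added example (Python, not Cisco code): parse the `show mac address-table` output format from Section 3 and flag any port carrying far more dynamic MACs than an access port plausibly should. The sample output is constructed, with 2,500 sequential fake entries on Gi0/4 standing in for an overflow in progress.

```python
import re
from collections import Counter

# One entry row: "  10    0011.2233.4455    DYNAMIC     Gi0/2" (Cisco dotted-hex MAC)
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)

# Constructed output: the four rows from Section 3 plus 2,500 sequential fake MACs on Gi0/4
SAMPLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/2
  10    aabb.ccdd.eeff    STATIC      Gi0/1
  20    1122.3344.5566    DYNAMIC     Gi0/3
   1    ffff.ffff.ffff    STATIC      CPU
""" + "".join(f"  10    0001.0001.{i:04x}    DYNAMIC     Gi0/4\n" for i in range(1, 2501))


def parse_mac_table(text):
    """Return (vlan, mac, type, port) for each entry row, skipping headers and totals."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows


def dynamic_count_per_port(rows):
    """How many dynamically learned MACs sit behind each port."""
    return Counter(port for _, _, kind, port in rows if kind == "DYNAMIC")


def assess(rows, capacity, per_port_limit=50):
    """Table utilisation plus the ports whose dynamic count is implausible for an
    access port. A port feeding one PC should hold a handful of MACs; thousands of
    sequential addresses behind a single port is the footprint of a flood."""
    counts = dynamic_count_per_port(rows)
    total = len(rows)
    flagged = {port: n for port, n in counts.items() if n > per_port_limit}
    return {"total": total, "utilisation": round(total / capacity, 3), "flagged": flagged}


if __name__ == "__main__":
    result = assess(parse_mac_table(SAMPLE), capacity=8000)
    print(result)  # {'total': 2504, 'utilisation': 0.313, 'flagged': {'Gi0/4': 2500}}
```

The flagged port is where port security (Section 8) caps learning; the same parser works on `show mac address-table interface <port>` output when narrowing down a suspect port.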

8. Port Security — Defending Against CAM Overflow

Port security is the primary Cisco IOS defence against MAC flooding attacks. It limits the number of MAC addresses that can be learned on a single switch port and defines what happens when that limit is exceeded.

Port Security Configuration

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

! Enable port security
Switch(config-if)# switchport port-security

! Set maximum allowed MACs (default is 1)
Switch(config-if)# switchport port-security maximum 2

! Define the violation action (shutdown is default)
Switch(config-if)# switchport port-security violation shutdown

! Verify
Switch# show port-security interface GigabitEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 0

Port Security Violation Modes — see Violation Modes

Violation Mode | What Happens | Syslog Alert | Port Status | Counter Increments
---------------|--------------|--------------|-------------|-------------------
Shutdown (default) | Port placed in err-disabled state — all traffic stopped | Yes | err-disabled | Yes
Restrict | Violating frames dropped; port stays up for allowed MACs | Yes | Up | Yes
Protect | Violating frames silently dropped; port stays up | No | Up | No

Recover from err-disabled port:

! Manual recovery — shut down then bring back up
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

! Automatic recovery (after a timer)
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300

See: Port Security & Sticky MAC (Step-by-Step)

9. Sticky MAC — Dynamic-to-Static Conversion

Sticky MAC (also called sticky secure MAC) is a port security feature that combines the convenience of dynamic learning with the persistence of static entries. When enabled, the switch automatically learns MAC addresses dynamically but immediately converts them to static-style entries that persist across reboots (when saved to startup-config) and cannot be overwritten by traffic from a different device.

Sticky MAC Configuration

! Enable port security with sticky learning
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown

! After a device connects, verify sticky entries were learned
Switch# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureSticky                  Gi0/1        -

! Save to startup-config to survive reboots
Switch# write memory

Ideal use case: A locked-down desktop environment where each port should only ever connect to one specific workstation. Enable sticky MAC with maximum 1, violation shutdown. When the PC first connects, its MAC is sticky-learned and saved. If anyone unplugs the PC and connects a different device (including an attacker's laptop), the port immediately err-disables — alerting the security team via syslog.

See: Sticky MAC Explained | Port Security & Sticky MAC
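A model of one port-security-enabled access port, added to show the three violation modes from Section 8 and what sticky learning (Section 9) changes about a reboot. This is an added example, not Cisco code: MAC values are constructed and the log strings are placeholders, not the real IOS syslog text.

```python
class SecurePort:
    """Model of 'switchport port-security' on one access port (constructed, not Cisco code)."""

    MODES = ("shutdown", "restrict", "protect")

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = []       # secure addresses in the order they were learned
        self.running_config = []    # sticky addresses land here as they are learned
        self.startup_config = []    # filled only by write_memory()
        self.status = "secure-up"
        self.violation_count = 0
        self.syslog = []            # placeholder messages, not the real IOS text

    def receive(self, src_mac):
        """Return 'accept' or 'drop' for one frame, applying the violation policy."""
        mac = src_mac.lower()
        if self.status == "err-disabled":
            return "drop"                            # nothing passes until recovered
        if mac in self.secure_macs:
            return "accept"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)             # learned as a secure address
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "accept"
        # Limit reached and this MAC is not secure: a violation
        if self.violation == "shutdown":
            self.status = "err-disabled"
            self.violation_count += 1
            self.syslog.append(f"SIM: {self.name} err-disabled by {mac}")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"SIM: violation on {self.name} from {mac}")
        # protect: drop silently, no log, no counter
        return "drop"

    def recover(self):
        """'shutdown' / 'no shutdown', or errdisable recovery firing."""
        self.status = "secure-up"

    def write_memory(self):
        self.startup_config = list(self.running_config)

    def reboot(self):
        """Secure MACs survive only as sticky lines in startup-config."""
        self.running_config = list(self.startup_config)
        self.secure_macs = [line.split()[-1] for line in self.startup_config]
        self.status = "secure-up"
        self.violation_count = 0
        self.syslog = []


def violation_demo(mode):
    """Maximum 1; a second device appears; then the authorised device sends again."""
    p = SecurePort("Gi0/2", maximum=1, violation=mode)
    first = p.receive("00:11:22:33:44:55")
    second = p.receive("66:77:88:99:aa:bb")
    again = p.receive("00:11:22:33:44:55")
    return first, second, again, p.status, p.violation_count, len(p.syslog)


def sticky_reboot_demo(save_config):
    """Sticky learning, optional 'write memory', reboot: which MACs come back?"""
    p = SecurePort("Gi0/7", maximum=1, violation="shutdown", sticky=True)
    p.receive("00:11:22:33:44:55")
    if save_config:
        p.write_memory()
    p.reboot()
    return list(p.secure_macs), list(p.running_config)


if __name__ == "__main__":
    for mode in SecurePort.MODES:
        print(mode, violation_demo(mode))
    print("saved:", sticky_reboot_demo(True), "unsaved:", sticky_reboot_demo(False))
```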

10. MAC Flapping — Detection and Causes

MAC flapping occurs when the same MAC address is learned on multiple different ports in rapid succession. The switch sees the same source MAC arriving first on Port A, then on Port B, then back on Port A — it keeps updating the CAM entry, causing the entry to "flap" between ports.

Common Causes of MAC Flapping

Cause | Explanation | Diagnosis
------|-------------|----------
Layer 2 loop (STP failure) | A redundant path without STP protection causes frames to circulate — the switch sees the same source MAC on multiple ports as frames loop around | Check the STP topology; check whether STP is missing on the redundant link or has failed to block it
MAC spoofing attack | An attacker sends frames using a victim's MAC address from a different port, impersonating the victim | Security alert: two ports claiming the same MAC; investigate the new port
VM migration (live migration) | A virtual machine moves from one physical host to another, so its MAC appears on a new uplink port. Expected and normal in virtualised environments | Correlate with VM management events; expected during scheduled migrations
Misconfigured EtherChannel | An EtherChannel bundle is broken: one physical link is active but bundle negotiation is failing, so traffic appears on the individual links alternately | Check show etherchannel summary for bundle status

Detecting MAC Flapping

! Syslog message generated when MAC flapping is detected:
%MAC_MOVE-SP-4-NOTIF: Host 0011.2233.4455 in vlan 10 is flapping
  between port Gi0/1 and port Gi0/2

! Check current CAM table for the suspected MAC
Switch# show mac address-table address 0011.2233.4455

! Show MAC move notifications (if configured)
Switch# show mac address-table notification mac-move
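Triage of the %MAC_MOVE notification shown above from a syslog feed, as an added example (Python, not Cisco code): moves are grouped per host and port pair so that a host flapping continuously (loop or spoofing) is separated from a single move (migration or cable swap), and known hypervisor uplink pairs can be marked as expected. The log lines are constructed in the format quoted in the text.

```python
import re
from collections import defaultdict

# Pattern for the notification shown in the text; the "-SP-" part varies by platform.
MAC_MOVE = re.compile(
    r"%MAC_MOVE-\w+-4-NOTIF: Host ([0-9a-f.]+) in vlan (\d+) is flapping "
    r"between port (\S+) and port (\S+)", re.I)

# Constructed syslog extract: one host flapping repeatedly, one moving once, one unrelated line
LOG = """\
Jan 10 09:00:01 sw1 %MAC_MOVE-SP-4-NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
Jan 10 09:00:03 sw1 %MAC_MOVE-SP-4-NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi0/2 and port Gi0/1
Jan 10 09:00:05 sw1 %MAC_MOVE-SP-4-NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
Jan 10 09:12:40 sw1 %MAC_MOVE-SP-4-NOTIF: Host 0050.56ab.1234 in vlan 20 is flapping between port Gi1/0/12 and port Gi1/0/36
Jan 10 09:13:00 sw1 %LINK-3-UPDOWN: Interface Gi0/5, changed state to up
"""


def parse_mac_moves(text):
    """Return (mac, vlan, (port_a, port_b)) per notification; the port pair is sorted
    so that Gi0/1->Gi0/2 and Gi0/2->Gi0/1 count as the same flap."""
    moves = []
    for line in text.splitlines():
        m = MAC_MOVE.search(line)
        if m:
            mac, vlan, p1, p2 = m.groups()
            moves.append((mac.lower(), int(vlan), tuple(sorted((p1, p2)))))
    return moves


def flap_summary(moves, persistent_threshold=3, expected_pairs=()):
    """Count moves per (mac, vlan, port pair) and classify them:
    'expected'   the port pair is a known hypervisor uplink pair (VM migration)
    'persistent' repeated moves: investigate for an L2 loop or MAC spoofing
    'one-off'    a single move, consistent with a cable swap or a migration"""
    counts = defaultdict(int)
    for mac, vlan, pair in moves:
        counts[(mac, vlan, pair)] += 1
    summary = {}
    for (mac, vlan, pair), n in counts.items():
        if pair in expected_pairs:
            label = "expected"
        elif n >= persistent_threshold:
            label = "persistent"
        else:
            label = "one-off"
        summary[(mac, vlan, pair)] = (label, n)
    return summary


if __name__ == "__main__":
    for key, verdict in flap_summary(parse_mac_moves(LOG)).items():
        print(key, verdict)
```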

11. CAM Table vs. TCAM — The Hardware Distinction

Modern switches contain both CAM and TCAM (Ternary Content Addressable Memory). Understanding the difference is useful for the CCNA exam and for understanding why ACLs and QoS are handled separately from MAC forwarding.

Aspect | CAM (Binary CAM) | TCAM (Ternary CAM)
-------|------------------|-------------------
Match values | Binary: 0 or 1 only — exact match required | Ternary: 0, 1, or X (don't care) — supports wildcard matching
Primary use | Layer 2 MAC address lookups | ACLs, QoS, Layer 3 routing table (longest prefix match), Layer 4 port matching
Match type | Exact match only (e.g., exact MAC address) | Partial/wildcard match (e.g., IP prefix with subnet mask, ACL wildcard)
Example lookup | "Is MAC 0011.2233.4455 in the table?" | "Does this IP match any ACE that says permit 10.0.0.0/8?"
Cost per entry | Less expensive | More expensive — the "don't care" state requires extra hardware per bit

Analogy: CAM is like a phone book that only works if you know the exact name. TCAM is like a search engine that works with partial names or wildcards — "all names starting with 10.0.*.*".
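The two match types side by side, as an added example (Python, a software illustration rather than a hardware model): an exact-match lookup keyed on all 48 MAC bits, and a value/mask ternary match over IPv4 prefixes where a 0 mask bit is the "don't care" state, ordered so the first hit is the longest prefix for routes and the configured order for an ACL. The entries are constructed.

```python
import ipaddress


def mac_key(mac):
    """Normalise 'aabb.ccdd.eeff', 'aa:bb:...' or 'aa-bb-...' to a 48-bit integer."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


class BinaryCam:
    """Every stored bit must equal the search key bit: exact match or no match."""

    def __init__(self):
        self.entries = {}

    def add(self, mac, port):
        self.entries[mac_key(mac)] = port

    def lookup(self, mac):
        return self.entries.get(mac_key(mac))


class Tcam:
    """Entries are (value, mask, result); a 0 mask bit is the 'don't care' (X) state.
    Hardware compares all entries in parallel and returns the lowest-index hit, so
    entry order decides ties: longest prefix first for routing, configured order for ACLs."""

    def __init__(self, longest_prefix_first=False):
        self.longest_prefix_first = longest_prefix_first
        self.entries = []

    def add(self, cidr, result):
        net = ipaddress.ip_network(cidr, strict=False)
        self.entries.append((int(net.network_address), int(net.netmask), result))
        if self.longest_prefix_first:
            self.entries.sort(key=lambda e: bin(e[1]).count("1"), reverse=True)

    def lookup(self, ip):
        key = int(ipaddress.ip_address(ip))
        for value, mask, result in self.entries:
            if key & mask == value:           # only the bits the mask cares about must match
                return result
        return None                           # ACL: implicit deny; routing: no route


def demo():
    cam = BinaryCam()
    cam.add("0011.2233.4455", "Gi0/2")

    routes = Tcam(longest_prefix_first=True)
    routes.add("10.0.0.0/8", "via 10.0.0.1")
    routes.add("10.1.2.0/24", "via 10.1.2.1")
    routes.add("0.0.0.0/0", "default route")

    acl = Tcam()                              # first match wins, in the order written
    acl.add("10.1.2.0/24", "deny")
    acl.add("10.0.0.0/8", "permit")

    return {
        "cam_exact": cam.lookup("00:11:22:33:44:55"),      # same 48 bits, different notation
        "cam_near_miss": cam.lookup("00:11:22:33:44:56"),  # one bit off: no entry
        "lpm": routes.lookup("10.1.2.77"),                 # /24 wins over /8
        "lpm_fallback": routes.lookup("10.9.9.9"),         # only the /8 matches
        "lpm_default": routes.lookup("192.168.1.1"),       # mask 0 matches everything
        "acl_deny": acl.lookup("10.1.2.5"),
        "acl_permit": acl.lookup("10.3.0.1"),
        "acl_implicit": acl.lookup("172.16.0.1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```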

12. Cisco IOS Commands — Complete Reference

Command | What It Does
--------|-------------
show mac address-table | Display all CAM table entries — MAC, VLAN, type, port
show mac address-table dynamic | Show only dynamically learned entries
show mac address-table static | Show only statically configured entries
show mac address-table vlan 10 | Filter entries for a specific VLAN
show mac address-table interface Gi0/1 | Show MACs learned on a specific port
show mac address-table count | Show total entry count, usage, and available space
show mac address-table aging-time | Show current aging timer value
clear mac address-table dynamic | Flush all dynamic entries — switch re-learns from traffic
mac address-table aging-time 600 | Change aging time to 600 seconds globally
mac address-table static aabb.ccdd.eeff vlan 10 int Gi0/1 | Manually pin a MAC address to a specific port and VLAN
show port-security | Summary of port security on all interfaces
show port-security interface Gi0/1 | Detailed port security status for a specific port
show port-security address | Show all secure MAC addresses (static and sticky)

13. Troubleshooting CAM Table Issues

Symptom | Likely Cause | Diagnosis & Fix
--------|--------------|----------------
Traffic flooding to all ports continuously | CAM table overflow (MAC flooding attack or too many devices) | show mac address-table count — if near capacity, enable port security; investigate connected devices for attack tools
Syslog: MAC flapping between ports | Layer 2 loop, MAC spoofing, or VM live migration | Check STP with show spanning-tree; verify EtherChannel with show etherchannel summary; if an attack is suspected, check the new port
Device unreachable after being moved to a new port | Stale CAM entry still points to old port | Wait for the aging timer (up to 300s) or run clear mac address-table dynamic address <MAC>
Port in err-disabled state | Port security violation — unauthorised device detected | Identify the connected device; if authorised, shut/no shut the port or configure auto-recovery with errdisable recovery
Device connects but cannot communicate | Wrong VLAN, or MAC learned on wrong port (e.g., after cable swap) | show mac address-table interface <port> — verify MAC and VLAN match expected values

14. Common Misconceptions About the CAM Table

  • "The CAM table stores IP addresses."
    The CAM table stores only MAC addresses, VLANs, and ports. It operates entirely at Layer 2 — no IP addresses are involved. IP-to-MAC mapping is the ARP table's job (on hosts) or the switch's DHCP Snooping binding table.
  • "MAC flooding only causes slow performance."
    MAC flooding is primarily a security attack, not a performance attack. When the CAM table overflows and the switch floods all traffic, every device on the segment can see every frame — enabling passive sniffing of sensitive data including credentials transmitted in plaintext (Telnet, HTTP, FTP).
  • "Static CAM entries are automatically saved."
    Static MAC entries added with mac address-table static exist only in running-config and are lost on reboot unless you run write memory. The same applies to sticky MAC entries.
  • "Clearing the CAM table disconnects active TCP sessions."
    Clearing dynamic CAM entries does not drop TCP connections. On the next frame, the switch simply floods (unknown destination) while re-learning the MAC — the re-learning happens within milliseconds and active sessions continue uninterrupted.
  • "The CAM table and routing table serve the same purpose."
    The CAM table is a Layer 2 structure mapping MAC addresses to ports for intra-VLAN frame forwarding. The routing table (RIB) is a Layer 3 structure mapping IP prefixes to next-hop addresses for inter-network packet forwarding. They are completely separate data structures used at different OSI layers.

15. Key Points & Exam Tips

  • CAM = Content Addressable Memory — searched by content (MAC address), returns the associated port. Parallel hardware lookup — nanosecond speed.
  • The CAM table stores: MAC address, VLAN, port, type (dynamic/static).
  • Switches learn from source MAC addresses — not destination MACs.
  • Unknown unicast destination → flood all ports in VLAN except source port.
  • Default aging timer: 300 seconds (5 minutes). Static entries never age out.
  • MAC flooding attack fills the CAM table with fake MACs → switch floods all traffic → attacker can sniff the network. Mitigated with port security.
  • Port security violation modes: Shutdown (err-disable), Restrict (drop + log), Protect (silent drop). Shutdown is the default.
  • Sticky MAC: dynamically learned but treated as static — saved to running-config, persists across reboots if written to startup-config.
  • MAC flapping: same MAC seen on multiple ports — indicates a loop, spoofing, or VM migration. Generates syslog alerts.
  • TCAM vs CAM: TCAM supports wildcard (don't care) matching — used for ACLs, QoS, and routing table lookups. CAM is exact-match only — used for MAC lookups.
  • Key commands: show mac address-table, clear mac address-table dynamic, show port-security.

Related pages: MAC Addresses | Network Switches | Network Bridges | Frame Forwarding | VLANs | STP Overview | Port Security Violation Modes | show mac address-table Command | Sticky MAC | ARP & arp -a | MAC Address Table Management | Port Security & Sticky MAC | DHCP Snooping & DAI

16. CAM Table Quiz

1. A switch receives a frame on port Gi0/3 with source MAC AA:BB:CC:DD:EE:FF and destination MAC 00:11:22:33:44:55. The destination is already in the CAM table mapped to Gi0/1. The source MAC is NOT in the CAM table. What are the two things the switch does?

Correct answer is C. The switch always performs two independent operations: (1) it learns from the source MAC address by adding AA:BB:CC:DD:EE:FF mapped to the arrival port Gi0/3, and (2) it looks up the destination MAC 00:11:22:33:44:55 — since it is already in the table mapped to Gi0/1, the frame is forwarded directly and only to Gi0/1. Source learning always occurs regardless of whether the destination is known.

2. An attacker connects a laptop to a switch port and uses a tool to send 50,000 frames per second with randomly generated source MAC addresses. After 30 seconds, legitimate users report their traffic is visible on the attacker's packet capture. Why?

Correct answer is D. This is a MAC flooding (CAM table overflow) attack. The attacker sends frames with thousands of fake source MACs, filling the CAM table. Once full, legitimate MACs are evicted to make room. When frames destined for those legitimate MACs arrive, the switch cannot find them in the CAM table and falls back to flooding — sending every frame to all ports, including the attacker's. The attacker can then passively capture all traffic on the segment.

3. Port security is configured on Gi0/2 with maximum 1 MAC and violation mode "restrict." A second device is connected to the same port. What happens?

Correct answer is B. In "restrict" mode, frames from unauthorised MACs are dropped, a syslog alert is generated, and the violation counter increments — but the port stays up and the first (authorised) device continues to communicate normally. This differs from "shutdown" (port err-disables, all traffic stops) and "protect" (frames silently dropped, no log, no counter increment). Restrict gives visibility into violations without causing an outage.

4. A network engineer needs the MAC address of a desktop PC to remain pinned to port Gi0/5 permanently — surviving reboots and immune to MAC spoofing — without having to type the MAC address manually. Which feature accomplishes this?

Correct answer is A. Sticky MAC (switchport port-security mac-address sticky) dynamically learns the first MAC address that connects to the port and immediately converts it to a secure static entry (visible as "SecureSticky" in show port-security address). After running write memory, these entries survive reboots. If a different device tries to connect, the port security violation action triggers. No manual MAC entry is required — the admin just enables the feature and lets the first legitimate device connect.

5. The syslog on a core switch logs the following repeatedly:
%MAC_MOVE-SP-4-NOTIF: Host 0050.56ab.1234 in vlan 20 is flapping between port Gi1/0/12 and port Gi1/0/36
What are the two most likely causes to investigate?

Correct answer is C. MAC flapping — the same MAC appearing on different ports — has two primary causes: (1) A Layer 2 loop where frames circulate and appear on multiple ports — check show spanning-tree vlan 20 for topology issues on the path between Gi1/0/12 and Gi1/0/36. (2) A MAC spoofing attack — a device on Gi1/0/36 is sending frames using MAC 0050.56ab.1234 (which legitimately belongs to a device on Gi1/0/12) to intercept traffic. VM live migration can also cause this but is expected and intermittent rather than continuous flapping.

6. Why does TCAM (Ternary CAM) support ACL and routing table lookups while binary CAM cannot?

Correct answer is D. Binary CAM only matches exact values (0 or 1 per bit) — perfect for exact MAC address lookups but useless for anything requiring partial matches. TCAM adds a third state: "don't care" (X) — a bit marked X matches both 0 and 1. This enables: IP routing (match a /24 prefix where only the first 24 bits matter), ACLs (match 10.0.0.0/8 meaning first 8 bits = 10, rest don't care), and QoS marking (match DSCP values). Both CAM and TCAM use parallel hardware search — TCAM is not software-based.

7. A server is moved from Gi0/10 to Gi0/15 on the same switch. Immediately after the move, some clients can reach the server but others cannot — then all clients can reach it about 5 minutes later. What is the most likely explanation?

Correct answer is B. The switch's CAM table still has the server's MAC mapped to Gi0/10 (the old port). Frames destined for the server are forwarded to Gi0/10 — but nothing is connected there — and are silently discarded. Once the server sends its first frame from Gi0/15 (or the 300-second aging timer expires), the CAM entry is updated to Gi0/15 and all clients reach the server normally. The immediate fix is: clear mac address-table dynamic address <server-MAC> — this forces re-learning instantly without waiting for the timer.

8. Port security is enabled with sticky MAC on Gi0/7, maximum 1, violation shutdown. The configuration is saved. The switch reboots. Which statement is correct?

Correct answer is A. Sticky MAC entries, when the configuration is saved with write memory, are written to the startup-config as switchport port-security mac-address sticky <MAC> entries. On reboot, the startup-config is loaded and the sticky MAC entry is restored — the authorised device can reconnect immediately. If the config is NOT saved before reboot, the sticky entry is lost and the first device to connect (which may not be the authorised one) claims the secure port. This is why write memory after enabling sticky MAC is a critical best practice step.

9. A security audit finds that a switch has 7,980 CAM entries out of 8,000 capacity, all of them dynamic. The switch has only 48 ports and each port connects to a single PC. What does this anomaly most likely indicate?

Correct answer is C. With 48 ports each connecting a single PC, the expected CAM table size is approximately 48–50 entries (one per PC, plus switches and gateway). Having 7,980 entries — nearly the full capacity — when only 48 devices are connected is a strong indicator of a MAC flooding attack. An attacker's tool (such as macof) can generate thousands of fake source MACs per second. Run show mac address-table count to see the breakdown, identify the port with the most entries using show mac address-table interface, and enable port security to limit entries per port.

10. A switch engineer wants to prevent a specific port from ever learning more than 3 MAC addresses AND ensure those addresses are retained after a maintenance reboot without needing to manually re-enter them. Which combination of commands achieves this?

Correct answer is B. The full solution requires three steps: (1) switchport port-security maximum 3 limits the port to 3 MACs, (2) switchport port-security mac-address sticky converts dynamically learned MACs to sticky entries — no manual MAC entry needed, (3) write memory after the 3 authorised devices have connected saves the sticky entries to startup-config so they survive the reboot. Option A (aging-time 0) disables aging but does not make entries persist through reboots. Option C requires manual MAC entry. Option D default settings do not enable sticky learning or post-reboot persistence.
