show mac address-table – CAM Table, MAC Learning, Port Security & Attacks

1. What Is the MAC Address Table (CAM Table)?

The MAC address table — also called the CAM table (Content Addressable Memory table) — is the switch's forwarding database. It maps Layer 2 MAC addresses to the physical switch ports (and VLANs) where those devices were last seen. The switch uses this table to make intelligent forwarding decisions: rather than flooding every frame out every port, it sends frames only out the specific port where the destination device lives.

  Without MAC address table (switch behaviour on first frame):
  PC-A sends frame to PC-B. Switch has never seen PC-B's MAC.
  Switch FLOODS the frame out ALL ports except the incoming port.
  PC-B receives it and replies. Switch learns PC-B's port from the reply.

  With MAC address table (subsequent frames):
  PC-A sends frame to PC-B. Switch looks up PC-B's MAC: found on Gi0/3.
  Switch UNICASTS the frame ONLY out Gi0/3. All other ports are silent.

  This is the fundamental difference between a HUB (always floods)
  and a SWITCH (forwards intelligently using the CAM table).

  CAM table structure:
  +--------+-------------------+----------+------------+
  | VLAN   | MAC Address       | Type     | Port       |
  +--------+-------------------+----------+------------+
  |   1    | 0001.63ab.cd22    | DYNAMIC  | Gi0/1      |
  |  10    | 0050.56be.325c    | STATIC   | Gi0/2      |
  |  20    | 0090.abcd.1234    | SECURE   | Gi0/10     |
  | 100    | aabb.ccdd.eeff    | DYNAMIC  | Gi0/24     |
  +--------+-------------------+----------+------------+

2. How MAC Address Learning Works — Step by Step

  MAC learning process:

  Initial state: CAM table is empty.

  Step 1 — Frame arrives on port Gi0/1 from PC-A (MAC: 0011.AAAA.AAAA):
    Source MAC 0011.AAAA.AAAA seen on Gi0/1, VLAN 10
    -> ADD to table: VLAN 10 | 0011.AAAA.AAAA | DYNAMIC | Gi0/1
    Aging timer: RESET to 300 seconds for this entry

  Step 2 — Destination lookup (PC-B: 0022.BBBB.BBBB):
    Not in table -> UNKNOWN UNICAST
    -> FLOOD frame out ALL ports in VLAN 10 EXCEPT Gi0/1 (ingress)

  Step 3 — PC-B replies from port Gi0/3:
    Source MAC 0022.BBBB.BBBB seen on Gi0/3, VLAN 10
    -> ADD to table: VLAN 10 | 0022.BBBB.BBBB | DYNAMIC | Gi0/3

  Step 4 — PC-A sends second frame to PC-B:
    Destination 0022.BBBB.BBBB -> FOUND in table on Gi0/3
    -> UNICAST frame directly out Gi0/3 only
    -> RESET aging timer for 0011.AAAA.AAAA (entry refreshed)

  Step 5 — PC-A is silent for 300 seconds:
    Aging timer for 0011.AAAA.AAAA reaches zero
    -> REMOVE entry from table
    Next frame from PC-A will trigger a new learn + flood cycle
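The five-step walk-through above, modelled as a small Python simulation added here (it is not Cisco code and not part of the original page). The switch, its port-to-VLAN map, the MACs and the simulated clock are constructed for the example; the model learns the source MAC of every frame, floods unknown unicast only within the ingress VLAN, and ages entries out after 300 seconds of silence:

```python
"""Toy model of switch MAC learning, unknown-unicast flooding and aging.

Added example, not Cisco code. Ports, VLANs, MACs and the clock are constructed
to mirror the step-by-step walk-through on this page.
"""
from dataclasses import dataclass, field

AGING_SECONDS = 300  # IOS default global aging time, as stated on this page


@dataclass
class CamEntry:
    port: str
    last_seen: float  # simulated clock value (seconds) when the source MAC was last seen


@dataclass
class Switch:
    """Access switch: every port belongs to exactly one VLAN (no trunks in this toy)."""
    ports: dict                                  # port name -> VLAN id
    aging: int = AGING_SECONDS
    table: dict = field(default_factory=dict)    # (vlan, mac) -> CamEntry

    def expire(self, now):
        """Remove dynamic entries whose aging timer has reached zero."""
        stale = [k for k, e in self.table.items() if now - e.last_seen >= self.aging]
        for key in stale:
            del self.table[key]

    def receive(self, in_port, src, dst, now):
        """Process one frame and return the list of ports it is forwarded out of."""
        self.expire(now)
        vlan = self.ports[in_port]
        src, dst = src.lower(), dst.lower()
        # Step 1: learn the SOURCE MAC against ingress port + VLAN and (re)set its timer
        self.table[(vlan, src)] = CamEntry(in_port, now)
        # Step 2: look the DESTINATION MAC up, in this VLAN only
        entry = self.table.get((vlan, dst))
        if entry is None or dst == "ffff.ffff.ffff":
            # unknown unicast or broadcast: flood to every port in the VLAN except ingress
            return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)
        if entry.port == in_port:
            return []  # destination sits behind the ingress port (hub): filter the frame
        return [entry.port]


def walkthrough():
    """Replay steps 1-5 from the page and return what the switch did at each step."""
    sw = Switch(ports={"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 10, "Gi0/4": 20})
    pc_a, pc_b = "0011.AAAA.AAAA", "0022.BBBB.BBBB"
    first = sw.receive("Gi0/1", pc_a, pc_b, now=0)      # PC-B unknown: flood VLAN 10 only
    reply = sw.receive("Gi0/3", pc_b, pc_a, now=1)      # PC-B learned; PC-A known: unicast
    second = sw.receive("Gi0/1", pc_a, pc_b, now=2)     # both known: unicast out Gi0/3
    sw.receive("Gi0/3", pc_b, pc_a, now=200)            # PC-B keeps talking, PC-A goes silent
    sw.expire(now=302)                                  # 300 s after PC-A's last frame
    aged_out = (10, pc_a.lower()) not in sw.table
    entries = len(sw.table)                             # only PC-B should remain
    after_aging = sw.receive("Gi0/3", pc_b, pc_a, now=303)  # PC-A unknown again: flood
    return {"first": first, "reply": reply, "second": second,
            "aged_out": aged_out, "entries": entries, "after_aging": after_aging}


if __name__ == "__main__":
    print(walkthrough())
```

Note that Gi0/4 (VLAN 20) never receives the flooded frame: unknown-unicast flooding is scoped to the ingress VLAN, which is the Layer 2 isolation section 7 describes.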

3. show mac address-table — Full Command Reference

! ── Full table ────────────────────────────────────────────────────────────
Switch# show mac address-table

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0001.63ab.cd22    DYNAMIC     Gi0/1
  10    0050.56be.325c    STATIC      Gi0/2
  20    0090.abcd.1234    SECURE      Gi0/10
 100    aabb.ccdd.eeff    DYNAMIC     Gi0/24
 100    aabb.ccdd.1111    DYNAMIC     Gi0/24   <-- two MACs on same port (trunk or hub)

Total Mac Addresses for this criterion: 5

! ── Filter by VLAN ────────────────────────────────────────────────────────
Switch# show mac address-table vlan 10
! Shows only MAC entries in VLAN 10 -- useful when investigating a specific VLAN

! ── Filter by interface ───────────────────────────────────────────────────
Switch# show mac address-table interface GigabitEthernet0/24
! Shows only MACs learned on Gi0/24 -- useful to confirm what's connected

! ── Filter by MAC address ─────────────────────────────────────────────────
Switch# show mac address-table address aabb.ccdd.eeff
! Find which port a specific MAC is connected to

! ── Show only dynamic entries ─────────────────────────────────────────────
Switch# show mac address-table dynamic
! Excludes static and secure entries -- shows only auto-learned MACs

! ── Show table count ──────────────────────────────────────────────────────
Switch# show mac address-table count
Mac Entries for all vlans:
Dynamic Address Count  :  4842
Static  Address Count  :  3
Secure  Address Count  :  12
System  Address Count  :  0
Total Mac Address Space Available:  3196

! ── Show aging time ───────────────────────────────────────────────────────
Switch# show mac address-table aging-time
Global Aging Time:  300

! ── Clear dynamic entries ─────────────────────────────────────────────────
Switch# clear mac address-table dynamic
Switch# clear mac address-table dynamic vlan 10
Switch# clear mac address-table dynamic interface GigabitEthernet0/1
Switch# clear mac address-table dynamic address 0011.AAAA.AAAA

4. Output Fields — Field-by-Field Explanation

  Field: VLAN
    Description: VLAN ID the MAC address belongs to
    Details: Each VLAN maintains its own separate MAC table. The same MAC address can exist in different VLANs simultaneously (e.g., the same MAC on a trunk port carrying multiple VLANs). MAC entries in VLAN 1 are for the native/management VLAN.

  Field: MAC Address
    Description: The 48-bit Layer 2 hardware address of the device
    Details: Displayed in Cisco dotted notation (xxxx.xxxx.xxxx). First 24 bits = OUI (Organizationally Unique Identifier, which identifies the manufacturer). Last 24 bits = device-specific identifier. An OUI lookup can identify the device manufacturer.

  Field: Type
    Description: How the MAC address entry was created
    Details: DYNAMIC: auto-learned from incoming frames, subject to aging. STATIC: manually configured, permanent, no aging. SECURE: learned or configured via port security; may be sticky.

  Field: Ports
    Description: The switch port where the MAC address was last seen
    Details: For access ports: typically one MAC per port (end device). For trunk ports: many MACs (traffic from multiple downstream devices). "CPU" appears for control-plane traffic (STP BPDUs, CDP, etc.).

MAC Address Format — Notation Styles

  +------------------------+--------------------+-------------------------------------------+
  | Format                 | Example            | Used By                                   |
  +------------------------+--------------------+-------------------------------------------+
  | Cisco dotted notation  | 0011.2233.4455     | Cisco IOS (show mac address-table)        |
  | Colon-separated        | 00:11:22:33:44:55  | Linux, macOS, most non-Cisco equipment    |
  | Hyphen-separated       | 00-11-22-33-44-55  | Windows (ipconfig /all), IEEE standard    |
  +------------------------+--------------------+-------------------------------------------+

5. Entry Types — Dynamic, Static, Secure, and Sticky

  DYNAMIC
    How created:      Automatically learned from the source MAC of incoming frames
    Ages out?         Yes: removed after the aging timer expires (default 300 sec of inactivity)
    Survives reload?  No: lost on reload or link down
    Typical use:      Standard end-user devices; the vast majority of MAC entries

  STATIC
    How created:      Manually configured by the administrator
    Ages out?         No: permanent until manually removed
    Survives reload?  Yes (if in running-config and saved)
    Typical use:      Critical servers/printers; prevent MAC-based attacks on specific devices; permanent forwarding for infrastructure

  SECURE
    How created:      Learned or manually configured via port security
    Ages out?         Depends on port security config
    Survives reload?  Only if sticky (saved to running-config)
    Typical use:      Access ports with port security; restrict which MACs can use a port

  STICKY (Secure)
    How created:      Dynamically learned AND saved to running-config by port security
    Ages out?         No: written to config, persists across reloads if saved
    Survives reload?  Yes: written to running-config, survives reload if copied to startup-config
    Typical use:      Best of both worlds: auto-learn the first device connected, then lock that port permanently to that MAC

Configuring Static MAC Entries

! Add a static MAC entry — permanent, no aging:
Switch(config)# mac address-table static 0050.56BE.325C vlan 10 interface Gi0/2

! Verify:
Switch# show mac address-table address 0050.56BE.325C
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  10    0050.56be.325c    STATIC      Gi0/2

! Remove a static entry:
Switch(config)# no mac address-table static 0050.56BE.325C vlan 10 interface Gi0/2

6. Aging Timer — Management and Tuning

The aging timer controls how long a dynamic MAC entry remains in the table without being refreshed. Every time a frame arrives from a MAC address, its aging timer resets to the full value. If the timer reaches zero (no frames received), the entry is removed.

! Check current aging time:
Switch# show mac address-table aging-time
Global Aging Time:  300          <-- 300 seconds = 5 minutes (default)

! Change global aging time:
Switch(config)# mac address-table aging-time 600
! Range: 10–1000000 seconds; 0 = disable aging (entries never removed)

! Change aging time per VLAN:
Switch(config)# mac address-table aging-time 120 vlan 10
! VLAN 10 entries age out in 120 seconds; other VLANs use global setting

! Disable aging completely (not recommended for production):
Switch(config)# mac address-table aging-time 0
! Entries only removed manually or on link down

  Aging time settings:

  Very short (10–60 sec)
    Effect:       Entries age out quickly; more flooding of returning devices; table stays small
    When to use:  Environments with very mobile devices; testing; high security where stale entries are a risk

  Default (300 sec)
    Effect:       Balance between table freshness and re-learning overhead
    When to use:  Standard enterprise environments (recommended)

  Longer (600–1000 sec)
    Effect:       Entries persist longer; less re-flooding for infrequently communicating devices
    When to use:  Environments with devices that communicate infrequently (e.g., backup servers, printers)

  Disabled (0)
    Effect:       Entries never age out; table grows until full; stale entries for disconnected devices remain
    When to use:  Rarely appropriate; only for special static-like environments

7. VLANs, Trunk Ports, and MAC Table Entries

Each VLAN maintains a logically separate MAC address table. A MAC address is always associated with a specific VLAN — the same physical MAC can appear in the table multiple times if it communicates across multiple VLANs (typically on a trunk port).

  Multi-VLAN MAC address table example:
  Switch# show mac address-table

  Vlan    Mac Address       Type        Ports
  ----    -----------       ----        -----
    10    00A1.B2C3.D4E5    DYNAMIC     Gi0/12   <-- PC in VLAN 10
    10    00BB.CCDD.EE01    DYNAMIC     Gi0/1    <-- another PC in VLAN 10
    20    0050.56BE.325C    DYNAMIC     Gi0/12   <-- same port Gi0/12, VLAN 20
    20    00F6.12AB.3456    DYNAMIC     Gi0/15   <-- PC in VLAN 20
    30    0011.2233.4455    DYNAMIC     Gi0/12   <-- same port Gi0/12, VLAN 30
     1    aabb.ccdd.0001    DYNAMIC     Gi0/24   <-- management VLAN
     1    0100.0CCC.CCCC    STATIC      CPU      <-- Cisco CDP/VTP multicast

  Interpretation:
  Gi0/12 has MACs in VLAN 10, 20, and 30 -> this is a TRUNK PORT
  (carries tagged frames for multiple VLANs)
  Gi0/1, Gi0/15, Gi0/24 each have MACs in only one VLAN -> ACCESS PORTS
  CPU entry -> control-plane MAC (used for STP, CDP, VTP, LLDP)

  Key rules:
  - Broadcast/unknown unicast within VLAN 10 is flooded ONLY to VLAN 10 ports
  - VLAN 20 traffic never reaches VLAN 10 ports (Layer 2 isolation)
  - The trunk port (Gi0/12) carries ALL VLANs and appears in all VLAN entries

8. Port Security — Restricting MAC Addresses Per Port

Port security allows an administrator to limit the number and identity of MAC addresses that can use a switch port. When a violation occurs (an unauthorised MAC is detected), the switch can take one of three configurable actions.

Port Security Violation Modes

  Shutdown (default)
    Frames from violating MAC:  Dropped
    Port status:                err-disabled (effectively shut down)
    Syslog / trap:              Yes: syslog + SNMP trap
    Violation counter:          Incremented
    Recovery:                   Manual: shutdown then no shutdown, OR auto-recovery timer

  Restrict
    Frames from violating MAC:  Dropped
    Port status:                Remains UP; permitted MACs continue to work
    Syslog / trap:              Yes: syslog + SNMP trap
    Violation counter:          Incremented
    Recovery:                   Automatic; port stays up, only offending frames are dropped

  Protect
    Frames from violating MAC:  Dropped silently
    Port status:                Remains UP
    Syslog / trap:              No: silent drop, no notification
    Violation counter:          Not incremented
    Recovery:                   Automatic; port stays up, violation invisible unless proactively checked

Port Security Configuration

! ── Basic port security (max 1 MAC, shutdown on violation) ───────────────
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access            ! Port security requires access mode
Switch(config-if)# switchport port-security          ! Enable port security
Switch(config-if)# switchport port-security maximum 1  ! Allow only 1 MAC address
Switch(config-if)# switchport port-security violation shutdown  ! Default mode

! ── Sticky MAC — auto-learn first device, lock permanently ───────────────
Switch(config-if)# switchport port-security mac-address sticky
! Switch learns the first MAC that connects and saves it to running-config as:
! switchport port-security mac-address sticky 0011.AAAA.AAAA
! This MAC is now "sticky" -- persists across reloads if config saved

! ── Manually specify allowed MAC ─────────────────────────────────────────
Switch(config-if)# switchport port-security mac-address 0050.56BE.325C
! Only this specific MAC is allowed on this port; all others trigger violation

! ── Set violation mode to restrict instead of shutdown ───────────────────
Switch(config-if)# switchport port-security violation restrict

! ── Auto-recovery from err-disabled ──────────────────────────────────────
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
! Port automatically re-enables after 300 seconds

! ── Verify port security ──────────────────────────────────────────────────
Switch# show port-security interface GigabitEthernet0/1

Port Security              : Enabled
Port Status                : Secure-up        <-- or Secure-shutdown if violated
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1               <-- sticky entry learned and saved
Last Source Address:Vlan   : 0011.AAAA.AAAA:10
Security Violation Count   : 0

! ── Show all ports with port security ────────────────────────────────────
Switch# show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
           -  -------------  -----------  -----------------  ---------------
      Gi0/1              1            1                  0         Shutdown
     Gi0/10              2            1                  0         Restrict

9. MAC Flooding Attack

A MAC flooding attack (also called a CAM table overflow attack) is a Layer 2 attack where a malicious device sends millions of frames with spoofed, random source MAC addresses. This intentionally fills the switch's CAM table, forcing it into a "fail-open" state where it floods all frames out every port — turning the switch into a hub.

  MAC flooding attack:

  Attacker sends frames with random MACs:
  Frame 1: src=AAAA.0001.0001 dst=...
  Frame 2: src=AAAA.0001.0002 dst=...
  Frame 3: src=AAAA.0001.0003 dst=...
  ... (thousands per second)

  Switch CAM table fills up (e.g., all 8K entries occupied):
  Legitimate MAC for PC-B ages out and cannot be re-learned (table full)
  New frame destined for PC-B -> UNKNOWN UNICAST -> FLOODED to all ports

  Attacker on Gi0/5 now RECEIVES ALL frames including:
  - Banking website sessions of PC-A (VLAN 10)
  - Corporate email of PC-C (VLAN 10)
  - Any unencrypted traffic in the VLAN

  This is equivalent to a network tap -- attacker can capture credentials

Mitigations

  • Port security with MAC limit: switchport port-security maximum 5 — limits how many MACs any one port can learn; attacker's flood is contained to the maximum on their port
  • Dynamic ARP Inspection (DAI): validates ARP packets against DHCP snooping binding table — reduces the effectiveness of attacks that follow CAM overflow
  • DHCP snooping: limits which ports can act as DHCP servers; builds a binding table used by DAI
  • 802.1X port authentication: requires devices to authenticate before the port becomes active — prevents unauthenticated attackers from connecting at all
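To show what the first mitigation actually buys, here is an added Python model (not Cisco code and not part of the original page) of one access switch with a constructed 8,192-entry CAM table and optional per-port port security. SecurePort, Switch, replay_burst, the seeded random source MACs and the simplified log text are all constructed for this example. Run once with no port security and once with maximum 5 in each violation mode, it shows that an unprotected port can exhaust the whole table so that no new legitimate host can be learned, while a limited port costs at most five entries and, in shutdown mode, err-disables on the first violation:

```python
"""Toy model of port security containing a CAM-table flood.

Added example, not Cisco code. Capacity, port names, MACs, the burst size and
the log strings are constructed; the log text is a simplified stand-in for the
real port-security syslog message.
"""
import random

CAM_CAPACITY = 8192  # constructed to match the 8K-entry table used in this section


class SecurePort:
    """Port-security state for one access port: maximum count + violation mode."""

    def __init__(self, name, maximum=1, violation="shutdown"):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(violation)
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure_macs = set()   # learned the way sticky secure MACs are
        self.violations = 0        # the "Security Violation Count" field
        self.err_disabled = False
        self.logs = []             # simplified, constructed syslog text

    def admit(self, src):
        """Decide whether a frame from source MAC src may be learned and forwarded."""
        if self.err_disabled:
            return False
        if src in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src)
            return True
        # Over the maximum: a violation. The configured mode decides what happens.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            self.logs.append(f"PSECURE_VIOLATION {src} on {self.name}: port err-disabled")
        elif self.violation == "restrict":
            self.violations += 1
            self.logs.append(f"PSECURE_VIOLATION {src} on {self.name}: frame dropped, port up")
        # protect: drop silently, no log, counter not incremented
        return False


class Switch:
    def __init__(self, capacity=CAM_CAPACITY):
        self.capacity = capacity
        self.cam = {}     # mac -> port (VLAN omitted for brevity)
        self.ports = {}   # port name -> SecurePort, or None when port security is off

    def learn(self, port, src):
        """Learn src on port; False when port security refuses it or the table is full."""
        policy = self.ports[port]
        if policy is not None and not policy.admit(src):
            return False
        if src not in self.cam and len(self.cam) >= self.capacity:
            return False  # table full: new MACs cannot be learned
        self.cam[src] = port
        return True

    def free_entries(self):
        return self.capacity - len(self.cam)


def random_mac(rng):
    """Constructed random source MAC in Cisco dotted notation."""
    return "{:04x}.{:04x}.{:04x}".format(*(rng.getrandbits(16) for _ in range(3)))


def replay_burst(policy, frames=10_000, seed=1):
    """Feed `frames` frames with random source MACs into Gi0/5 under `policy`."""
    rng = random.Random(seed)
    sw = Switch()
    sw.ports["Gi0/1"] = None     # legitimate host port, no port security
    sw.ports["Gi0/5"] = policy   # the port under test
    sw.learn("Gi0/1", "0011.aaaa.aaaa")  # PC-A, learned before the burst
    for _ in range(frames):
        sw.learn("Gi0/5", random_mac(rng))
    new_host_learned = sw.learn("Gi0/1", "0022.bbbb.bbbb")  # can a new host still be learned?
    return {
        "free": sw.free_entries(),
        "gi05_macs": sum(1 for p in sw.cam.values() if p == "Gi0/5"),
        "new_host_learned": new_host_learned,
        "violations": policy.violations if policy else 0,
        "err_disabled": policy.err_disabled if policy else False,
    }


if __name__ == "__main__":
    print("no port security:", replay_burst(None))
    for mode in ("shutdown", "restrict", "protect"):
        print(mode + ":", replay_burst(SecurePort("Gi0/5", maximum=5, violation=mode)))
```

The model deliberately omits aging: the point it makes is the one in the text, that once free entries reach zero any legitimate MAC that drops out of the table cannot come back, and that a per-port maximum bounds the damage to that port's allowance regardless of how many frames arrive.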

10. MAC Flapping — Diagnosis and Resolution

MAC flapping occurs when the switch sees the same source MAC address arriving on different ports in rapid succession. The switch keeps updating the MAC table entry to point to alternating ports, causing the flapping. This typically indicates a Layer 2 loop.

  MAC flapping caused by a Layer 2 loop:

  PC-A (MAC: 0011.AAAA.AAAA) is connected to SW1-Gi0/1.
  There is a loop: SW1-Gi0/3 --> SW2 --> SW1-Gi0/4 (no STP blocking)

  PC-A sends a frame:
  SW1 learns: 0011.AAAA.AAAA on Gi0/1
  Frame loops around: arrives at SW1 Gi0/4 (via SW2)
  SW1 re-learns: 0011.AAAA.AAAA on Gi0/4  <-- FLAP!
  Frame loops again: arrives at SW1 Gi0/3
  SW1 re-learns: 0011.AAAA.AAAA on Gi0/3  <-- FLAP!
  (continues until STP converges or network collapses)

  Syslog messages indicating flapping:
  %SW_MATM-4-MACFLAP_NOTIF: Host 0011.AAAA.AAAA in vlan 10 is flapping
  between port Gi0/1 and port Gi0/4

  Other causes of MAC flapping:
  - Unmanaged switches (no STP) connected creating loops
  - EtherChannel misconfiguration (LACP/PAgP mismatch)
  - VM mobility (virtual MAC moving between hypervisor hosts)
  - Dual-homed server with two active uplinks in the same VLAN

Diagnosing MAC Flapping

! Check syslog for flapping messages:
Switch# show logging | include MACFLAP
%SW_MATM-4-MACFLAP_NOTIF: Host 0011.aaaa.aaaa in vlan 10 is flapping
between port Gi0/1 and port Gi0/4

! Check MAC address table for the flapping MAC:
Switch# show mac address-table address 0011.AAAA.AAAA
Vlan    Mac Address       Type        Ports
  10    0011.aaaa.aaaa    DYNAMIC     Gi0/4  <-- currently on Gi0/4 (was Gi0/1)

! Check if STP is active on both ports (should be blocking one):
Switch# show spanning-tree vlan 10 interface Gi0/4
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
VLAN0010            Altn BLK 4         128.4    P2p  <-- should be blocking
! If this shows FWD (forwarding) for both Gi0/1 and Gi0/4 -> STP not blocking = loop

! Check for physical loop (CDP neighbors):
Switch# show cdp neighbors
! Look for unexpected neighbour connections forming a loop
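Diagnosing flapping usually starts with the syslog. The Python below is an added example (not Cisco code and not part of the original page): it parses %SW_MATM-4-MACFLAP_NOTIF messages, including ones wrapped onto two lines the way the page prints them, groups them per MAC and VLAN, and attaches a first-thing-to-check hint. The log lines are constructed, and the rules in triage() are my own heuristic for this example, not a Cisco rule:

```python
"""Parse IOS MACFLAP syslog lines and summarise flapping hosts.

Added example, not Cisco code. SAMPLE_LOG is constructed in the message
format shown on this page; triage() encodes an assumed heuristic.
"""
import re
from collections import defaultdict

# Matches the %SW_MATM-4-MACFLAP_NOTIF message shown on this page.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed sample. The second message is wrapped onto two lines, as the page
# prints it; the parser re-joins such lines before matching.
SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.aaaa.aaaa in vlan 10 is flapping between port Gi0/1 and port Gi0/4
*Mar  1 00:12:01.623: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.aaaa.aaaa in vlan 10 is flapping
between port Gi0/4 and port Gi0/3
*Mar  1 00:12:02.101: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.aaaa.aaaa in vlan 10 is flapping between port Gi0/3 and port Gi0/1
*Mar  1 00:12:02.590: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.cc00.1234 in vlan 20 is flapping between port Gi0/2 and port Gi0/5
*Mar  1 00:12:03.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
"""


def parse_flaps(text):
    """Return one dict per MACFLAP message: mac, vlan and the two ports involved."""
    joined = re.sub(r"\n\s*(?=between port)", " ", text)  # undo wrapped lines
    return [
        {"mac": m["mac"].lower(), "vlan": int(m["vlan"]), "ports": (m["p1"], m["p2"])}
        for m in FLAP_RE.finditer(joined)
    ]


def summarise(events):
    """Group flaps per (mac, vlan): how many notifications and which ports were involved."""
    summary = defaultdict(lambda: {"count": 0, "ports": set()})
    for e in events:
        s = summary[(e["mac"], e["vlan"])]
        s["count"] += 1
        s["ports"].update(e["ports"])
    return dict(summary)


def triage(summary):
    """Assumed heuristic (not a Cisco rule): map each flapping host to a first check."""
    findings = {}
    for (mac, vlan), s in summary.items():
        if len(s["ports"]) >= 3:
            hint = (f"same MAC on 3+ ports: almost certainly a Layer 2 loop; "
                    f"check show spanning-tree vlan {vlan}")
        elif s["count"] >= 2:
            hint = (f"repeated flap between two ports: loop or MAC spoofing; "
                    f"watch show mac address-table address {mac} over time")
        else:
            hint = "single flap: possible VM move or dual-homed host; confirm the host's expected port"
        findings[(mac, vlan)] = hint
    return findings


if __name__ == "__main__":
    for key, hint in triage(summarise(parse_flaps(SAMPLE_LOG))).items():
        print(key, "->", hint)
```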

11. MAC Spoofing

MAC spoofing is when an attacker changes their device's MAC address to impersonate another device. Against the CAM table, this causes the switch to point the victim's MAC entry to the attacker's port — redirecting the victim's traffic to the attacker.

  MAC spoofing attack:

  Normal state:
  Switch CAM: 0011.AAAA.AAAA -> Gi0/1 (PC-A's legitimate port)

  Attacker on Gi0/5 changes their MAC to 0011.AAAA.AAAA and sends a frame:
  Switch sees source MAC 0011.AAAA.AAAA on Gi0/5
  -> Updates CAM: 0011.AAAA.AAAA -> Gi0/5 (now points to attacker!)

  Traffic intended for PC-A (0011.AAAA.AAAA) is now forwarded to Gi0/5
  Attacker intercepts the traffic. PC-A receives nothing.

Mitigations against MAC spoofing:

  • Port security with sticky MAC: once the legitimate MAC is locked to a port, another port claiming the same MAC triggers a violation
  • Dynamic ARP Inspection: validates IP-to-MAC bindings using the DHCP snooping table — prevents ARP spoofing which often accompanies MAC spoofing
  • 802.1X: requires cryptographic authentication before any traffic is allowed — the MAC address alone cannot grant access

12. CAM Table Overflow — Size Limits and Consequences

Every switch has a finite CAM table determined by its ASIC hardware. Understanding the limits and what happens at overflow is critical for both design and security.

! Check current table utilisation:
Switch# show mac address-table count

Mac Entries for all vlans:
Dynamic Address Count  :  7841
Static  Address Count  :  3
Secure  Address Count  :  12
System  Address Count  :  6
Total Mac Address Space Available:  161    <-- ONLY 161 ENTRIES LEFT!

! This switch is nearly at capacity -- MAC flooding risk is high

  +--------------------------+-----------------------+----------------------------------+
  | Switch Family            | Typical CAM Size      | Notes                            |
  +--------------------------+-----------------------+----------------------------------+
  | Cisco Catalyst 2960      | 8,192 entries         | Small enterprise / access layer  |
  | Cisco Catalyst 3750/3850 | 12,288–32,768 entries | Distribution / aggregation layer |
  | Cisco Catalyst 9300      | 32,768+ entries       | Modern access / distribution     |
  | Cisco Catalyst 9500      | 128,000+ entries      | Core / data centre aggregation   |
  +--------------------------+-----------------------+----------------------------------+

When the table is full: the switch cannot learn new MAC addresses. Frames with unknown destination MACs are flooded out all ports in the VLAN. This degrades performance and creates a security risk, because ALL traffic in the VLAN is visible to every port. Port security with MAC limits is the primary defence: by capping how many MACs any one port can learn, no single attacker can fill the entire table.
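An operator normally polls this output rather than reading it by eye. The following added Python (not Cisco code and not part of the original page) parses show mac address-table count output into its four counters, derives total capacity and utilisation, and grades the result; the sample text is constructed from the format above, and the 90% / 95% thresholds in assess() are assumptions for this example:

```python
"""Grade CAM-table utilisation from 'show mac address-table count' output.

Added example, not Cisco code. SAMPLE_COUNT is constructed from the output
format on this page; the alert thresholds are assumed values.
"""
import re

SAMPLE_COUNT = """\
Mac Entries for all vlans:
Dynamic Address Count  :  7841
Static  Address Count  :  3
Secure  Address Count  :  12
System  Address Count  :  6
Total Mac Address Space Available:  161
"""

COUNT_RE = re.compile(r"^(Dynamic|Static|Secure|System)\s+Address Count\s*:\s*(\d+)", re.M)
AVAIL_RE = re.compile(r"^Total Mac Address Space Available\s*:\s*(\d+)", re.M)


def parse_count(text):
    """Extract the four counters and the free-entry figure; derive capacity and utilisation."""
    counts = {kind.lower(): int(value) for kind, value in COUNT_RE.findall(text)}
    avail = AVAIL_RE.search(text)
    if avail is None or len(counts) != 4:
        raise ValueError("unrecognised 'show mac address-table count' output")
    used = sum(counts.values())
    available = int(avail.group(1))
    capacity = used + available
    return {"counts": counts, "used": used, "available": available,
            "capacity": capacity, "utilisation": used / capacity}


def assess(text, warn_at=0.90, critical_at=0.95):
    """Grade utilisation: 'ok', 'warning' or 'critical' (thresholds are assumptions)."""
    info = parse_count(text)
    u = info["utilisation"]
    info["level"] = "critical" if u >= critical_at else "warning" if u >= warn_at else "ok"
    info["message"] = (f"CAM table {u:.1%} used ({info['used']}/{info['capacity']}, "
                       f"{info['available']} free): {info['level']}")
    return info


if __name__ == "__main__":
    print(assess(SAMPLE_COUNT)["message"])
```

Capacity is not printed by the switch, so it is recovered as used plus available; that is also why a healthy baseline is worth recording, since a jump in the dynamic count against a stable capacity is the signal to investigate, not the absolute number on its own.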

13. Troubleshooting Scenarios

  Symptom: Expected device MAC not in table
    Likely cause:        Device not sending frames; port shut down; cable disconnected; entry aged out
    Diagnostic command:  show mac address-table, show interfaces Gi0/x status
    Fix:                 Verify physical connection; confirm port is up/up; have the device send traffic to trigger MAC learning

  Symptom: Same MAC appearing on multiple ports
    Likely cause:        Layer 2 loop (STP not blocking); MAC spoofing attack; VM migration
    Diagnostic command:  show logging | include MACFLAP, show spanning-tree
    Fix:                 Identify and break the loop; verify STP is blocking redundant ports; investigate spoofing

  Symptom: Rapid growth of MAC table entries
    Likely cause:        MAC flooding attack; device with misconfigured MAC randomisation
    Diagnostic command:  show mac address-table count, show mac address-table dynamic
    Fix:                 Enable port security with MAC limits on access ports; identify the attacking port and isolate it

  Symptom: Port in err-disabled state
    Likely cause:        Port security violation (too many MACs or unauthorised MAC detected)
    Diagnostic command:  show interfaces status err-disabled, show port-security interface Gi0/x
    Fix:                 Identify and remove the unauthorised device; shutdown then no shutdown to restore the port

  Symptom: Intermittent connectivity for a specific device
    Likely cause:        MAC entry timing out because the device does not send enough traffic to maintain it; aging time too short
    Diagnostic command:  show mac address-table address <MAC>
    Fix:                 Increase the aging time for the VLAN, or configure a static MAC entry for the device

14. Key Points & Exam Tips

  • The MAC address table (CAM table) maps MAC addresses to switch ports and VLANs. Switches forward frames to the specific port of the destination MAC; when unknown, they flood out all ports in the same VLAN.
  • Learning process: Switch reads the SOURCE MAC of every incoming frame and records it against the incoming port and VLAN. Destination lookup uses this learned data for forwarding.
  • Entry types: DYNAMIC (auto-learned, ages out after default 300 sec), STATIC (manually configured, permanent), SECURE (port security), STICKY (auto-learned but saved to config, persists across reloads if saved).
  • Aging timer: Default 300 seconds. Resets to full value every time a frame arrives from that MAC. Reaches zero with no traffic → entry removed → next frame causes re-learn + unknown unicast flood.
  • Port security violation modes: Shutdown (err-disables port, logs — default), Restrict (drops violating frames, logs, port stays up), Protect (drops silently, no log, port stays up).
  • Sticky MAC: combines auto-learning with persistence — learned MAC is written to running-config as a secure static entry. Survives reload if copy running startup is performed.
  • MAC flooding attack: fills CAM table with random spoofed MACs → switch floods all frames → attacker sees all traffic. Mitigate with port security MAC limits.
  • MAC flapping: same MAC seen on multiple ports rapidly → indicates Layer 2 loop or MAC spoofing. Check show logging for MACFLAP messages; verify STP is blocking redundant paths.
  • Table overflow: switch cannot learn new MACs → all unknown unicast flooded → performance degradation and security risk (all traffic visible to all ports in VLAN).
  • Key commands: show mac address-table, show mac address-table vlan [id], show mac address-table interface [int], show mac address-table count, show port-security interface [int], clear mac address-table dynamic.

15. Show MAC Address-Table Quiz

1. A switch receives a frame from PC-A on Gi0/1 destined for PC-B. PC-B's MAC address is not yet in the CAM table. What does the switch do, and what happens to PC-A's MAC address?

Correct answer is C. MAC learning and unknown unicast flooding are the two fundamental switch behaviours that operate simultaneously on every frame. Step 1 — MAC learning: the switch always inspects the SOURCE MAC address of every incoming frame. PC-A's MAC is recorded against the ingress port (Gi0/1) and VLAN. This is how the switch builds its forwarding database. Step 2 — Forwarding decision: the switch looks up the DESTINATION MAC. If found, it unicasts the frame to the specific port. If NOT found (unknown unicast), it floods the frame out every port in the same VLAN except the ingress port. ARP (option B) is a Layer 3 function performed by the router or end device — the switch itself does not use ARP for forwarding decisions. The switch never drops frames due to an unknown destination (option A) — it always floods unknowns. This is why switches intelligently forward over time: after a brief learning period, all MACs are known and flooding stops.

2. An engineer configures port security with sticky MAC on Gi0/5: switchport port-security mac-address sticky. A PC with MAC 0011.AAAA.AAAA connects and sends traffic. A week later, the switch is reloaded. What happens?

Correct answer is B. Sticky MAC addresses bridge the gap between dynamic (convenient but volatile) and static (permanent but requires manual configuration) MAC entries. When sticky learning is enabled, the switch dynamically learns the MAC address from the first device that connects and immediately writes it to the running-configuration as a secure static entry: "switchport port-security mac-address sticky 0011.AAAA.AAAA". This means it's in RAM (running-config). If the administrator then issues copy running-config startup-config (or write memory), the sticky MAC is saved to NVRAM (startup-config). After a reload, the startup-config is loaded, the sticky MAC is restored, and the port continues to only allow that MAC — no re-learning needed. If the admin does NOT save the config before reload, the sticky MAC is lost (like any unsaved running-config change) and the port will re-learn the first MAC that connects. This is the most common sticky MAC exam scenario.

3. A network engineer observes syslog messages: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.cc00.1234 in vlan 20 is flapping between port Gi0/2 and port Gi0/5. What are the two most likely causes, and what should be checked first?

Correct answer is D. MAC flapping — a MAC address rapidly updating between different ports — has two primary causes in production networks. Cause 1 (most common): Layer 2 loop. When STP fails to block a redundant path (STP not running on a device, STP topology change, unmanaged switch in the path), a broadcast frame enters a loop and the switch sees the same source MAC arriving on multiple ports in sequence. Frames loop indefinitely, each time updating the MAC table entry. Diagnostic: show spanning-tree vlan 20 — if both Gi0/2 and Gi0/5 are in Forwarding state and they share a loop, STP is the problem. Cause 2: MAC spoofing. An attacker on Gi0/5 has cloned the MAC of the legitimate device on Gi0/2 and is sending frames — the switch sees the MAC on both ports alternately. Cause 3 (legitimate): VM live migration — a virtual machine moves between hypervisor hosts, and its virtual MAC appears on a different physical switch port. This is expected in virtualised environments and typically shows as a brief flap. An aging timer that's too short (option B) would cause re-learning but not flapping between ports.

4. A switch port Gi0/10 has port security configured with violation mode "Restrict" and maximum 2 MACs. A third device connects and sends a frame. What happens to the legitimate devices already on the port, and what happens to the third device's frames?

Correct answer is A. This tests the critical distinction between the three port security violation modes. Restrict mode is designed for situations where you want to block unauthorised devices but cannot afford to disrupt the legitimate devices already operating. Behaviour: frames from the authorised MACs (up to the maximum count = 2) continue to be forwarded normally. Frames from any MAC that would exceed the maximum are dropped. Syslog generates a violation message and the violation counter increments — so you know it happened. The port remains in an UP state throughout — it never err-disables. This differs from Shutdown (entire port err-disables, all devices lose connectivity) and Protect (same as Restrict but silent — no syslog, no SNMP trap, counter not incremented). For exam: Restrict = drops violating frames + logs + port stays UP. Shutdown = drops violating frames + logs + port err-disables. Protect = drops violating frames + NO log + port stays UP.

5. An attacker uses a tool to send 50,000 frames per second with random source MAC addresses from port Gi0/47 on a switch. The switch has 8,192 CAM table entries. After the attack fills the table, what does the switch do with a legitimate frame from PC-A (whose MAC entry was displaced)?

Correct answer is C. This is the MAC flooding attack explained in full. The attacker's goal is specifically to fill the CAM table with fake entries so that legitimate MAC entries (like PC-A → Gi0/1 and PC-B → Gi0/3) are either displaced or never re-learned after aging. Once the table is full: the switch cannot learn any new MACs. When PC-A sends a frame to PC-B, PC-B's MAC is unknown (not in the full table). The switch treats this as unknown unicast and floods it out ALL ports in the VLAN — including Gi0/47 where the attacker is listening. The attacker is now receiving all traffic in the VLAN as if the switch were a hub. The switch never drops frames to unknown destinations (option A) — it always floods them. Port security with a MAC limit (e.g., switchport port-security maximum 5) on Gi0/47 would contain the attack to 5 fake MACs from that port — the rest of the table is protected.

6. An engineer runs show mac address-table interface Gi0/12 and sees MAC addresses from VLAN 10, VLAN 20, and VLAN 30 all on that single port. What does this indicate about Gi0/12?

Correct answer is B. A trunk port carries 802.1Q-tagged frames for multiple VLANs simultaneously. Each frame arrives with a VLAN tag identifying which VLAN it belongs to. The switch learns the source MAC from each frame and associates it with both the port AND the VLAN from the 802.1Q tag. Therefore, a trunk port accumulates MAC entries across all the VLANs it carries. Multiple VLANs on a single port is the definition of a trunk. An access port is assigned to exactly one VLAN; it cannot carry traffic from multiple VLANs, so it would only have MAC entries in one VLAN. Seeing MACs from three VLANs on Gi0/12 is strong evidence it is configured as a trunk (switchport mode trunk) and connected to another switch or to a router-on-a-stick. Verify with: show interfaces Gi0/12 trunk.

7. An access port Gi0/5 has port security configured with maximum 1 MAC and violation mode shutdown. The port is currently in err-disabled state. What is the correct procedure to restore the port to operation?

Correct answer is D. Port security violation mode "Shutdown" places the port in err-disabled state — this is a hard shutdown that requires deliberate action to recover. Unlike "Restrict" and "Protect" which drop violating frames while keeping the port up, "Shutdown" completely disables the port until a network administrator investigates and manually restores it. The correct recovery procedure: (1) Investigate: show port-security interface Gi0/5 to see the last violating MAC address. Identify and remove the unauthorised device. (2) Manual recovery: in interface configuration, issue shutdown followed by no shutdown. This resets the port from err-disabled to normal. (3) Optional — configure auto-recovery: errdisable recovery cause psecure-violation and errdisable recovery interval 300 causes the port to auto-recover after 300 seconds. However, auto-recovery is generally not recommended for security violations — you want a human to investigate why it triggered before the port comes back up. Simply clearing the MAC table (option C) does not release an err-disabled port.

8. A network engineer needs to find which switch port a specific server (MAC address 0050.56BE.AABB) is connected to across a multi-switch campus network. What is the most efficient approach using the MAC address table?

Correct answer is A. Tracing a MAC address through a multi-switch network requires following the MAC entry hop-by-hop through the switching hierarchy. The MAC entry for a server will appear on multiple switches: on access-layer switches it appears on the specific access port. On distribution/core switches it appears on a trunk port leading toward the access switch. The technique: (1) Start at the distribution or core switch: show mac address-table address 0050.56BE.AABB. If the result is a trunk port (e.g., Gi1/0/48), that trunk leads to another switch. (2) Move to the switch connected via that trunk and repeat. Continue until the MAC appears on an access port (non-trunk) — that is the physical switch and port the server is directly connected to. show arp on the router (option B) shows IP-to-MAC mappings but not switch ports. The DHCP server (option C) shows MAC-to-IP leases but not switch ports. Option D is incorrect — each switch independently records MAC-to-port mappings for traffic passing through it, allowing the hop-by-hop trace technique.

9. The command show mac address-table count on a Catalyst 2960 shows: Dynamic: 8,100, Static: 3, Total Available: 89. What does this indicate, and what immediate action should the engineer take?

Correct answer is C. 8,100 dynamic entries on a switch with 8,192 total capacity means only 89 entries remain before the table overflows. This is a critical capacity warning. Normal enterprise switches rarely approach their CAM table limits in healthy operation — an access-layer 2960 with 48 ports typically sees 1–3 MACs per access port (hundreds total), far below 8K. Seeing 8,100 entries strongly suggests a MAC flooding attack. Investigation steps: (1) show mac address-table dynamic | count — confirm the count. (2) Look for patterns: show mac address-table dynamic | include AAAA or examine if many MACs share a similar OUI prefix (indicating a spoofing tool). (3) Identify which port has the most entries: show mac address-table interface Gi0/47 — if one port has thousands of MACs, that's the attack source. Immediate mitigation: enable port security on all access ports: switchport port-security maximum 5 — this limits each port to 5 MACs maximum, containing any flooding to a tiny fraction of the table regardless of the attack rate. Reducing aging time (option B) could worsen the situation by removing legitimate entries faster while the attacker keeps refreshing fake ones.
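The per-port and OUI checks described in steps (2) and (3) above can be automated against saved show output. This is an added example, not part of the original page: it parses a constructed show mac address-table dump (the Cisco IOS column layout shown earlier on the page), counts dynamic entries per port, flags ports exceeding the 5-MAC port-security budget, and reports whether the MACs on a suspect port share one OUI; the flooding rows and the Gi0/47 port are invented sample data.

```python
import re
from collections import Counter

# Matches one data row of Cisco IOS "show mac address-table" output:
# VLAN, dotted MAC (xxxx.xxxx.xxxx), entry type, port. Headers/rulers don't match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples, skipping headers and rulers."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            rows.append((int(vlan), mac.lower(), typ.upper(), port))
    return rows

def dynamic_macs_per_port(rows):
    """Count DYNAMIC entries per port; STATIC/SECURE entries are admin-controlled."""
    return Counter(port for _, _, typ, port in rows if typ == "DYNAMIC")

def flag_flooding_ports(rows, threshold=5):
    """Ports holding more dynamic MACs than port security would normally allow."""
    return {p: n for p, n in dynamic_macs_per_port(rows).items() if n > threshold}

def dominant_oui(rows, port):
    """(oui, share) of the most common 24-bit OUI among dynamic MACs on a port."""
    ouis = Counter(mac[:7] for _, mac, typ, p in rows if p == port and typ == "DYNAMIC")
    total = sum(ouis.values())
    if not total:
        return None, 0.0
    oui, n = ouis.most_common(1)[0]
    return oui, n / total

# Constructed sample: a healthy table plus one port (Gi0/47) flooded with
# addresses that all share one OUI, the pattern a spoofing tool leaves behind.
SAMPLE = """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.63ab.cd22    DYNAMIC     Gi0/1
  10    0050.56be.325c    STATIC      Gi0/2
  20    0090.abcd.1234    SECURE      Gi0/10
 100    aabb.ccdd.eeff    DYNAMIC     Gi0/24
"""
SAMPLE += "".join(f"  10    dead.beef.{i:04x}    DYNAMIC     Gi0/47\n" for i in range(500))

if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE)
    print(len(rows), "entries; suspect ports:", flag_flooding_ports(rows))
    print("Gi0/47 dominant OUI and share:", dominant_oui(rows, "Gi0/47"))
```

On a real switch, pipe `show mac address-table dynamic` output into parse_mac_table and compare the flagged ports against the access ports you expect to carry a handful of hosts.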

10. An engineer wants to permanently prevent a specific MAC address (1234.5678.ABCD) from ever accessing VLAN 50 on a switch, regardless of which port it connects to. What configuration achieves this?

Correct answer is B. Standard port security only controls which MACs are allowed on a specific port — it cannot block a MAC network-wide regardless of which port it uses. To block a specific MAC from an entire VLAN, two approaches work on Cisco equipment. Approach 1 — Static MAC entry with drop action (supported on some Catalyst platforms): mac address-table static 1234.5678.ABCD vlan 50 drop — creates a permanent entry that drops all frames from this MAC in VLAN 50, regardless of ingress port. Approach 2 — VLAN Access Control List (VACL): configure a MAC ACL matching the specific MAC, apply it as a VLAN filter (VACL) on VLAN 50 with a "drop" action — this drops frames from that MAC anywhere in VLAN 50. Standard ACLs (option D) operate at Layer 3 and filter IP traffic on routed interfaces — they do not filter based on MAC addresses at Layer 2 within a VLAN. Clearing the MAC table entry (option C) only temporarily removes the dynamic entry — the device will simply re-learn it next time it sends a frame. Setting max MACs to 0 (option A) would block all devices including legitimate ones.
