CAM Table Overflow Attack Mitigation on Cisco Switches

What happens if there is a system or user on a VLAN that is infected by malware or is deliberately running a scanning program?  This can cause a massive number of entries in the CAM table of the switch.  Think of the CAM table as the MAC address table.  The size of this memory is limited, and the limit depends on the switch platform.  If the attacking system floods a HUGE number of MAC addresses via different Layer 2 frames to the switch, the switch is going to “learn” as many of these as it can by putting them in the CAM table.  This can therefore cause a table overflow!  That overflow will then result in one of two possible failure scenarios:

  1. The switch can no longer learn MAC addresses and therefore starts flooding traffic to other ports when it does not need to
  2. The switch slows down forwarding as the table is so large

Either way, the network can crash.  Ouch.

A program that can perform this flooding of MACs is called “macof”.  Macof is a member of the Dsniff toolset.

The way to look at the MAC address table on a switch is as follows:

CellSwitch# show mac address-table dynamic

This will output the MAC address table.

What if you want to see the MAC address count?  Use the following command:

CellSwitch# show mac address-table count [vlan xxx]

Usually we only need 1 or 2 MAC addresses per interface on a switch, but with networking nowadays becoming more complex (users having VMs – Virtual Machines), it may be necessary to allow 4 or 5 MACs on a switch port.
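An added example (not part of the original article): a Python script that counts dynamically learned MACs per port from 'show mac address-table dynamic' output, to help choose a per-port limit and to spot a port learning far more addresses than expected. The sample output is constructed, and the function names and the uplink port Gi0/24 are assumptions.

```python
import re
from collections import defaultdict

# One table row: VLAN, dotted-hex MAC, the DYNAMIC type, and the learning port.
ROW = re.compile(
    r"^[ \t]*(\d+)[ \t]+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})[ \t]+DYNAMIC[ \t]+(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_dynamic_macs(output):
    """Return {port: set of (vlan, mac)} for every dynamic entry in the output."""
    per_port = defaultdict(set)
    for vlan, mac, port in ROW.findall(output):
        per_port[port].add((int(vlan), mac.lower()))
    return dict(per_port)

def ports_over_limit(output, limit, ignore_ports=()):
    """Return {port: count} for ports that learned more than `limit` MACs.

    ignore_ports is for uplinks/trunks, which legitimately carry many MACs.
    """
    return {
        port: len(entries)
        for port, entries in parse_dynamic_macs(output).items()
        if port not in ignore_ports and len(entries) > limit
    }

def constructed_sample():
    """Build sample switch output (constructed for this example, not a real capture)."""
    rows = [(10, "00aa.bbcc.0001", "Gi0/1")]
    rows += [(10, f"0011.2233.44{i:02x}", "Gi0/2") for i in range(8)]
    rows += [(10, f"00de.ad00.{i:04x}", "Gi0/24") for i in range(40)]  # assumed uplink
    lines = [
        "          Mac Address Table",
        "-" * 43,
        "",
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
    ]
    lines += [f"{vlan:>4}    {mac}    DYNAMIC     {port}" for vlan, mac, port in rows]
    lines.append(f"Total Mac Addresses for this criterion: {len(rows)}")
    return "\n".join(lines)

if __name__ == "__main__":
    sample = constructed_sample()
    for port, count in ports_over_limit(sample, limit=6, ignore_ports={"Gi0/24"}).items():
        print(f"{port}: {count} dynamic MACs (limit 6)")
```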

Example Configuration

Here’s an example:

CellSwitch# config t
CellSwitch(config)# interface gig 0/2
CellSwitch(config-if)# switchport mode access

It should be noted here that switchport mode access defaults to allowing only 1 MAC address.  Let’s extend that default to 6 MACs, continuing our configuration:

CellSwitch(config-if)# switchport port-security
CellSwitch(config-if)# switchport port-security maximum 6

If we stopped here, the switch would shut the port down as soon as more than 6 MACs are seen, because port security is enabled!  So this is very strict.  Let’s be a little gentler by adding the following command, which allows only the first 6 MACs:

CellSwitch(config-if)# switchport port-security violation restrict

This restriction will send SNMP messages and Syslog messages but not shut down the port.  OK, we can finish the config:

CellSwitch(config-if)# end


There are a couple of great show commands you can use:

  • To see the port security configuration: ‘show port-security interface [port #]’
  • To see the number of MAC addresses and what they are: ‘show port-security address’

We hope this helps you understand this feature and its usage.
