What Is a CAM Table and How Does It Work?

A CAM table (Content Addressable Memory table) is a data structure inside network switches that maps device addresses to physical ports, allowing the switch to send data only where it needs to go instead of broadcasting it everywhere. It’s one of the core components that makes modern Ethernet networking fast and efficient.

How a CAM Table Works

Every device on a network has a unique identifier called a MAC address, burned into its network hardware. When a switch receives a chunk of data (called a frame), it needs to figure out which of its physical ports leads to the intended recipient. The CAM table is essentially a lookup chart: it pairs each MAC address the switch has seen with the specific port that device is connected to.

What makes CAM special is the “content addressable” part. Traditional memory (RAM) works by address: you give it a location, and it returns whatever is stored there. Content addressable memory works in reverse. You give it a piece of data, like a MAC address, and it searches all entries simultaneously in a single operation to find the matching port. This parallel search happens in hardware, which is why switches can forward millions of frames per second without slowing down.

How the Switch Learns MAC Addresses

A switch doesn’t come pre-loaded with a map of every device on your network. It builds its CAM table dynamically by watching traffic. The process works like this:

  • A frame arrives. When a device sends data, the switch reads the source MAC address from the frame and notes which port it arrived on. It adds this pairing to the CAM table.
  • Unknown destination, so flood. If the switch doesn’t yet have an entry for the destination MAC address, it has no choice but to send the frame out every port except the one it came in on. This is called flooding.
  • The recipient responds. When the destination device replies, the switch reads that frame’s source MAC address and learns which port that device lives on. Now it has entries for both devices.
  • Direct switching begins. From this point forward, the switch can send frames between those two devices directly, port to port, without flooding.

This learning process happens continuously. Every time a new device sends its first frame through the switch, the CAM table gains a new entry.

Aging Timers and Table Maintenance

CAM table entries don’t stick around forever. Each entry has an aging timer that resets every time the switch sees traffic from that MAC address. On most enterprise switches, the default aging time is 300 seconds (5 minutes). If a device stays silent for that long, its entry is removed, freeing up space in the table.

During certain network topology changes, like when a switch detects a link failure or a change in the spanning tree, the aging time drops dramatically to 15 seconds. This forces the switch to relearn where devices are located, which helps traffic find new paths quickly after a network disruption. The accelerated aging period typically lasts around 35 seconds before returning to normal.

Table Size and Capacity

CAM tables are stored in dedicated hardware memory on the switch, and that memory is finite. A typical enterprise-grade switch can hold around 32,000 MAC address entries. For most networks, this is more than enough. But in large data centers or environments with thousands of virtual machines, table capacity becomes a real design consideration.

When the CAM table fills up completely, the switch can no longer learn new addresses. Any frame destined for an unknown MAC address gets flooded to all ports, which degrades performance and, as we’ll see, creates a security risk.
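The learning, aging and capacity behaviour described in the sections above can be modelled in a few lines. This is an added example, not vendor code: the `LearningSwitch` class, the MAC addresses and the timestamps are constructed for illustration, and a Python dict stands in for the hardware CAM lookup.

```python
class LearningSwitch:
    def __init__(self, ports, capacity=32000, aging_time=300):
        self.ports = set(ports)
        self.capacity = capacity        # max entries the table can hold
        self.aging_time = aging_time    # seconds of silence before removal
        self.table = {}                 # MAC -> (port, last_seen)

    def expire(self, now):
        """Remove entries whose aging timer has run out."""
        stale = [mac for mac, (_, seen) in self.table.items()
                 if now - seen >= self.aging_time]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port, src, dst, now):
        """Process one frame and return the sorted list of egress ports."""
        self.expire(now)
        # Learn or refresh the source address, unless the table is full.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is None:
            # Unknown destination: flood out every port except the ingress port.
            return sorted(self.ports - {in_port})
        out_port = entry[0]
        # Never send a frame back out the port it arrived on.
        return [] if out_port == in_port else [out_port]


def demo():
    # Constructed MAC addresses; capacity is set to 2 so the table fills quickly.
    a, b, c = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    sw = LearningSwitch(ports=[1, 2, 3, 4], capacity=2)
    results = [
        sw.receive(1, a, b, now=0),     # B unknown: flood
        sw.receive(2, b, a, now=1),     # A known: port 1 only
        sw.receive(1, a, b, now=2),     # B known: port 2 only
        sw.receive(3, c, a, now=3),     # table full: C is not learned
        sw.receive(1, a, c, now=4),     # C unknown: flood
        sw.receive(1, a, b, now=400),   # entries aged out, B unknown: flood
    ]
    return results, sorted(sw.table)
```

At `now=400` both earlier entries have exceeded the 300-second aging time, so only A, which has just sent a frame, is back in the table.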

Binary CAM vs. Ternary CAM

There are actually two types of CAM used in networking hardware. Binary CAM is the standard version described above: every bit in a lookup is either a 0 or a 1, and the search looks for an exact match. This is what switches use for MAC address lookups.

Ternary CAM (TCAM) adds a third state to each bit: a wildcard, often written as an asterisk. This “don’t care” state allows partial matching, which is essential for tasks like filtering traffic with access control lists or prioritizing certain types of data. TCAM is significantly more expensive, consumes more power, and generates more heat because of its extremely dense parallel circuitry. Routers and Layer 3 switches use TCAM for IP routing and policy decisions, while basic Layer 2 switching relies on binary CAM.
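The difference between exact and ternary matching, as an added example that is not taken from any switch implementation. The `Tcam` class, the 8-bit keys and the rule set are constructed for illustration; each ternary pattern is stored as a value/mask pair, where a mask bit of 0 is the "don't care" state.

```python
def parse_ternary(pattern):
    """Turn a string of 0, 1 and * into (value, mask) integers.

    A mask bit of 1 means "must match"; a mask bit of 0 means "don't care".
    """
    value = mask = 0
    for ch in pattern:
        if ch not in "01*":
            raise ValueError(f"bad ternary digit: {ch!r}")
        value = (value << 1) | (ch == "1")
        mask = (mask << 1) | (ch != "*")
    return value, mask


class Tcam:
    def __init__(self, rules):
        # rules is an ordered list of (pattern, action); the first match wins.
        self.entries = [(*parse_ternary(p), action) for p, action in rules]

    def lookup(self, key):
        # Hardware compares every row at once and a priority encoder picks
        # the first hit; this loop produces the same result sequentially.
        for value, mask, action in self.entries:
            if (key & mask) == value:
                return action
        return None


# Constructed 8-bit keys and rules, for illustration only.
ACL = Tcam([
    ("1100****", "deny"),      # most specific rule first
    ("11******", "permit"),
    ("********", "default"),
])

# Binary CAM: a key either matches an entry exactly or not at all.
BINARY_CAM = {0b11001010: "port 3"}
```

Rule order matters: if the `11******` row were placed first, it would shadow the more specific `1100****` row.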

CAM Table Overflow Attacks

The finite size of CAM tables creates a well-known security vulnerability. In a CAM table overflow attack (also called MAC flooding), an attacker sends hundreds of thousands of frames with random, fake source MAC addresses into a switch. The switch dutifully tries to learn every one, filling its CAM table with bogus entries.

Once the table is full, legitimate entries get pushed out. The switch no longer knows which port leads to real devices, so it falls back to flooding all traffic out every port. At that point, the attacker can passively listen on their port and capture frames meant for other devices. The switch has essentially been forced to behave like an old-fashioned hub, broadcasting everything everywhere.

Network administrators defend against this with a feature called port security, which limits the number of MAC addresses a single port is allowed to learn. If a port exceeds its limit, the switch can shut the port down, drop the offending traffic, or send an alert. This simple countermeasure makes CAM overflow attacks far less practical on properly configured networks.
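How a per-port MAC limit keeps the table from filling, as an added example rather than any vendor's implementation. The `PortSecurity` class, the mode names `"shutdown"` and `"drop"`, and the traffic are constructed for illustration; in this model every violation is also recorded, standing in for the alert.

```python
class PortSecurity:
    """Per-port limit on learned source MACs, with a violation action."""

    def __init__(self, max_macs, action="shutdown"):
        if action not in ("shutdown", "drop"):
            raise ValueError(f"unknown action: {action}")
        self.max_macs = max_macs
        self.action = action
        self.learned = {}        # port -> set of MACs allowed on that port
        self.disabled = set()    # ports that have been shut down
        self.violations = []     # (port, mac) pairs; stands in for alerts

    def admit(self, port, src):
        """Return True if the frame may go on to the CAM learning stage."""
        if port in self.disabled:
            return False
        macs = self.learned.setdefault(port, set())
        if src in macs:
            return True
        if len(macs) < self.max_macs:
            macs.add(src)
            return True
        # The port has exceeded its limit: record it and apply the action.
        self.violations.append((port, src))
        if self.action == "shutdown":
            self.disabled.add(port)
        return False


def simulate(action, max_macs=2):
    # Constructed traffic: one host on port 1, ten distinct source MACs on port 2.
    frames = [(1, "aa:aa:aa:aa:aa:aa")]
    frames += [(2, f"02:00:00:00:00:{i:02x}") for i in range(10)]
    guard = PortSecurity(max_macs, action)
    cam = {}                     # MAC -> port; stands in for the CAM table
    for port, src in frames:
        if guard.admit(port, src):
            cam[src] = port
    return len(cam), len(guard.violations), sorted(guard.disabled)
```

In both modes the table ends with three entries instead of eleven; `"drop"` logs eight violations and keeps the port up, while `"shutdown"` logs one and disables port 2.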

Why It Matters for Network Performance

Without a CAM table, every frame on a network would be flooded to every device, wasting bandwidth and exposing traffic to machines that don’t need to see it. The CAM table is what turns a switch from a dumb repeater into an intelligent forwarding device. It keeps traffic contained to only the ports that need it, which reduces congestion, improves throughput, and provides a basic layer of traffic isolation between devices on the same network.

If you’re troubleshooting connectivity issues on a switched network, the CAM table is often one of the first places to look. A missing entry means the switch hasn’t seen traffic from that device recently. A full table means the switch may be flooding traffic it shouldn’t be. Understanding how the table populates, ages, and reaches its limits gives you a practical foundation for diagnosing a wide range of Layer 2 network problems.