What Is Content-addressable Memory in Networking?

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

Quick Definition

Content-addressable Memory, often called CAM, is a super-fast lookup table built into network switches and routers. Instead of storing data at a specific address, CAM stores data by its content and returns the location where that content lives. This allows a networking device to instantly match a destination MAC address or other key to a forwarding decision, without having to search through memory one cell at a time.

Must Know for Exams

Content-addressable Memory is a frequent topic in the CCNA (200-301) and CompTIA Network+ (N10-008, N10-009) certification exams. In the CCNA exam, it appears under the objectives for switching fundamentals, specifically the MAC address table and how switches forward frames. The CCNA exam expects candidates to understand that a switch uses a CAM table to make forwarding decisions. Questions often ask about the type of memory used for the MAC address table and how the table is populated through the learning process.

For the CCNA, you will see questions such as: what does a switch do when it receives a frame with an unknown destination MAC? The correct answer is that it floods the frame out of all ports except the receiving port. This happens because the destination MAC is not yet in the CAM table. Once the target device replies, the switch learns its MAC and port association and writes it into the CAM table. The exam also tests the difference between CAM and TCAM. In more advanced CCNA topics, TCAM is linked to ACL processing and QoS classification.

In the CompTIA Network+ exam, CAM is covered under network operations and network troubleshooting. Network+ objectives include explaining the function of a switch in forwarding frames and the role of the MAC address table. The exam may present a scenario where a network slowdown occurs, and the candidate must suspect a CAM table overflow attack. Network+ also looks at the impact of switch learning on broadcast domains and collision domains.

Both exams test the concept that CAM is content-addressable, not address-addressable. A common exam question describes the difference between RAM and CAM. The correct answer states that CAM searches by content, while RAM searches by address. Another typical question asks about the memory type that allows wildcard matching: the answer is TCAM.

For higher-level Cisco certifications like CCNP Enterprise (350-401 ENCOR), TCAM is tested in depth for route lookup optimization, ACL hardware offloading, and QoS in hardware. Candidates must understand how longest prefix match works with TCAM and why route order matters. Knowing how to troubleshoot suboptimal routing caused by incorrect TCAM entry ordering is a practical skill tested in CCNP.

Exam candidates should remember that CAM is hardware-based, expensive, power-hungry, and limited in size. These characteristics explain why network devices have a finite MAC address table size, and why attacks like MAC flooding can succeed. The exam will not require you to design a CAM circuit, but you must understand its function, limitations, and relationship to switch forwarding behavior.

Simple Meaning

Imagine you have a giant library with millions of books, but you cannot remember where any of them are shelved. Normal computer memory works like a librarian who can fetch a book only by its index number: you give the index number, and they bring you the book. If you only have the book title, they have to walk through every shelf until they find the right one. That is slow. Content-addressable Memory works like a magical librarian who, the moment you say the book title, instantly knows the exact shelf. It does not search step by step. It compares your request against every stored entry in one single operation.

In networking, this is critical because a switch receives a frame with a destination MAC address and needs to decide which port to forward it out. The switch holds a table of MAC addresses and their associated ports. With regular memory, the switch would have to check each table entry one by one until it finds the matching MAC. That could take thousands of steps and would be far too slow for modern networks that handle millions of frames per second. CAM solves this by comparing the incoming MAC against all entries at the same time, so the switch can deliver the answer in a single clock cycle.

Another way to think about CAM is like a post office sorting machine. When a letter arrives, the machine reads the zip code and instantly shoots the letter into the correct bin. It does not read one bin label at a time to find the match. Every bin label is compared at the same moment. CAM brings that same instant parallel matching into the world of networking hardware, making it possible for switches and routers to operate at wire speed without introducing delay.

Because CAM returns only the first match, if there are duplicate entries, the memory returns the match at the lowest physical address. This behavior is important to understand for network design, especially when dealing with redundant paths or policy-based forwarding. CAM is not used to store large amounts of general data. It is purpose-built for speed and parallelism, trading off capacity and power consumption for raw lookup performance.

Full Technical Definition

Content-addressable Memory (CAM) is a hardware-based search engine implemented in ASICs or FPGAs found inside network switches, routers, and some firewalls. Unlike traditional Random Access Memory (RAM), where the CPU supplies a memory address to read data, CAM is addressed by its data content. The memory cell array in a CAM is designed to simultaneously compare an input search word against all stored entries. The comparator logic is built directly into each memory cell, enabling a fully parallel comparison in a single clock cycle.

There are two primary types of CAM used in networking: Binary CAM (BCAM) and Ternary CAM (TCAM). BCAM stores and searches for entries that consist of only 0s and 1s. This is commonly used in Layer 2 switches where the MAC address table (also called the CAM table) maps MAC addresses to switch ports. BCAM can store a MAC address in binary form and return the associated port number. TCAM is an extension that adds a third state: a wildcard or "don’t care" bit, represented as X. TCAM entries can match any value in positions where the X is set. This makes TCAM ideal for routing tables, Access Control Lists (ACLs), and Quality of Service (QoS) policies, where you need to match a range of IP addresses or protocols with a single rule.

In a typical switch, the MAC address table resides in a BCAM. When a frame arrives, the switch extracts the destination MAC address, feeds it as input to the CAM, and the CAM returns the index of the matching entry. That index is then used to retrieve the corresponding forwarding port. The entire operation happens in hardware within nanoseconds, allowing the switch to forward frames at line rate even on 100 Gbps ports.

On routers, TCAM is used in the forwarding information base (FIB) to perform longest prefix match (LPM) for IP routing. The mask field in TCAM allows the router to store subnet masks as wildcards. For example, a route to 192.168.0.0/16 is stored with the last 16 bits masked as X. When a packet arrives, the router searches the TCAM with the destination IP address. Because TCAM returns the first matching entry from the lowest physical address, routes must be ordered from the most specific (longest prefix) to the least specific (default route) to ensure correct forwarding.

Power consumption and heat generation are significant trade-offs with CAM, because every comparison fires millions of transistors simultaneously. To manage this, network engineers sometimes limit the size of the CAM table or use algorithmic approaches like hash tables in software for less performance-critical lookups. Modern switches often combine CAM with other memory types: CAM for the fastest lookups, SRAM for temporary buffering, and DRAM for larger routing tables.

Protocols such as IEEE 802.1D (Spanning Tree Protocol) and 802.1Q (VLAN tagging) directly rely on the CAM table structure. When a switch learns a MAC address, it writes an entry into the CAM along with the VLAN ID and port. TCAM is also critical for implementing quality of service marking and policing at wire speed. Understanding how CAM works is essential for designing scalable network topologies and for troubleshooting issues like CAM table overflow attacks (MAC flooding) or suboptimal forwarding due to incorrect route ordering in TCAM.

Real-Life Example

Think of a large office building with hundreds of employees and a single, very fast receptionist at the front desk. The receptionist has a list of all employee names and their corresponding desk numbers, printed on a special board that lights up instantly when a name is scanned. When a package arrives for an employee, the delivery person reads the name out loud. Instead of scanning the list row by row to find the name, the receptionist’s scanning board compares the name against every entry on the list at the exact same moment. The moment the name is read, the correct desk number lights up immediately. That is exactly how CAM works.

In this analogy, the receptionist’s magic board is the CAM chip. The employee names are the MAC addresses or IP addresses stored in the table. The desk numbers are the switch ports or next-hop interfaces. The delivery person is the incoming data frame or packet. The spoken name is the search key. The board’s instant response is the CAM’s ability to return a match in one clock cycle.

Now imagine the building also has a second board for departments, where some departments allow visitors from any floor (wildcards). For example, the mailroom accepts packages from anyone, so its entry has a wildcard for the floor number. This second board is like TCAM: it can store entries that say “match any floor” in addition to specific matches. When a package arrives, the receptionist checks both boards. The most specific match (exact desk number) takes priority over a general match (any floor).

If the building holds 10,000 employees, the receptionist’s magic board must be very large and uses a lot of electricity to compare all names at once. That is the power trade-off of CAM. But the speed is unmatched. Without CAM, the receptionist would have to read the list from top to bottom, name by name. For a busy office receiving packages every second, that would cause a massive backlog. That backlog is exactly what happens when a switch cannot keep up with frame forwarding, leading to packet loss and network slowdowns.

Why This Term Matters

Content-addressable Memory matters because it enables network devices to operate at wire speed, the maximum data rate of the physical link. Without CAM, every frame or packet would require multiple memory accesses to find a forwarding decision, introducing latency and limiting throughput. In modern enterprise and data center networks where links run at 10, 40, 100, or even 400 Gbps, even a microsecond of lookup delay per frame can cause serious performance bottlenecks.

In cybersecurity, CAM plays a vital role in Access Control Lists. A firewall or router must compare every packet against a set of rules that could number in the thousands. Without TCAM, software-based rule matching would severely limit firewall throughput. TCAM allows the device to apply hundreds or thousands of rules in parallel, making deep packet inspection and stateful filtering possible at line rate. Misconfiguration of TCAM, such as placing a broad rule before a specific rule, can lead to security bypasses or unintended traffic dropping.
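The first-match behaviour described here for ACLs, and earlier for longest prefix match in the FIB, can be checked in software. The following is an added example, not code from this page or from any vendor; the TcamEntry layout, the function names and the sample routes and rules are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple


class TcamEntry(NamedTuple):
    value: int    # bit pattern to match
    mask: int     # 1 = compare this bit, 0 = wildcard (the X state)
    action: str   # next hop, or permit/deny for an ACL row


def from_prefix(prefix, action):
    """Build a row from CIDR notation; host bits become wildcards."""
    net = ipaddress.ip_network(prefix)
    return TcamEntry(int(net.network_address), int(net.netmask), action)


def lookup(entries, address):
    """First match wins. Hardware compares every row at once and reports the
    lowest matching index; the loop reproduces that result sequentially."""
    key = int(ipaddress.ip_address(address))
    for index, e in enumerate(entries):
        if (key & e.mask) == (e.value & e.mask):
            return index, e.action
    return None, None


def shadowed(entries):
    """Return (earlier, later) index pairs where the later row can never hit,
    because the earlier row matches every key the later row matches."""
    pairs = []
    for j, later in enumerate(entries):
        for i, earlier in enumerate(entries[:j]):
            cares_subset = (earlier.mask & later.mask) == earlier.mask
            same_on_cared = ((earlier.value ^ later.value) & earlier.mask) == 0
            if cares_subset and same_on_cared:
                pairs.append((i, j))
                break
    return pairs


def longest_prefix_first(entries):
    """Order rows from most specific to least specific (stable sort)."""
    return sorted(entries, key=lambda e: bin(e.mask).count("1"), reverse=True)


# Constructed routing rows, deliberately written in the wrong order.
MISORDERED_ROUTES = [
    from_prefix("192.168.0.0/16", "core"),
    from_prefix("192.168.10.0/24", "branch"),
    from_prefix("0.0.0.0/0", "default"),
]

# Constructed ACL rows: the broad permit hides the specific deny.
MISORDERED_ACL = [
    from_prefix("10.0.0.0/8", "permit"),
    from_prefix("10.9.9.0/24", "deny"),
]

if __name__ == "__main__":
    print("misordered:", lookup(MISORDERED_ROUTES, "192.168.10.7"),
          "shadowed:", shadowed(MISORDERED_ROUTES))
    fixed = longest_prefix_first(MISORDERED_ROUTES)
    print("reordered :", lookup(fixed, "192.168.10.7"),
          "shadowed:", shadowed(fixed))
    print("acl       :", lookup(MISORDERED_ACL, "10.9.9.5"),
          "shadowed:", shadowed(MISORDERED_ACL))
```

Running shadowed() over an exported rule list before it is programmed into hardware is a cheap way to catch a specific deny that a broader permit has made unreachable.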

For network administrators, understanding CAM is essential for diagnosing issues like MAC address flooding attacks. In a MAC flooding attack, an attacker sends thousands of frames with fake source MAC addresses to fill up the CAM table on a switch. Once the CAM table is full, the switch enters a fail-open mode where it floods all unknown unicast traffic out every port, effectively turning the switch into a hub. An attacker can then sniff traffic that was not meant for them. Administrators must configure port security, MAC address limits, and dynamic ARP inspection to guard against CAM table overflow.

In cloud and virtualized environments, virtual switches like Open vSwitch also use CAM-like structures for MAC learning, but in software. While software CAM cannot match the speed of hardware CAM, the same principles apply: fast lookup is critical for performance. Network engineers designing large-scale SDN deployments must consider the CAM capacity of physical switches when planning flow table sizes.

Finally, Content-addressable Memory is a foundation technology that makes other networking concepts possible. VLAN tagging, spanning tree protocol, multicast group management, and policy-based routing all depend on the ability to look up a key instantly. Professionals who work with switching, routing, or security cannot fully understand how their devices forward traffic at high speed without appreciating the role of CAM.

How It Appears in Exam Questions

Exam questions on Content-addressable Memory typically fall into four categories: scenario-based, configuration, troubleshooting, and architecture comparison.

Scenario-based questions: The exam presents a description of a small office network where a switch is behaving unexpectedly. For example, a user reports that network traffic is suddenly slow, and tools show the switch is flooding traffic out of all ports. The question asks what is most likely the cause. The correct answer is a MAC flooding attack that has filled the CAM table, forcing the switch to flood all unknown unicast frames. Another scenario might describe a switch that has just been powered on and receives a frame. The candidate must explain that the switch will flood the frame until it learns the destination MAC and updates its CAM table.

Configuration questions: The CCNA may ask about configuring port security to limit the number of MAC addresses that can be learned on a port. The underlying reason is to protect the CAM table from being filled with fake MAC addresses. Another configuration question might involve configuring a static MAC address entry in the CAM table to ensure a particular device always receives traffic on a specific port.

Troubleshooting questions: The CompTIA Network+ exam might ask you to examine output from the show mac address-table command on a Cisco switch. The question could show a table with an entry that has the wrong port and ask why this is happening. The answer may involve a bridging loop causing the MAC address to flap between ports. In another troubleshooting scenario, a router is forwarding packets incorrectly, and the candidate must determine that the TCAM table has a more general route placed before a specific route, causing packets to take the wrong path.

Architecture and comparison questions: These questions ask about the difference between CAM and TCAM, or between CAM and RAM. A typical question says: “Which type of memory does a switch use to store MAC addresses?” The answer is CAM. Another question asks: “Which memory type supports wildcard matching for ACLs?” The answer is TCAM.

There are also conceptual questions about speed and cost. For instance, “Why does a switch use CAM instead of RAM for its MAC address table?” The correct answer is that CAM allows parallel searching in a single clock cycle, while RAM requires sequential address lookups.

Candidates should also be ready for scenario questions about switch forwarding behavior. For example, a switch receives a frame with a destination MAC that is already in the CAM table. The question asks what the switch does next. The answer is that it forwards the frame only out of the associated port (unicast forwarding). If the destination MAC is not in the table, the switch floods the frame. Understanding this logic is essential for both CCNA and Network+.

Finally, exam questions sometimes test the relationship between CAM and VLANs. A switch with multiple VLANs stores a separate CAM table for each VLAN, or a single CAM table with VLAN tags. A question might ask how a switch uses the VLAN ID along with the MAC address to make a forwarding decision. The correct answer involves combining the MAC address and VLAN ID as the search key in CAM.

Example Scenario

A company named TechFlow has a network with one core switch and 20 desktop computers. The switch has just been powered on after a power outage. The IT manager Mary notices that a computer named Sales-PC1 sends a broadcast frame to find the printer. The switch receives the broadcast and forwards it out of every port except the one that received it. At this point, the switch’s CAM table is empty.

A few seconds later, the printer replies with a frame addressed directly to Sales-PC1. The switch receives this return frame. It does not yet know where Sales-PC1 is located, so it floods the reply out of all ports except the one connected to the printer. Sales-PC1 receives the reply. The switch now observes the source MAC address of the printer and the port it came in on. It writes this information into its CAM table: the printer’s MAC address is now associated with port 5.

The next time Sales-PC1 sends a frame to the printer, the switch looks up the printer’s MAC in its CAM table. This time, it finds a match and forwards the frame only to port 5. The CAM table has been populated successfully, and the network operates efficiently.

This scenario shows how CAM is central to the switch learning process. Without CAM, the switch would have to broadcast every frame, wasting bandwidth and causing network congestion. The CAM table allows the switch to make precise, one-to-one forwarding decisions after the initial learning phase.

The same scenario can be used to explain a CAM table overflow attack. If an attacker on the network sends thousands of fake frames with random source MAC addresses, the CAM table fills up. Once full, the switch can no longer learn new MACs and reverts to flooding all frames, just like when it was first powered on. This creates a security risk because the attacker can capture traffic intended for other devices.

Common Mistakes

Thinking that CAM is the same as RAM and just stores data at addresses.

CAM is fundamentally different from RAM because RAM requires an address to retrieve data, while CAM takes data as input and returns the address where a match exists. They are opposite in operation.

Remember that CAM is content-addressable, meaning you search by the data itself. RAM is address-addressable, meaning you search by the storage location.

Believing that a switch uses CAM to store all network traffic temporarily, like a buffer.

CAM is used for lookup tables, not for buffering packets. Packet buffers are separate memory regions, usually SRAM or DRAM. CAM only stores forwarding information like MAC-to-port mappings.

Understand that CAM holds the MAC address table, not the actual packet data. The packets themselves are buffered elsewhere before being forwarded.

Assuming that the largest CAM table is always better because it can hold more MAC addresses.

Larger CAM tables consume more power and generate more heat. Many switches have a fixed CAM size, and exceeding it causes flooding. Larger is not automatically better; you need to match the CAM size to your network’s actual MAC address count.

Design your network so that the total number of active MAC addresses stays well below the CAM table capacity. Use port security and VLAN segmentation to limit MAC learning per port.

Confusing CAM with TCAM and thinking they are interchangeable.

BCAM can only store binary values (0 or 1). TCAM adds a third state (wildcard X) that matches either 0 or 1. TCAM is used for routing and ACLs where wildcard matching is needed; BCAM is for exact match lookups like MAC addresses.

Remember that TCAM is a superset of CAM. If you need to match a range of values (like an IP subnet), you need TCAM. For exact match lookups like MAC addresses, BCAM is sufficient.

Thinking that a switch always forwards based on CAM lookup, even for broadcast or multicast frames.

The CAM table is only used for unicast frames. Broadcast frames are always flooded (unless filtered). Multicast frames use a separate multicast group table that may also use CAM, but the behavior is different.

Know that CAM is primarily for unicast forwarding. Broadcast frames go everywhere. Multicast frames undergo a different lookup process involving IGMP snooping and multicast CAM entries.

Believing that CAM tables are permanent and never change.

CAM entries have an aging timer, typically 300 seconds (5 minutes) on Cisco switches. If a MAC address does not send traffic within that window, the entry is removed to free space for new learning.

Remember that CAM is dynamic. Static MAC entries can be configured manually, but by default entries age out. This is important for network changes like moving a device from one port to another.

Assuming that a switch with a full CAM table stops working entirely.

When the CAM table is full, the switch does not crash. Instead, it switches to fail-open mode: it floods all unknown unicast frames out of all ports, which can cause performance degradation and security risks, but the switch still forwards traffic.

Understand that a full CAM table leads to flooding, not a complete failure. Troubleshoot by checking the show mac address-table count command and looking for unauthorized MAC addresses.

Exam Trap — Don't Get Fooled

An exam question states that a switch uses CAM to store routing information like IP networks. The answer choices include “CAM stores routing tables”, presented as if it were a correct option. Remember that CAM (BCAM) stores exact-match entries like MAC addresses.

Routing tables require longest prefix match with wildcard entries, which is a job for TCAM, not regular CAM. If the question mentions IP routes or subnet masks, the answer is TCAM. Another trap is that some older questions state that the routing table is stored in CAM.

That is wrong on modern devices. Always match the memory type to the lookup type: exact match uses CAM, prefix match uses TCAM.

Commonly Confused With

Content-addressable Memory vs TCAM (Ternary Content-addressable Memory)

CAM stores only exact binary values (0 or 1). TCAM stores binary values plus a wildcard state (X) that matches either 0 or 1. TCAM is used for routing tables and ACLs where you need to match ranges or subnets, while CAM is for exact match lookups like MAC addresses.

A switch port that forwards frames to MAC address AA:BB:CC:DD:EE:FF uses CAM. A router that forwards packets to 192.168.0.0/16 uses TCAM because the /16 mask is a wildcard for the last 16 bits.

Content-addressable Memory vs RAM (Random Access Memory)

RAM requires an address to retrieve data. You provide a memory address, and RAM returns the data stored there. CAM does the opposite: you provide the data and CAM returns the address where it is stored. RAM is used for general storage and packet buffers; CAM is dedicated to lookup tables.

When your computer opens a program, it loads the instructions into RAM at specific addresses. When a switch wants to forward a frame, it gives the MAC address (data) to CAM and gets back the port number (address).

Content-addressable Memory vs CAM Table (MAC Address Table)

The CAM table is the actual data structure stored inside the CAM memory on a switch. People sometimes say “CAM table” to refer to the MAC address table, but CAM is the hardware technology, while the table is the collection of entries. They are not synonyms, though the term is used loosely in the industry.

If you type show mac address-table on a Cisco switch, you see the MAC address table. That table is stored in CAM hardware. The CAM is the engine; the table is the content.

Content-addressable Memory vs CPU Cache (L1/L2/L3)

CPU cache is a small, fast memory that stores copies of frequently accessed data from main memory to speed up processing. CAM is not a cache for general processing; it is a specialized search engine for networking lookups. CPU cache uses an address-based lookup, whereas CAM uses content-based lookup.

Your computer’s CPU cache stores recent calculations so the CPU does not have to go to RAM every time. A switch’s CAM stores MAC addresses so it does not have to search through a list in software.

Content-addressable Memory vs Associative Memory

Associative memory is a broader term for any memory that can be accessed by content. CAM is a specific hardware implementation of associative memory. In the context of networking, “content-addressable memory” and “associative memory” are often used interchangeably, but associative memory is the general concept, while CAM is the circuit-level implementation.

You could build a software-based associative memory using a hash table, but it would not be CAM. CAM is the hardware version that operates in parallel at nanosecond speed.

Step-by-Step Breakdown

1. Frame Arrival at Switch Port

A network frame arrives at one of the switch’s physical ports. The switch extracts the source MAC address and the destination MAC address from the frame header, along with the VLAN ID if applicable. This extraction happens at wire speed using dedicated hardware logic.

2. Source MAC Learning

The switch takes the source MAC address and the port it arrived on, plus the VLAN ID, as input to the CAM. It compares this input against all entries in the CAM table. If no match exists, the switch writes a new entry: source MAC, VLAN, and incoming port. This is called MAC learning. If the entry already exists but on a different port, the switch updates the CAM entry to reflect the new port. This prevents stale forwarding information.

3. Destination MAC Lookup in CAM

The switch now searches the CAM table using the destination MAC address and VLAN ID as the search key. The CAM hardware compares this key against all entries simultaneously. The comparison takes exactly one clock cycle regardless of the table size. The CAM returns the index of the matching entry, or a miss signal if no entry is found.

4. Forwarding Decision Based on CAM Result

If the CAM returns a match, the switch retrieves the associated port number from the entry. It then forwards the frame only out of that port. This is called unicast forwarding. If the CAM returns a miss (destination not found), the switch floods the frame out of all ports except the one that received it. Flooding ensures the frame reaches its destination even when the switch does not yet know the correct port.

5. Entry Aging and Removal

Every CAM entry has an aging timer, typically 300 seconds (configurable). The switch periodically checks each entry. If no frame with the same source MAC address arrives within the aging period, the entry is removed from the CAM table. This keeps the table current and prevents the switch from forwarding traffic to a port where the device is no longer connected. Static MAC entries can be configured with no aging.

6. Handling CAM Table Full Condition

When the CAM table reaches its maximum capacity, the switch cannot learn new MAC addresses. It enters a fail-open state where all unknown unicast frames (frames with destination MACs not in the table) are flooded out of all ports. This condition can be used by attackers in a MAC flooding attack. Network administrators monitor CAM utilization and configure port security to limit the number of MAC addresses per port.
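The six steps above, modelled in software as an added example that is not part of the original page or any vendor's code. The CamSwitch class, its capacity and port_limit parameters, the drop-on-violation behaviour and all addresses are assumptions made for illustration; a dictionary keyed on VLAN and MAC stands in for the parallel hardware compare.

```python
from dataclasses import dataclass

AGING_SECONDS = 300                      # typical aging timer quoted on this page
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: int
    last_seen: float


class CamSwitch:
    """Toy model of a learning switch with a finite MAC table."""

    def __init__(self, ports, capacity, port_limit=None):
        self.ports = list(ports)
        self.capacity = capacity         # finite table size
        self.port_limit = port_limit     # per-port MAC limit (port-security style)
        self.table = {}                  # (vlan, mac) -> Entry
        self.violations = 0

    def _age(self, now):
        # Step 5: remove entries whose source has been silent for the aging period.
        for key in [k for k, e in self.table.items()
                    if now - e.last_seen >= AGING_SECONDS]:
            del self.table[key]

    def _learn(self, vlan, mac, port, now):
        # Step 2: learn the source, or refresh/move an entry that already exists.
        entry = self.table.get((vlan, mac))
        if entry is not None:
            entry.port, entry.last_seen = port, now
            return True
        if self.port_limit is not None:
            learned_here = sum(1 for e in self.table.values() if e.port == port)
            if learned_here >= self.port_limit:
                self.violations += 1
                return False             # over-limit source: frame is dropped
        if len(self.table) < self.capacity:
            self.table[(vlan, mac)] = Entry(port, now)
        return True                      # Step 6: a full table forwards but cannot learn

    def receive(self, vlan, src, dst, in_port, now):
        """Step 1 onward: process one frame and return the egress ports."""
        self._age(now)
        if not self._learn(vlan, src, in_port, now):
            return []
        flood = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return flood
        hit = self.table.get((vlan, dst))    # Step 3: search key is VLAN + MAC
        if hit is None:
            return flood                     # Step 4: miss, so flood
        return [] if hit.port == in_port else [hit.port]   # Step 4: hit, one port


HOST_A, HOST_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed addresses


def flood_scenario(port_limit):
    """Constructed traffic: host A talks, port 3 presents 20 bogus sources,
    then host B joins and A sends it a unicast frame."""
    sw = CamSwitch(ports=[1, 2, 3, 4], capacity=8, port_limit=port_limit)
    sw.receive(10, HOST_A, BROADCAST, 1, now=0)
    for i in range(20):
        sw.receive(10, f"02:00:00:00:00:{i:02x}", BROADCAST, 3, now=1)
    sw.receive(10, HOST_B, HOST_A, 2, now=2)
    egress = sw.receive(10, HOST_A, HOST_B, 1, now=3)
    return egress, len(sw.table), sw.violations


if __name__ == "__main__":
    print("no limit :", flood_scenario(None))   # A-to-B traffic reaches every port
    print("limit = 1:", flood_scenario(1))      # A-to-B traffic reaches port 2 only
```

With no per-port limit the table fills before host B can be learned, so traffic for B is flooded to every port including port 3; with a limit of one MAC per port the same burst is rejected and B is learned normally.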

Practical Mini-Lesson

Content-addressable Memory is not something you configure directly as a network professional, but you work with its effects every time you verify a switch’s MAC address table. In practice, you interact with CAM through commands like show mac address-table on Cisco devices or get mac-address-table on other vendors. When you issue this command, you see the MAC addresses, VLANs, and associated ports that the switch has learned and stored in CAM.

Understanding how CAM behaves helps you diagnose common network issues. For example, if a user moves their computer from one switch port to another, the switch will learn the MAC address on the new port and update the CAM entry. But if the user moves quickly, the aging timer may not have expired on the old port, and the switch could temporarily have the same MAC address on two ports. This situation, called MAC flapping, triggers a warning log message and can cause intermittent connectivity. You can resolve it by clearing the MAC address table manually with clear mac address-table dynamic.

From a security perspective, CAM is vulnerable to attack. A MAC flooding tool like macof sends thousands of frames with random source MAC addresses per second. This fills the CAM table on the target switch, forcing it into flooding mode. Once in flooding mode, the attacker can use a network sniffer to capture all unicast traffic on the network, including traffic to and from other hosts. Defenses include configuring port security to limit the number of MAC addresses per port, using dynamic ARP inspection, and implementing switchport port-security maximum 1 on access ports.

In larger networks, professionals must plan for CAM capacity. Different switch models have different CAM table sizes, ranging from 8,000 entries on small access switches to over 1 million entries on data center core switches. When designing a network, you should estimate the number of active MAC addresses that each switch will see. In a flat network, a core switch might learn every MAC address in the entire organization, which can exceed its table size. Using VLANs and Layer 3 routing at the distribution layer limits the number of MAC addresses any single switch must learn, because routing breaks the broadcast domain.

For CCNP-level work, you may need to configure TCAM regions. On Cisco switches, the system TCAM is divided into regions for IPv4 unicast routes, IPv6 routes, ACLs, QoS, and other features. You can adjust the size of each region with the command sdm prefer. For example, if your network runs many ACLs, you allocate more TCAM space to the ACL region. This is a configuration task that directly affects the performance and feature support of the switch.

Finally, CAM is also relevant to network monitoring. Tools like SNMP can read CAM table utilization OIDs to alert you when the table is approaching capacity. If you see CAM utilization above 80%, you should investigate whether there is a legitimate reason, such as a large network, or an attack in progress. Maintaining headroom in CAM capacity is a best practice to avoid the flooding state.
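A check along these lines can also be run against saved show mac address-table output. The following is an added example, not part of the original page; the sample output is constructed, and the table capacity of 50, the uplink port name and the per-port threshold of 2 are assumptions chosen so the sample is easy to follow.

```python
import re
from collections import Counter

# One data row of "show mac address-table": VLAN, dotted-hex MAC, type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; headers and totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), mac.lower(), kind.upper(), port))
    return rows


def assess(rows, capacity, uplinks=(), per_port_max=2, alert_ratio=0.80):
    """Flag high table utilization and access ports with too many learned MACs.

    capacity is the table size of the switch model, supplied by the operator.
    uplinks are ports expected to carry many MACs and are never flagged.
    """
    dynamic = [r for r in rows if r[2] == "DYNAMIC"]
    per_port = Counter(port for _, _, _, port in dynamic)
    suspects = sorted(
        port for port, count in per_port.items()
        if port not in uplinks and count > per_port_max
    )
    utilization = len(rows) / capacity
    return {
        "utilization": utilization,
        "alert": utilization > alert_ratio,   # the 80% guideline from the text
        "suspect_ports": suspects,
        "per_port": dict(per_port),
    }


def constructed_output():
    """Constructed sample output, not captured from a real device."""
    lines = [
        "          Mac Address Table",
        "-------------------------------------------",
        "",
        "Vlan    Mac Address       Type        Ports",
        "----    -----------       --------    -----",
        "  10    0000.5e00.5301    DYNAMIC     Gi1/0/1",
        "  10    0000.5e00.5302    DYNAMIC     Gi1/0/2",
    ]
    # Five hosts behind the uplink: expected, so not suspicious.
    lines += [f"  10    0000.5e00.54{i:02x}    DYNAMIC     Gi1/0/24" for i in range(5)]
    # Forty sources on one access port: the pattern a MAC flood leaves behind.
    lines += [f"  10    0200.0000.{i:04x}    DYNAMIC     Gi1/0/7" for i in range(40)]
    lines.append("Total Mac Addresses for this criterion: 47")
    return "\n".join(lines)


if __name__ == "__main__":
    report = assess(parse_mac_table(constructed_output()),
                    capacity=50, uplinks={"Gi1/0/24"})
    print(f"utilization {report['utilization']:.0%}, alert={report['alert']}")
    print("ports to investigate:", report["suspect_ports"])
```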

Memory Tip

Think of CAM as a “Reverse Rolodex.” A normal Rolodex (RAM) requires a name to give you a card. But CAM works backwards: you give the card and it instantly finds the name. For the exam, remember “CAM is for MAC, TCAM is for masks.”

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008, N10-009 (current version)

Frequently Asked Questions

What does CAM stand for in networking?

CAM stands for Content-addressable Memory. It is a specialized hardware memory used in network switches and routers to perform fast lookups by content rather than by address.

What is the difference between CAM and TCAM?

CAM (Binary CAM) stores only exact binary values, 0 or 1. TCAM (Ternary CAM) adds a third wildcard state that matches either 0 or 1. TCAM is used for routing tables and ACLs where prefix matching is needed, while CAM is used for exact MAC address lookups.

Can a switch operate without CAM?

In theory, a switch could use a software-based lookup table, but it would be extremely slow and could not operate at wire speed. CAM is essential for modern switches to forward frames at high speeds without introducing delay.

How does a switch handle a full CAM table?

When the CAM table is full, the switch cannot learn new MAC addresses. It enters a fail-open mode and floods all unknown unicast frames out of all ports, which can degrade performance and create security vulnerabilities.

What is CAM table aging and why does it matter?

CAM table aging is the process of removing entries that have not been used for a configurable period, typically 300 seconds. This keeps the table up to date and frees space for new learning. Without aging, stale entries would persist and cause forwarding errors.

Is CAM used in routers for IP routing?

Routers use TCAM, not regular CAM, for IP routing because TCAM supports longest prefix match with wildcard mask entries. CAM is not suitable for routing tables because it only supports exact match lookups.

How can I protect against MAC flooding attacks on switches?

You can protect against MAC flooding by configuring port security with a maximum MAC address limit per port, enabling dynamic ARP inspection, and using features like DHCP snooping. These measures prevent an attacker from filling the CAM table with fake MAC addresses.

What command shows the CAM table on a Cisco switch?

The command show mac address-table displays the MAC address table stored in CAM on a Cisco switch. You can also use show mac address-table count to see how many entries are in use and how much CAM space is available.

Summary

Content-addressable Memory is the high-speed lookup engine inside network switches and routers that enables wire-speed forwarding by comparing search data against all stored entries in a single clock cycle. Unlike regular RAM, which retrieves data based on a memory address, CAM works in reverse: you present the data and it returns the matching address. This technology is fundamental to how switches build and consult their MAC address tables, and it is extended in TCAM to handle wildcard matching for routing and ACLs.

For certification exams like the CCNA and CompTIA Network+, you must understand that CAM is used for exact match lookups (MAC addresses), while TCAM handles prefix matching. You should know the consequences of a full CAM table, including flooding and security risks, and be aware of commands like show mac address-table. From a practical standpoint, CAM capacity planning, MAC flapping, and defending against MAC flooding attacks are real-world skills that rely on understanding this memory type. By mastering the difference between CAM and TCAM, their roles in Layer 2 and Layer 3 forwarding, and the impact of CAM table limitations, you will be well-prepared for both exams and network administration tasks.