GCIH · Question #680
Alice is checking for unusual activity on the LAN that she administers. Based on the CAM table excerpt below, what port should be investigated further?
The correct answer is A. Gi1/1/3. A CAM table with multiple MAC addresses mapped to a single port indicates a MAC flooding attack or a rogue device acting as an aggregation point, making that port suspicious.
Question
Alice is checking for unusual activity on the LAN that she administers. Based on the CAM table excerpt below, what port should be investigated further?
Exhibit
Options
- AGi1/1/3
- BGi1/1/4
- CGi1/1/2
- DGi1/1/5
How the community answered
(42 responses)- A55% (23)
- B29% (12)
- C12% (5)
- D5% (2)
Why each option
A CAM table with multiple MAC addresses mapped to a single port indicates a MAC flooding attack or a rogue device acting as an aggregation point, making that port suspicious.
Port Gi1/1/3 shows multiple MAC addresses associated with it in the CAM table, which is a hallmark of a MAC flooding attack where an attacker overwhelms the switch's CAM table to force it into hub-like behavior. Legitimate end-user ports typically map to a single MAC address, so many MACs on one port warrants investigation for a rogue hub, unauthorized switch, or active MAC flooding tool.
Gi1/1/4 appears to have a normal, single MAC-to-port mapping consistent with a legitimate end device.
Gi1/1/2 shows a typical single-device association in the CAM table and does not exhibit anomalous behavior.
Gi1/1/5 also reflects a standard single MAC address mapping and presents no indicators of unusual activity.
Concept tested: CAM table flooding and MAC-based anomaly detection
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html
Topics
Community Discussion
No community discussion yet for this question.
