PASSED: network / mac_table_overflow

MAC Flood Attack on Access Switch

A compromised workstation is flooding the network with spoofed MAC addresses, overflowing the switch CAM table and causing unknown unicast flooding across all VLANs.

Pattern: MAC_TABLE_OVERFLOW
Severity: CRITICAL
Confidence: 90%
Remediation: Auto-Heal

Test Results

Metric               | Expected            | Actual                        | Result
Pattern Recognition  | MAC_TABLE_OVERFLOW  | MAC_TABLE_OVERFLOW            |
Severity Assessment  | CRITICAL            | CRITICAL                      |
Incident Correlation | Yes                 | 22 linked                     |
Cascade Escalation   | N/A                 | No                            |
Remediation          | Auto-Heal           | Corax resolves autonomously   |

Scenario Conditions

48-port access switch with 8K MAC table. Compromised workstation on port Gi0/15. No port security enabled. MAC flood rate: 10K MACs/sec.

Injected Error Messages (2)

mac address table full on Access-SW5 — CAM table overflow, unknown unicast flood detected across all VLANs, mac limit exceeded on port Gi0/15
mac table overflow causing unknown unicast flooding to database server, unexpected traffic volume spike, mac flood from 10.10.20.115

Neural Engine Root Cause Analysis

Access-SW5 is experiencing a CAM (Content Addressable Memory) table overflow where the MAC address table has reached capacity, specifically on port Gi0/15. This has triggered unknown unicast flooding across all VLANs as the switch can no longer learn new MAC addresses and must flood traffic to all ports. The SNMP monitoring failure is a secondary symptom as the switch is overwhelmed processing the flood traffic, causing network services to become unresponsive.

Remediation Plan

1. Immediately clear the MAC address table on Access-SW5 to restore normal operation.
2. Implement port security on Gi0/15 to prevent MAC flooding attacks.
3. Configure MAC address aging timers to prevent stale entries.
4. Investigate the traffic source on port Gi0/15 for potential security threats or misconfigured devices.
5. Monitor CAM table utilization and set alerts before reaching capacity.
6. Verify SNMP service restoration after the CAM table cleanup.

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmncjco5j00blobqe0ctfuxko