Monitor Size of the CAM Table on a Cisco Switch

Do you have a sense of the size and frequency of the flooded packets - or a particular VLAN, for that matter? One common phenomenon is unicast flooding due to the mismatch of CAM and ARP timers. If CAM ages out but the corresponding ARP entry is still there, then the switch will flood these frames. I've seen circumstances where this has resulted in literally gigabits of traffic showing up places it wasn't supposed to. There have also been circumstances where this correlated with CEF also losing entries - which then manifests as CPU issues on many platforms.

As far as pulling the address count via SNMP - check out this page: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a9b.shtml . It's slightly painful, but the mechanism is to pull the list of VLANs and then to pull a list of CAM table addresses per VLAN and count accordingly. On the plus side it will give you a clue about where to look if there is actually a sudden proliferation of addresses somewhere.

You could also simply call "sh mac address-table count" either via ssh or a periodic EEM script that would then transmit the result back via e-mail, syslog, trap, etc. This is dependent on the hardware platform and code rev, though.
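A sketch of the SNMP counting approach described above, added as an example and not part of the original answer. It assumes net-snmp's snmpwalk, SNMPv2c and Cisco community string indexing (community@vlan); the sample walk output is constructed, and the `spikes` thresholds are arbitrary assumptions.

```python
import re
import subprocess

VTP_VLAN_STATE = "1.3.6.1.4.1.9.9.46.1.3.1.1.2"   # CISCO-VTP-MIB vtpVlanState
DOT1D_TP_FDB_ADDRESS = "1.3.6.1.2.1.17.4.3.1.1"   # BRIDGE-MIB dot1dTpFdbAddress

# Constructed sample of `snmpwalk -On` output (not captured from a real switch).
SAMPLE_VLANS = """\
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.20 = INTEGER: 1
.1.3.6.1.4.1.9.9.46.1.3.1.1.2.1.1002 = INTEGER: 1
"""
SAMPLE_FDB = """\
.1.3.6.1.2.1.17.4.3.1.1.0.20.34.1.2.3 = Hex-STRING: 00 14 22 01 02 03
.1.3.6.1.2.1.17.4.3.1.1.0.20.34.1.2.4 = Hex-STRING: 00 14 22 01 02 04
"""

def snmpwalk(host, community, oid):
    """Run net-snmp's snmpwalk with numeric OIDs and return its output."""
    cmd = ["snmpwalk", "-v2c", "-c", community, "-On", host, oid]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, timeout=60).stdout

def parse_vlans(walk_text):
    """The VLAN ID is the last index component of each vtpVlanState row."""
    row = re.compile(r"\." + re.escape(VTP_VLAN_STATE) + r"\.\d+\.(\d+) = ")
    vlans = [int(m.group(1)) for m in map(row.match, walk_text.splitlines()) if m]
    # Skip 1002-1005, the default FDDI/Token Ring VLANs.
    return [v for v in vlans if not 1002 <= v <= 1005]

def count_fdb(walk_text):
    """Count learned MACs; an empty VLAN's 'No Such Instance' line is not a row."""
    prefix = "." + DOT1D_TP_FDB_ADDRESS + "."
    return sum(line.startswith(prefix) for line in walk_text.splitlines())

def cam_counts(host, community, walk=snmpwalk):
    """Per-VLAN CAM entry counts, walking the bridge MIB as community@vlan."""
    vlans = parse_vlans(walk(host, community, VTP_VLAN_STATE))
    return {v: count_fdb(walk(host, f"{community}@{v}", DOT1D_TP_FDB_ADDRESS))
            for v in vlans}

def spikes(previous, current, factor=2.0, floor=50):
    """VLANs whose count passed `floor` and grew more than `factor` times."""
    return sorted(v for v, n in current.items()
                  if n >= floor and n > factor * previous.get(v, 0))
```

Run `cam_counts` on a schedule, keep the previous result, and feed both into `spikes` to see which VLAN the new addresses are appearing in.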