MAC address flooding

From Teknologisk videncenter
Jump to: navigation, search

What is MAC address flooding

MAC address flooding is an attack where the attacker sends frames to the switch with random source MAC addresses and flooding the MAC-address table in the switch. The CAM - Content Addressable Memory - gets full, and frames from valid hosts are flooded out of all ports.

Protecting against MAC Address flooding

Is done on a port basis.

Example

Up to five MAC address are allowed on user ports.

Port shutdown

If you want the port to go in err-disabled if more than five MAC-addresses are seen on the port 

Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation shutdown

Allow legal traffic and discard rest. No logging

If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you don't want to log the attempt to use more than five MAC-addresses, use: 

Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation protect

Allow legal traffic and discard rest. SNMP trap logging

If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you want to log the attempt to use more than five MAC-addresses. SNMP traps are sent, use: 

Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation restrict
Retrieved from "http://mars.merhot.dk/w/index.php?title=MAC_address_flooding&oldid=23580"