Difference between revisions of "MAC address flooding"

From Teknologisk videncenter
Jump to: navigation, search
 
m
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
= What is MAC address flooding =
 +
MAC address flooding is an attack where the attacker sends frames to the switch with random ''source MAC addresses'' and flooding the MAC-address table in the switch. The CAM - Content Addressable Memory - gets full, and frames from valid hosts are flooded out of all ports.
 +
 +
= Protecting against MAC Address flooding =
 +
Is done on a port basis.
 +
== Example ==
 +
Up to five MAC address are allowed on user ports.
 +
=== Port shutdown ===
 +
If you want the port to go in '''err-disabled''' if more than five MAC-addresses are seen on the port
 +
<source lang=cli>
 +
Switch(config)# interface range fastethernet 0/1 - 24
 +
Switch(config-if)switchport port-security maximum 5
 +
Switch(config-if)switchport port-security violation shutdown
 +
</source>
 +
 +
=== Allow legal traffic and discard rest. No logging ===
 +
If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you ''don't'' want to log the attempt to use more than five MAC-addresses, use:
 +
<source lang=cli>
 +
Switch(config)# interface range fastethernet 0/1 - 24
 +
Switch(config-if)switchport port-security maximum 5
 +
Switch(config-if)switchport port-security violation protect
 +
</source>
 +
=== Allow legal traffic and discard rest. SNMP trap logging ===
 +
If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you want to log the attempt to use more than five MAC-addresses. [[SNMP]] traps are sent, use:
 +
<source lang=cli>
 +
Switch(config)# interface range fastethernet 0/1 - 24
 +
Switch(config-if)switchport port-security maximum 5
 +
Switch(config-if)switchport port-security violation restrict
 +
</source>
 +
{{Source cli}}
 
[[Category:Cisco]][[Category:CCNA]][[Category:CCNP]][[Category:IOS]][[Category:Network]][[Category:CCNP3]]
 
[[Category:Cisco]][[Category:CCNA]][[Category:CCNP]][[Category:IOS]][[Category:Network]][[Category:CCNP3]]

Latest revision as of 13:04, 11 September 2012

What is MAC address flooding

MAC address flooding is an attack where the attacker sends frames to the switch with random source MAC addresses and flooding the MAC-address table in the switch. The CAM - Content Addressable Memory - gets full, and frames from valid hosts are flooded out of all ports.

Protecting against MAC Address flooding

Is done on a port basis.

Example

Up to five MAC address are allowed on user ports.

Port shutdown

If you want the port to go in err-disabled if more than five MAC-addresses are seen on the port

Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation shutdown

Allow legal traffic and discard rest. No logging

If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you don't want to log the attempt to use more than five MAC-addresses, use:

Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation protect

Allow legal traffic and discard rest. SNMP trap logging

If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you want to log the attempt to use more than five MAC-addresses. SNMP traps are sent, use:

Switch(config)# interface range fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation restrict