Revision as of 06:34, 9 May 2009

What is MAC address flooding

MAC address flooding is an attack where the attacker sends frames to the switch with random source MAC addresses and flooding the MAC-address table in the switch. The CAM - Content Addressable Memory - gets full, and frames from valid hosts are flooded out of all ports.

Protecting against MAC Address flooding

Is done on a port basis.

Example

Up to five MAC address are allowed on user ports.

Port shutdown

If you want the port to go in err-disabled if more than five MAC-addresses are seen on the port

Switch(config)# interface fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation shutdown

Allow legal traffic and discard rest. No logging

If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you don't want to log the attempt to use more than five MAC-addresses, use:

Switch(config)# interface fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation protect

Allow legal traffic and discard rest. SNMP trap logging

If you want the port continue forwarding traffic from five MAC-addresses and discard remaining traffic and you want to log the attempt to use more than five MAC-addresses. SNMP traps are sent, use:

Switch(config)# interface fastethernet 0/1 - 24
Switch(config-if)switchport port-security maximum 5
Switch(config-if)switchport port-security violation restrict

</pre>