This article is the 4th in the Layer 2 security series. We will be discussing a very common layer 2 attack, MAC flooding, and its mitigation, “Port Security MAC limiting”.
Guard; I recommend that you take a quick look at them just to get an overview of layer 2 security.
One of the basic switching functions is to learn which MAC addresses are connected to which port.
The switch keeps monitoring its ports for frames, collects the source MAC addresses and stores them,
along with their corresponding ports and VLANs, in a table called the Content Addressable Memory (CAM) table.
The whole purpose of the CAM table is for the switch to identify which MAC address belongs to which
port, so that when it receives traffic it knows exactly where to send it.
The CAM table building process
Figure – 1 Building CAM Table
Let’s consider this scenario: Hosts A and B are connected to the same switch and start communicating with each other.
- Host A sends traffic to a switch port; most probably this traffic will be an ARP request for Host B’s MAC address.
- The switch checks the frame’s source MAC address and builds an entry in the CAM table for the host’s MAC, port, and VLAN.
- Since ARP is a broadcast, the request goes out to all switch ports.
- Host B receives the ARP request and replies with an ARP reply.
- The switch sees the source MAC address of Host B in the ARP reply and builds an entry for Host B in the CAM.
Note: If the packets sent are not ARP packets and the switch does not know where the destination
host is connected, it will flood the packet to all ports; the destination host will receive the packet and
will know that it is destined to it because the destination MAC address matches its own MAC
address. Once the host starts replying, the switch will take its MAC address and build an entry in
Problem with CAM table
The CAM table is part of the switch’s memory and has limited capacity. Once the CAM is full, the
switch can’t add more MAC addresses, and it will start flooding all packets with unknown
destinations to all ports, turning the expensive switch into a cheap hub.
MAC Flooding attack
An attacker can easily exploit this CAM table problem and take down a switch, or turn it into a hub,
by flooding it with MAC addresses: he starts sending random frames with random source MAC
addresses, and the switch keeps adding entries to the CAM table until it is full and can’t take any more.
There are two issues with this attack: first, the switch’s performance is degraded; second, now that
all packets are flooded to all ports, the attacker is able to capture these packets and analyze them.
Port security is one of the most important layer 2 security techniques; if I were to choose one, I would
definitely go with port security, and that’s because MAC flooding attacks are much easier to perform
The way it works is that it limits the number of MAC addresses allowed on a port based on
the organization’s requirements. For example, if only PCs are connected to the ports, MAC addresses will
be limited to one per port; however, if there is an IP phone connected to the same port, MAC
addresses will be limited to two.
Now, let’s assume we configured port security to limit MAC addresses to one. The first MAC address
that hits the port gets an entry in the CAM table; if the switch receives another MAC address on the
same port, it performs a violation action, which could be drop, log, or shut down the port.
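To make the CAM exhaustion and the MAC-limiting mitigation concrete, here is an added toy switch model (example code written for this article, not from the original post or any vendor). It assumes a single VLAN, a three-port switch with a deliberately tiny CAM of 8 entries, and constructed MAC addresses; the violation modes “log”, “drop” and “shutdown” are modelled as described above.

```python
# Added example (not from the article): a toy switch model that shows CAM learning,
# CAM exhaustion by MAC flooding, and port-security MAC limiting. Single VLAN assumed.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    ports: tuple                                  # e.g. (1, 2, 3)
    cam_capacity: int                             # CAM size; tiny here so it fills quickly
    max_macs: dict = field(default_factory=dict)  # port -> port-security MAC limit
    violation: str = "shutdown"                   # "log", "drop" or "shutdown"
    cam: dict = field(default_factory=dict)       # learned source MAC -> ingress port
    err_disabled: set = field(default_factory=set)
    events: list = field(default_factory=list)    # violation log

    def _within_limit(self, port, src):
        """True if src is already on the port or the port's MAC limit is not yet reached."""
        limit = self.max_macs.get(port)
        on_port = {m for m, p in self.cam.items() if p == port}
        return limit is None or src in on_port or len(on_port) < limit

    def receive(self, port, src, dst):
        """Process one frame on an ingress port; return the set of egress ports."""
        if port in self.err_disabled:
            return set()
        if not self._within_limit(port, src):
            self.events.append(f"violation port={port} mac={src} action={self.violation}")
            if self.violation == "shutdown":
                self.err_disabled.add(port)       # stays down until aging/admin recovery
            if self.violation != "log":
                return set()                      # "drop" and "shutdown" discard the frame
        elif src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = port                  # learn only while the CAM has room
        if dst == BROADCAST or dst not in self.cam:
            return set(self.ports) - {port}       # unknown/broadcast dst: flood like a hub
        return {self.cam[dst]}

def flood_demo(limit=None, violation="shutdown"):
    """Attacker on port 3 sends 20 bogus source MACs; then hosts A (port 1) and B (port 2) talk.
    Returns (A->B frame reached port 3?, CAM entries, number of violations)."""
    sw = Switch(ports=(1, 2, 3), cam_capacity=8,
                max_macs={} if limit is None else {3: limit}, violation=violation)
    for i in range(20):                           # constructed bogus MACs, locally administered
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    a, b = "00:aa:aa:aa:aa:aa", "00:bb:bb:bb:bb:bb"
    sw.receive(1, a, BROADCAST)                   # A's ARP request for B
    sw.receive(2, b, a)                           # B's ARP reply
    return 3 in sw.receive(1, a, b), len(sw.cam), len(sw.events)
```

Without a limit, the attacker’s bogus MACs fill the CAM, A and B are never learned, and A’s frame to B is flooded to the attacker’s port; with a limit of one MAC on port 3, the flood stops at the first violation and A’s traffic goes only to port 2.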
Port security provides many options to support organization requirements:
- Violation actions: log; drop and log; shut down the port, depending on the vendor.
- Sticky/persistent MAC address: the CAM table (like any type of RAM) loses all its data once the switch is rebooted. If the requirement is for the switch to preserve MAC addresses after a reboot, use the sticky/persistent option and the switch will add the MAC addresses to the startup configuration.
- Aging: allows the port to automatically recover from a violation status.
- It’s not recommended to configure port security on trunk ports between switches, although it might be possible, for two reasons:
- Defining the number of MAC addresses can be tricky.
- The other switch will also be configured with port security; hence, there is no point.
- Disable port security if you are going to configure the port for SPAN (Switched Port Analyzer) or add it to a port channel.
In our next article we will be discussing one of the most important and widely used layer 2 protocols: 802.1x.