Ahmed Eldeeb

This article is the 4th in the Layer 2 security series. We will be discussing a very common layer 2 attack, MAC flooding, and its mitigation: port security (MAC limiting).

If you didn’t read the previous 3 articles (DHCP snooping, Dynamic ARP Inspection, and IP Source Guard), I recommend that you take a quick look at them just to get an overview of layer 2 security.

Background

One of the basic switching functions is to learn which MAC addresses are connected to which port. The switch keeps monitoring its ports for frames, collects the source MAC addresses, and stores them along with their corresponding ports and VLANs in a table called the Content Addressable Memory (CAM) table.

The whole purpose of the CAM table is for the switch to identify which MAC address belongs to which port, so that when it receives traffic it knows exactly where to send it.

Building CAM table process

[Figure 1 – Building CAM Table]

Let’s consider this scenario: Hosts A and B are connected to the same switch and start communicating with each other.

  • Host A sends traffic to a switch port; most probably this traffic will be an ARP request for Host B’s MAC.
  • The switch checks the frame’s source MAC address and builds an entry in the CAM table for the host’s MAC, port, and VLAN.
  • Since the ARP request is a broadcast, it will go to all switch ports.
  • Host B will receive the ARP request and reply back with an ARP reply.
  • The switch will see the source MAC address of Host B in the ARP reply and builds an entry for Host B in the CAM table.

Note: If the packets sent were not ARP packets and the switch does not know where the destination host is connected, it will flood the packet to all ports; the destination host will receive the packet and will know that it’s destined for it because the destination MAC address matches its own MAC address. Once the host starts replying, the switch will take its MAC address and build an entry in the CAM table.

Problem with CAM table

The CAM table is a part of the switch memory, and it has limited capacity. Once the CAM is full, the switch can’t add more MAC addresses, and it will start flooding all packets with unknown destinations to all ports, turning the expensive switch into a cheap hub.

MAC Flooding attack

An attacker can easily exploit this CAM table problem and take down a switch or turn it into a hub by flooding it with MAC addresses. He will start sending random frames with random source MAC addresses, and the switch will keep adding entries to the CAM table until it’s full and can’t take any more.

There are two issues with this attack: first, the switch performance is degraded; second, now that all packets are flooded to all ports, the attacker is able to capture these packets and analyze them.

Port Security

Port security is one of the most important layer 2 security techniques; if I were to choose one, I would definitely go with port security, and that’s because MAC flooding attacks are much easier to perform than IP spoofing or MITM.

The way it works is that it limits the number of MAC addresses allowed on the port based on the organization’s requirements. For example, if only PCs are connected to the ports, MAC addresses will be limited to one per port; however, if there is an IP phone connected to the same port, MAC addresses will be limited to two.

Now, let’s assume we configured port security to limit MAC addresses to one. The first MAC address that hits the port gets an entry in the CAM table; if the switch receives a frame with another source MAC address on the same port, it will perform a violation action, which could be drop, log, or shutting down the port.

Deployment Options

Port security provides many options to support organization requirements:

  • Violation actions: log; drop and log; shut down the port, depending on the vendor.
  • Sticky/persistent MAC addresses: the CAM table (like any type of RAM) loses all its data once the switch is rebooted. If the requirement is for the switch to preserve MAC addresses across a reboot, use the sticky/persistent option and the switch will add the MAC addresses to the startup configuration.
  • Aging: allows the port to automatically recover from a violation status.
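Added example (not code from the article): a small Python model of a learning switch that plays through the CAM-building walk-through above, the CAM-full fallback to hub behaviour, the effect of a MAC flood, and port security with the violation actions and aging just listed. The MAC addresses, port numbers, CAM capacity and the action names drop / drop-and-log / shutdown are constructed for the simulation and are not any vendor’s CLI values; nothing here touches a real network.

```python
"""Learning-switch simulation: CAM capacity, MAC flooding, port-security MAC limiting.

Constructed in-memory model with made-up MAC addresses; not the article's own code.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "00:11:22:33:44:01"   # constructed: Host A on port 1
MAC_B = "00:11:22:33:44:02"   # constructed: Host B on port 2


@dataclass
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC address
    vlan: int = 1


class Switch:
    """Minimal learning switch with a bounded CAM table and per-port MAC limiting."""

    def __init__(self, ports, cam_capacity=8):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                 # (mac, vlan) -> port
        self.max_macs = {}            # port -> allowed MAC count (absent = port security off)
        self.violation = {}           # port -> "drop" | "drop-and-log" | "shutdown"
        self.secure_macs = {p: set() for p in self.ports}
        self.shutdown = set()         # ports taken down by a violation
        self.violations = []          # (port, offending mac, action taken)

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.max_macs[port] = maximum
        self.violation[port] = violation

    def recover(self, port):
        """Aging / error-disable recovery: bring a shut port back into service."""
        self.shutdown.discard(port)

    def receive(self, in_port, frame):
        """Process an ingress frame; return the list of egress ports it is sent to."""
        if in_port in self.shutdown:
            return []                 # a shut port passes nothing
        if not self._port_security_allows(in_port, frame):
            return []                 # violation: frame dropped
        self._learn(in_port, frame)
        return self._forward(in_port, frame)

    def _port_security_allows(self, port, frame):
        limit = self.max_macs.get(port)
        if limit is None:
            return True               # port security not enabled on this port
        allowed = self.secure_macs[port]
        if frame.src in allowed:
            return True
        if len(allowed) < limit:
            allowed.add(frame.src)    # the first N source MACs become the secure MACs
            return True
        action = self.violation[port]
        self.violations.append((port, frame.src, action))
        if action == "shutdown":
            self.shutdown.add(port)
        return False                  # "drop" and "drop-and-log" both discard the frame

    def _learn(self, port, frame):
        key = (frame.src, frame.vlan)
        if key in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[key] = port
        # otherwise the CAM is full and the source MAC is simply not learned

    def _forward(self, in_port, frame):
        key = (frame.dst, frame.vlan)
        if frame.dst != BROADCAST and key in self.cam:
            return [self.cam[key]]    # known unicast: one port only
        # broadcast or unknown destination: flood to every other live port
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


def simulate(cam_capacity=4, attacker_frames=0, max_macs=None, violation="shutdown"):
    """Port 3 sends frames with bogus source MACs, then Hosts A (port 1) and B (port 2) talk.

    Returns where the final A -> B unicast frame ends up: [2] means it was switched,
    [2, 3] means the switch flooded it like a hub and port 3 saw it too.
    """
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity)
    if max_macs is not None:
        sw.enable_port_security(3, maximum=max_macs, violation=violation)
    for i in range(attacker_frames):   # constructed bogus source MACs, one per frame
        sw.receive(3, Frame(src=f"de:ad:be:ef:00:{i:02x}", dst=BROADCAST))
    sw.receive(1, Frame(src=MAC_A, dst=BROADCAST))        # Host A: ARP request
    sw.receive(2, Frame(src=MAC_B, dst=MAC_A))            # Host B: ARP reply
    egress = sw.receive(1, Frame(src=MAC_A, dst=MAC_B))   # Host A: unicast to B
    return {
        "cam_entries": len(sw.cam),
        "unicast_egress": egress,
        "port3_shutdown": 3 in sw.shutdown,
        "violations": len(sw.violations),
    }


if __name__ == "__main__":
    for label, kw in [("no attack", {}), ("MAC flood", {"attacker_frames": 4}),
                      ("port security", {"attacker_frames": 4, "max_macs": 1})]:
        print(f"{label:14s} {simulate(**kw)}")
```

Running it prints the three scenarios; the value to watch is unicast_egress. With the CAM full of bogus entries, Host B’s MAC is never learned and the A to B unicast is flooded to port 3 as well, which is the hub behaviour described above. With a limit of one MAC on port 3 the second bogus source triggers the violation action, the flood never fills the CAM, and the unicast goes to port 2 only; recover() stands in for the aging/recovery option.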

Deployment considerations

  • It’s not recommended to configure port security on trunk ports between switches. Although it might be possible to configure port security on a trunk port, it is not recommended for 2 reasons:
  1. Defining the number of MAC addresses can be tricky.
  2. The other switch will also be configured with port security; hence, there is no point.
  • Disable port security if you are going to configure the port for SPAN (Switched Port Analyzer) or add it to a port channel.

In our next article we will be discussing one of the most important and widely used layer 2 protocols: 802.1X.
