What happens if a system on a VLAN is infected by malware or is deliberately running a MAC flooding tool? It can create a massive number of entries in the switch's CAM table. Think of the CAM table as the MAC address table: the switch learns the source MAC of every frame it receives and records which port it arrived on. That memory has a fixed size that depends on the switch platform. If the attacking system floods a HUGE number of different source MAC addresses in Layer 2 frames at the switch, the switch will “learn” as many of them as it can fit into the CAM table. The result is a table overflow, and that overflow leads to two failure scenarios:
- The switch can no longer learn new MAC addresses, so frames destined for unknown addresses are flooded out every port in the VLAN. The switch is now behaving like a hub, and the attacker's sniffer sees traffic between other hosts that it should never have received. This is usually the real goal of the attack, not just a denial of service.
- The churn of learning and aging thousands of new addresses per second loads the switch's control plane, so forwarding and management of the switch degrade.
Either way, the network can crash. Ouch.
A program that performs this MAC flooding is called “macof”. Macof is a member of the Dsniff toolset.
The way to look at the MAC address table on a switch is as follows:
CellSwitch# show mac address-table dynamic
This will output the MAC address table.
What if you want to see the MAC address count? Use the following command:
CellSwitch# show mac address-table count [vlan xxx]
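A flood like the one described above shows up as a sudden jump in the dynamic count and a collapse in the free space. The following script is an added example, not part of the original article: it parses two polls of ‘show mac address-table count’ and raises alerts on a per-VLAN count above a baseline, a large jump between polls, or low remaining table space. The sample output below is constructed to match the Catalyst IOS layout (per-VLAN “Dynamic Address Count” lines and a closing “Total Mac Address Space Available” line); the thresholds are assumed values, so tune them for your own platform and VLAN sizes.

```python
"""Detect a CAM-table flood from two polls of `show mac address-table count`.

Added example (not from the original article). The sample output is
constructed in the Catalyst IOS layout; verify it against your own switch.
"""
import re

# Constructed poll #1: a quiet switch.
POLL_1 = """\
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 12
Static  Address Count  : 0
Total Mac Addresses    : 12

Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count  : 45
Static  Address Count  : 2
Total Mac Addresses    : 47

Total Mac Address Space Available: 8134
"""

# Constructed poll #2, a minute later: macof running on VLAN 10.
POLL_2 = """\
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 12
Static  Address Count  : 0
Total Mac Addresses    : 12

Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count  : 6210
Static  Address Count  : 2
Total Mac Addresses    : 6212

Total Mac Address Space Available: 312
"""


def parse_mac_count(output):
    """Return ({vlan: dynamic_count}, free_entries_or_None) from the show output."""
    counts = {}
    vlan = None
    free = None
    for line in output.splitlines():
        m = re.match(r"\s*Mac Entries for Vlan (\d+):", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"\s*Dynamic Address Count\s*:\s*(\d+)", line)
        if m and vlan is not None:
            counts[vlan] = int(m.group(1))
            continue
        m = re.match(r"\s*Total Mac Address Space Available\s*:\s*(\d+)", line)
        if m:
            free = int(m.group(1))
    return counts, free


def detect_flood(before, after, max_per_vlan=200, jump_per_poll=100, min_free=500):
    """Compare two parsed polls and return a list of alert strings (assumed thresholds)."""
    alerts = []
    before_counts, _ = before
    after_counts, free = after
    for vlan, now in sorted(after_counts.items()):
        prev = before_counts.get(vlan, 0)
        if now > max_per_vlan:
            alerts.append(f"vlan {vlan}: {now} dynamic MACs exceeds baseline of {max_per_vlan}")
        if now - prev >= jump_per_poll:
            alerts.append(f"vlan {vlan}: +{now - prev} MACs since last poll ({prev} -> {now})")
    if free is not None and free < min_free:
        alerts.append(f"switch: only {free} CAM entries free; unknown-unicast flooding is imminent")
    return alerts


if __name__ == "__main__":
    for alert in detect_flood(parse_mac_count(POLL_1), parse_mac_count(POLL_2)):
        print("ALERT", alert)
```

In practice the two polls come from a scheduled SSH or NETCONF job; the point of comparing against the previous poll rather than a fixed ceiling is that a flood is a rate event, and a VLAN can legitimately be large while still never growing by thousands of addresses a minute.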
Usually we only need one or two MAC addresses per access port, but with today's networks becoming more complex (users running VMs, virtual machines, behind a single port), it may be necessary to allow four or five MACs on a switch port.
Here’s an example:
CellSwitch# config t
CellSwitch(config)# interface gig 0/2
CellSwitch(config-if)# switchport mode access
It should be noted that port security can only be enabled on a port whose mode is set explicitly (access or trunk), which is why the access mode is configured first. Once port security is enabled, its default is to allow only 1 MAC address. Let's raise that default to 6 MACs, so continuing our configuration:
CellSwitch(config-if)# switchport port-security
CellSwitch(config-if)# switchport port-security maximum 6
If we stopped here, the default violation mode of shutdown would apply: the moment a seventh MAC address is seen, the switch puts the port into the err-disabled state, and it stays down until an administrator bounces it (shutdown / no shutdown) or errdisable recovery is configured. That is very strict. Let's be a little gentler with the following command, which keeps the first 6 MACs and drops frames from any others:
CellSwitch(config-if)# switchport port-security violation restrict
In restrict mode, frames from unknown MAC addresses are dropped, the port's violation counter increments, and the switch sends an SNMP trap and a Syslog message, but the port stays up. (There is also a protect mode that drops the frames silently with no trap, counter or log; restrict is the better choice when you actually want to know a flood is happening.) That completes the interface configuration.
There are a couple of great show commands you can use:
- To see the port security state of a single port: ‘show port-security interface gig 0/2’, or ‘show port-security’ alone for a summary of every secured port, including the violation count and action for each
- To see the secure MAC addresses and which port each is bound to: ‘show port-security address’
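When port security is deployed across a campus, nobody reads ‘show port-security’ by hand on every switch. The script below is an added example, not part of the original article or Cisco's tooling: it parses the summary table that ‘show port-security’ prints and turns it into triage findings, flagging ports that have already recorded violations and ports sitting at their address limit (where the very next new MAC will trigger the configured action). The sample output is constructed in the Catalyst layout, so check the column layout against your own platform.

```python
"""Triage the summary table printed by `show port-security`.

Added example (not from the original article). The sample output is
constructed in the Catalyst IOS layout; verify it against your own switch.
"""
import re

# Constructed output: Gi0/2 is the port configured in the article, and has
# already logged 13 violations in restrict mode.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              1            1                  0         Shutdown
      Gi0/2              6            6                 13         Restrict
      Gi0/3              2            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 5
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: interface name, max, current, violations, action.
# Header, separator and total lines do not match because they do not start
# with letters immediately followed by digits.
ROW_RE = re.compile(
    r"^\s*(?P<port>[A-Za-z]+\d+(?:/\d+)*)\s+(?P<max>\d+)\s+(?P<cur>\d+)"
    r"\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)


def parse_port_security(output):
    """Return one dict per secured port found in the show output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "port": m["port"],
                "max": int(m["max"]),
                "current": int(m["cur"]),
                "violations": int(m["viol"]),
                "action": m["action"],
            })
    return rows


def triage(rows):
    """Return (port, severity, message) tuples worth a human's attention."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            # Something beyond the allowed MACs already tried to talk on this port.
            sev = "high" if r["violations"] >= 10 else "medium"
            findings.append((r["port"], sev,
                             f"{r['violations']} violations recorded, action {r['action']}"))
        elif r["current"] >= r["max"]:
            # No violation yet, but the limit is full: the next unknown MAC
            # triggers the action, which for Shutdown means an err-disabled port.
            findings.append((r["port"], "info",
                             f"at limit {r['current']}/{r['max']}; next new MAC triggers {r['action']}"))
    return findings


if __name__ == "__main__":
    for port, sev, msg in triage(parse_port_security(SHOW_PORT_SECURITY)):
        print(f"{sev:6} {port:8} {msg}")
```

A port in restrict mode with a climbing violation counter is the signature of a macof run that port security has contained; a port in shutdown mode that has simply vanished from the table (because it went err-disabled) is better caught from the syslog message or ‘show interfaces status err-disabled’ than from this summary, since the summary only lists ports that are up and secured.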
We hope this helps you understand this feature and its usage.