MAC address table overflow attack
Ahmed Shawky
Network Security Engineer| CCNP, NSE4, Palo Alto, MCSA, SENSS, SIMOS, SISAS
MAC address table overflow attack (MAC address flooding):-
A MAC table overflow attack floods the switch with frames carrying a large number of bogus source MAC addresses until the CAM (MAC address) table is full. Once the switch can no longer learn new addresses, frames destined for stations it does not know are flooded out every port in the VLAN, so the switch behaves like a hub and the threat actor can capture traffic that would normally be forwarded only to its destination port.
The Mitigation:-
Port security:
- Allows an administrator to statically specify the MAC addresses permitted on a port, or to let the switch dynamically learn a limited number of MAC addresses.
- Limits how many MAC addresses can be learned on a single access switch port, so a flood of bogus source addresses cannot exhaust the MAC address table.
The violation: -
A security violation occurs when the port has already reached its maximum number of secure MAC addresses and a frame arrives from a source MAC address that is not one of them (or when a secured address appears on another secure port in the same VLAN). What the switch does next depends on the configured violation mode: protect (drop the offending frames silently), restrict (drop them, log the event and increment the violation counter) or shutdown (the default: place the port in the err-disabled state).
The configuration: -
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 120
What each line does:
- switchport mode access: makes the port a static access port; port security is rejected on a DTP dynamic port.
- switchport port-security: enables port security on the interface (the default maximum is 1 address and the default violation mode is shutdown).
- switchport port-security maximum 2: allows at most two secure MAC addresses on the port (for example an IP phone and the PC behind it).
- switchport port-security violation shutdown: on a violation the port is placed in the err-disabled state and must be brought back manually (shutdown / no shutdown) or by errdisable recovery.
- switchport port-security mac-address sticky: dynamically learned addresses are converted to sticky secure addresses and added to the running-config, so they survive a link flap; save the configuration to keep them across a reload.
- switchport port-security aging time 120: dynamically learned secure addresses age out after 120 minutes, freeing the slot for a new station.
Note:-
Port security cannot be enabled on a port that is in dynamic (DTP) mode; the switch rejects the command. Set the port to switchport mode access (or trunk) first.
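A quick way to find the ports that are still exposed is to audit the running-config rather than checking interfaces one by one. The script below is an added example, not part of the original article or of any Cisco tool: it parses the interface blocks of an IOS running-config (SAMPLE_CONFIG is a constructed sample, not a capture from a real switch), flags access ports without port security, flags ports left in DTP dynamic mode where the command would be rejected, and notes where the IOS defaults (maximum 1, violation shutdown) are being relied on implicitly. Treating a port with no "switchport mode" line as dynamic mode is an assumption made for the example.

```python
"""Audit a Cisco IOS running-config for port-security coverage.

Added example, not from the original article. It parses the interface
blocks of a running-config and reports access ports that are still open
to MAC table flooding, plus ports left in DTP dynamic mode, where IOS
rejects port-security. SAMPLE_CONFIG is a constructed sample, not a
capture from a real switch.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 switchport port-security aging time 120
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
!
"""

# Assumption for this example: a port with no `switchport mode` line is
# treated as DTP dynamic mode (the factory default on common Catalyst
# access switches).
DEFAULT_MODE = "dynamic auto"


@dataclass
class Port:
    name: str
    mode: str = DEFAULT_MODE
    port_security: bool = False
    maximum: int | None = None
    violation: str | None = None
    sticky: bool = False
    aging_time: int | None = None


def parse_interfaces(config: str) -> list[Port]:
    """Split a running-config into Port objects, one per interface block."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        header = re.match(r"^interface (\S+)$", raw)
        if header:
            current = Port(name=header.group(1))
            ports.append(current)
            continue
        if not raw.startswith(" "):      # `!` or a top-level command ends the block
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if m := re.match(r"switchport mode (.+)$", cmd):
            current.mode = m.group(1)
        elif cmd == "switchport port-security":
            current.port_security = True
        elif m := re.match(r"switchport port-security maximum (\d+)", cmd):
            current.maximum = int(m.group(1))
        elif m := re.match(r"switchport port-security violation (\w+)", cmd):
            current.violation = m.group(1)
        elif cmd == "switchport port-security mac-address sticky":
            current.sticky = True
        elif m := re.match(r"switchport port-security aging time (\d+)", cmd):
            current.aging_time = int(m.group(1))
    return ports


def audit_port(port: Port) -> list[str]:
    """Return findings for one port; an empty list means it is hardened."""
    findings: list[str] = []
    if port.mode.startswith("trunk"):
        return findings                  # uplinks are out of scope for this check
    if port.mode.startswith("dynamic"):
        # Matches the article's note: IOS rejects port-security on DTP ports.
        findings.append("DTP dynamic mode: port-security is rejected; set switchport mode access")
        return findings
    if not port.port_security:
        findings.append("no port-security: the port can learn an unbounded number of MACs")
        return findings
    if port.maximum is None:
        findings.append("INFO: maximum not set, IOS default of 1 secure address applies")
    if port.violation is None:
        findings.append("INFO: violation mode not set, IOS default of shutdown applies")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map every switchport in the config to its list of findings."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


def exposed_ports(config: str) -> list[str]:
    """Ports with at least one non-informational finding (open to MAC flooding)."""
    return sorted(
        name for name, fs in audit_config(config).items()
        if any(not f.startswith("INFO") for f in fs)
    )


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:22} {status}")
```

Feed it the output of "show running-config" saved to a file instead of SAMPLE_CONFIG and the ports listed by exposed_ports are the ones where the configuration above still needs to be applied; the INFO lines point at ports that work only because of the defaults and should be made explicit.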