MAC Address Flooding
MAC Address flooding results in a switch‘s CAM table overflow, which causes flooding of regular data frames out all switch ports. This attack can be launched for the malicious purpose of collecting a broad sample of traffic or as a denial of service (DoS) attack.
A switch has a limited CAM table and can only contain a limited number of entries at one time. If for example an intruder at the beginning of a work day floods a switch with invalid MAC entries then until the invalid entries expire the switch will flood all frames out all ports. This has two negative effects:
- Switch traffic is inefficient and voluminous
- The attacker/intruder connected to a switch port and capture traffic that is not normally seen on that port.
Mitigation of this attack is to configure port-security and defining the number of MAC addresses allowed on a given port. Port security can also specify the MAC addresses allowed on a port.
This is a feature of Cisco Catalyst Switches, it is a security feature that restricts a switch port to a specific number of MAC addresses. These MAC addresses can be dynamically learned or statically configured. When configured the switch will only allow frames on those ports from the configured MAC addresses.
NB if you configure 4 MAC addresses and don’t specify them, the switch will learn 4 addresses dynamically. Those 4 will then be the MAC addresses allowed.
A feature (on some platforms) combine statically configured and dynamically learnt addresses. When configured an interface converts dynamically learnt addresses to “sticky secure” addresses. This adds those addresses to the config as if they were added by switchport port-security mac-address
Port Security – Configuration
Enable Port Security on the Switch:
switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport port-security
Set the maximum number of MAC addresses that will be allowed on the port (default is one)
switch(config-if)#switchport port-security maximum value
Be sure to set this value to 2 when you have a Cisco IP Phone and a desktop attached to a switchport. I know I didn’t do this and it resulted in a port security violation. My bad.
Now Option 1 you can set whether the MAC address(es) learnt must be aged out after X time
switch(config-if)#switchport port-security aging 1-1024
Now optional 2 specify the MAC addresses that will be allowed on the port (this can also be dynamically learnt thats why its optional)
switch(config-if)#switchport port-security mac-address mad-address
switch(config-if)#switchport port-security mac-address mad-address
Finally set the action to be taken if something goes wrong (mac address attack)
switch(config-if)#switchport port-security violation {shutdown/restrict/protect}
Protect Mode drops the frame and leaves no syslog message, Restrict mode drops the frame and logs the drop + a SMTP trap is sent, and finally shutdown logs + SMTP traps + errdisables the interface (CAT OS, Cisco IOS).
Port security has a feature called “sticky MAC address” that can limit switch port access to a single, specific MAC address without the network administrator having to gather MAC addresses of every legitimate device and manually associate it with a particular switch port (This cannot be used where Voice VLANs are in use).
switch(config-if)#switchport port-security mac-address sticky
Last but not least lets check port-security:
switch(config)#show port-security
Authentication, authorization and accounting (AAA) network security services provide a framework through which acess control is set up on a network. Authentication is the way a user is identified before being allowed access to the network and network services. AAA authentication is configured by defining a list of named authentication methods and then applying that list to various interfaces. The list defined the type of authentication (enable password, Kerberos 5, Kerberos 5-Telnet Authentication, Line Password, Local database, Local database with case sensitive, No Authentication, RADIUS, TACACS+) to be performed and the sequence in which they will be performed.
The only exception is the “default” list. The default list is automatically applied to all interfaces if no other method/list is defined. A defined method/list overrides the default list.
802.1x
IEEE 802.1x defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. Until a workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port. After authentication normal traffic can pass through.
With 802.1x port-based authentication, the devices in the network have specific port roles:
Client: the end-device that requests access to the LAN and switch. The end-device must be running 802.1x compliant software. (the port the end-device (client) is attached to is the supplicant)
Authentication server: performs the actual authentication. The server authenticates the identity of the client and lets the switch know whether to let the end-device access the LAN. As the switch is acting as a proxy the authentication service is transparent to the end-device. The RADIUS security system with Extensible Authentication Protocol (EAP) is the only supported authentication server.
Switch (authenticator): controls physical access onto the network. Acts as an intermediary (proxy service) between client and authentication server. The switch uses a RADIUS software agent responsible for encapsulating and decapsulating EAP frames and interacting with the authentication server.
802.1x Configure
Enable AAA
switch#configure terminal
switch(config)#aaa new-model
You Radius Server Location
switch(config)#radius-server host 000.000.000.000auth-port port key auth-key
Create a 802.1x port-based authentication method list
switch(config)#aaa authentication dot1x default group radius
Globally configure 802.1x port-based autnetication
switch(config)#dot1q system-auth-control
OR enter enable 802.1x on an interface
switch(config)#interface gigabitethernet 0/1
switch(config-if)#dot1x port-control auto
Definition
Content Addressable Memory (CAM)is a specialized type of memory think of it as the opposite of Random Access Memory (RAM). With RAM an Operating Sysem (OS) provides an address, and receives the data stored at the supplied address. With CAM, the OS supplies the data, and the CAM returns a list of addresses where the data is stored, if any. Also a CAM searches the entire memory in one operation therefore is faster than RAM.
Binary CAMssearch only for 1 and 0′s (ON or OFF). A MAC address table in switches commonly get stored inside binary CAMs (sometimes even called a CAM Table).
A Ternary CAM (TCAM)allows the OS to match a third state, “X.” The “X” state is a “mask” and could be anything. Routers can store their entire routing table in these TCAMs, allowing for very quick lookups.
Notes and Notices:
This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.