Technical Manual

Cisco Catalyst 3550 Series Switches
Cisco Catalyst 3560 Series Switches
Cisco Catalyst 3560-E Series Switches
Cisco Catalyst 3750-E Series Switches
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
Like routers, Layer 2 and Layer 3 switches have their own set of network security requirements.
Switches are susceptible to many of the same Layer 3 attacks as routers. However, switches, and Layer 2 of
the OSI reference model in general, are also exposed to attacks that do not apply to routers. These include:
Content Addressable Memory (CAM) Table Overflow
Content Addressable Memory (CAM) tables are limited in size. If enough entries are added to the
CAM table before older entries expire, the table fills up to the point that no new entries can be
accepted. Typically, a network intruder floods the switch with frames that carry a large number of
bogus (usually random) source Media Access Control (MAC) addresses until the CAM table is full. Once
that occurs, the switch can no longer learn the MAC addresses of legitimate hosts, so it cannot find the
port for a given destination MAC address and floods such frames out every port in the VLAN. The
switch, in essence, acts like a hub, and the intruder can capture traffic intended for other hosts. If
the intruder does not keep up the flood of bogus source MAC addresses, the switch eventually ages out
the older entries from the CAM table and begins to act like a switch again. A CAM table overflow only
causes flooding within the local VLAN, so the intruder only sees traffic within the VLAN to which he
or she is connected.
The CAM table overflow attack can be mitigated by configuring port security on the switch. Port
security allows either the specific MAC addresses permitted on a switch port or the maximum number of
MAC addresses the port is allowed to learn to be configured. When a MAC address that is not permitted
on the port is detected (a port security violation), the switch can either drop frames from the
offending MAC address or shut down the port. Statically specifying the MAC address on every switch
port is far too unmanageable a solution for a production environment. Limiting the number of MAC
addresses a switch port can learn is manageable, and this dynamic form of port security is the more
administratively scalable option. In order to implement dynamic port security, enable port security
on the port and specify the maximum number of MAC addresses that the port will learn.
Media Access Control (MAC) Address Spoofing
Media Access Control (MAC) spoofing attacks involve the use of the known MAC address of another
host in an attempt to make the switch forward frames destined for that host to the network attacker
instead. A single frame sent with the source Ethernet address of the other host is enough for the
attacker to overwrite the CAM table entry, so that the switch now forwards frames destined for that
host to the attacker's port. Until the legitimate host sends traffic, it receives none. When the host
sends traffic again, the CAM table entry is rewritten once more and moves back to the original port.
Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability
to specify the MAC address of the system connected to a particular port, so that a frame with that
source address arriving on any other secured port is treated as a violation. It also provides the
ability to specify the action the switch takes when a port security violation occurs.
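The following configuration is an added example for both mitigations above (dynamic port security against
CAM table overflow, and a static secure MAC address against MAC spoofing). It is not taken from the original
document. The interface names, VLAN numbers, descriptions and the MAC address (which is from the IANA
documentation range) are assumed for illustration; adjust them to the switch model and ports in use.

```cisco
! Let a port that was error-disabled by a port security violation recover
! automatically after 300 seconds instead of requiring a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Dynamic port security on user access ports (interface range is assumed).
! The port learns at most two MAC addresses (for example an IP phone and a PC);
! a third source MAC is dropped and logged ("restrict") rather than shutting
! the port down, and idle secure addresses age out after 10 minutes so that
! a replaced PC does not trigger a violation indefinitely.
interface range GigabitEthernet1/0/1 - 24
 description User access port (hypothetical)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Static secure MAC address on a port that always has the same host behind it.
! A frame carrying 0000.5e00.5301 (hypothetical, IANA documentation range) on
! any other port-security-enabled port, or any other source MAC on this port,
! is a violation; "shutdown" error-disables the port until recovery.
interface GigabitEthernet1/0/48
 description Server with a fixed MAC address (hypothetical)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation shutdown
!
! Verification: per-port status, violation counters and the secure address table,
! plus the CAM table utilization that a flooding attack drives toward its limit.
! show port-security
! show port-security interface GigabitEthernet1/0/48
! show port-security address
! show mac address-table count
! show errdisable recovery
```

The three violation modes differ in visibility: protect silently drops frames from offending MAC addresses,
restrict drops them and also increments the violation counter and generates a syslog message and SNMP trap,
and shutdown error-disables the port. Where the address is not known in advance, "switchport port-security
mac-address sticky" records whatever MAC address the port learns first into the running configuration; the
caveat is that an attacker who is plugged in before the legitimate host becomes the trusted address. Port
security also cannot separate two hosts that share one port, for example behind an unmanaged hub: the switch
sees both MAC addresses on the same port, so the CAM entry never moves and the attacker on that segment
sees the victim's frames regardless.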
Address Resolution Protocol (ARP) Spoofing
ARP is used to map IP addresses to MAC addresses within a local area network segment where hosts of
the same subnet reside. Normally, a host sends out a broadcast ARP request to find the MAC address