MAC Address, ARP, and DHCP Vulnerabilities
MAC spoofing – man in the middle attacks

MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the targeted host to the network attacker. By sending a single frame with the source MAC address of the targeted host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the targeted host to the network attacker. The targeted host will not receive any traffic until it sends traffic. When the targeted host sends out traffic, the CAM table entry is rewritten once more so that it associates the MAC address back to the original port.

Figure shows how MAC spoofing works. In the beginning the switch has learned that Host A is on port 1, Host B is on port 2, and Host C is on port 3. Host B sends out a packet identifying itself with the IP address of Host B but with MAC address of Host A. This traffic causes the switch to move the location of Host A in its CAM table from port 1 to port 2. Traffic from Host C destined to Host A is now visible to Host B.