MAC Address, ARP, and DHCP Vulnerabilities
Mitigating the CAM table overflow attack

The CAM table overflow attack can be mitigated by configuring port security on the switch. This feature allows either the explicit specification of the MAC addresses permitted on a particular switch port or a limit on the number of MAC addresses that a switch port can learn. When an invalid MAC address is detected on the port, the switch can either block the offending MAC address or shut down the port.

Specifying every MAC address on every switch port is far too unmanageable a solution for a production environment. Limiting the number of MAC addresses on a switch port is manageable. A more administratively scalable solution is to implement dynamic port security on the switch: specify a maximum number of MAC addresses that the port will learn, as shown in Figure.

Port Security
Port security allows administrators to specify MAC addresses for each port or to permit a limited number of MAC addresses. When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or learned on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port shuts down permanently, shuts down for a specified period of time, or drops incoming packets from the insecure host. The behavior of the port depends on how it is configured to respond to a security violator. The default behavior is to shut down permanently.

Cisco recommends configuring the port security feature to shut down the port on a violation rather than to drop packets from insecure hosts with the restrict option. The restrict option may fail under the load of an attack, in which case the port is disabled anyway.

To restrict traffic through a port by limiting and identifying the MAC addresses of the stations allowed to access the port, perform the tasks shown in Figure.

Verify the Port Security Configuration
There are two commands for checking the port security configuration:

switch#show port-security interface interface_id

This command displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.

switch#show port-security address

This command lists the secure MAC addresses on all switch ports, showing for each address its VLAN, its type (static, dynamic, or sticky), the port it belongs to, and its remaining age.
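The configuration tasks referenced above and the two verification commands, written out as an added example of dynamic port security on one access port (not the figure's own content or Cisco's documentation); the interface name FastEthernet0/1, the limit of two addresses, and the 300-second errdisable recovery interval are assumed values.

```cisco
! Added example: dynamic port security on one access port (interface and values assumed)
switch# configure terminal
switch(config)# interface FastEthernet0/1
switch(config-if)# switchport mode access
! Enable port security; the default violation mode is shutdown
switch(config-if)# switchport port-security
! Learn at most two MAC addresses on this port
switch(config-if)# switchport port-security maximum 2
! Write learned addresses into the running configuration so they survive a save and reload
switch(config-if)# switchport port-security mac-address sticky
! Shut down the port on a violation (recommended over restrict, which only drops frames)
switch(config-if)# switchport port-security violation shutdown
switch(config-if)# exit
! Optional: bring a violated port back up after 300 seconds instead of leaving it down permanently
switch(config)# errdisable recovery cause psecure-violation
switch(config)# errdisable recovery interval 300
switch(config)# end
! Verify the settings, the violation count, and the secure addresses
switch# show port-security interface FastEthernet0/1
switch# show port-security address
```

Without the errdisable recovery lines the port stays down after a violation until an administrator clears it manually.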
