The CAM table-overflow attack can be mitigated by configuring port
security on the switch. This feature allows the administrator either to
specify the MAC addresses permitted on a particular switch port or to cap the
number of MAC addresses that a switch port is allowed to learn. When a frame
with a MAC address that is not permitted arrives on the port, the switch can
either drop traffic from the offending MAC address or shut down the port.
Statically specifying every MAC address on every switch port is far too
unmanageable for a production environment. Limiting the number of MAC
addresses that a port can learn is manageable. The most administratively
scalable solution is dynamic port security: the switch learns the first
addresses it sees on the port, up to a configured maximum, and treats those as
the secure addresses. To implement dynamic port security, specify the maximum
number of MAC addresses that will be learned, as shown in the figure.
Port Security
Port security allows administrators to specify the MAC addresses
permitted on each port, or to permit a limited number of MAC addresses. When a
secure port receives a frame, the source MAC address of the frame is compared
to the list of secure source addresses that were manually configured or learned
on the port. If the address is not in that list (or the port has already learned
its maximum and a new address appears), a security violation occurs and the
port either shuts down permanently (violation mode shutdown, which places the
port in the errdisable state), shuts down for a specified period of time
(shutdown combined with errdisable recovery), or drops incoming frames from the
insecure host while the port stays up (violation modes restrict and protect;
restrict also increments the violation counter and generates a syslog message,
protect drops silently). The behavior of the port depends on how it is
configured to respond to a security violation. The default behavior is to shut
down permanently.
Cisco recommends configuring port security to shut down the port on a
violation rather than to drop frames from insecure hosts through the
restrict option. Under the load of a flooding attack the restrict action
may fail to keep up, and the port ends up being disabled anyway, so shutting
it down immediately gives the same result with a clear, logged state.
To restrict traffic through a port by limiting and identifying the MAC
addresses of the stations allowed to access the port, perform the tasks shown
in the figure.
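The dynamic port-security procedure referred to above, written out as an added
example (this is not configuration from the original page). The interface
name, the access VLAN and the limit of two addresses are assumptions; the
commands themselves are standard Cisco IOS port-security commands.

```cisco
! Added example, not from the original page. Interface, VLAN and the
! maximum of 2 addresses are assumptions chosen for illustration.
Switch# configure terminal
Switch(config)# interface FastEthernet0/1
! Port security is only accepted on a port that is statically access
! (or trunk); it is rejected on a port left in dynamic (DTP) mode.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Enable port security and cap the number of learned addresses.
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
! Shut the port (errdisable) on a violation, as the text recommends,
! instead of relying on restrict under attack load.
Switch(config-if)# switchport port-security violation shutdown
! "Sticky" learning writes the dynamically learned addresses into the
! running configuration so they survive a link flap or a reload (after
! a write memory) without having to type every address by hand.
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
!
! Optional: turn "shut down permanently" into "shut down for a period"
! by letting the switch recover the port automatically after 5 minutes.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
!
! Verification after a host has been connected.
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
```

After a violation the Port Status field of `show port-security interface`
reads Secure-shutdown and the interface shows err-disabled in `show
interfaces status`. Without errdisable recovery, an administrator must issue
`shutdown` followed by `no shutdown` on the interface to bring it back.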
Verify
the Port Security Configuration
Use the following commands to check the port security configuration:
switch#show port-security [interface interface_id]
Without the interface keyword, this command displays a summary table of
port security settings for every secure port on the switch: the maximum
allowed number of secure MAC addresses, the number of secure MAC addresses
currently on the port, the number of security violations that have occurred,
and the violation mode (security action). With interface interface_id it
displays the detailed settings and state for that one port, including whether
port security is enabled, the port status (for example Secure-up or
Secure-shutdown), the aging settings, the last source address seen and the
violation count.
switch#show port-security address
This command displays the secure MAC address table: for each secure address
the VLAN, the MAC address, its type (SecureConfigured for statically entered
addresses, SecureDynamic for learned addresses, SecureSticky for learned
addresses written to the configuration), the port it is bound to, and the
remaining aging time, followed by the total number of secure addresses in the
system and the system-wide limit.
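A small audit over the summary table that `show port-security` prints, as an
added example (not code from the original page). The sample output embedded
below is constructed for illustration, laid out like the Catalyst summary
table; the three checks (violations recorded, violation mode other than
shutdown, secure address table at capacity) are choices made here, not rules
from the page.

```python
"""Parse the summary table of 'show port-security' and flag ports that need
attention. Added example; the sample output is constructed, not captured."""
import re

# Constructed sample of 'show port-security' output (not from a real switch).
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Shutdown
      Fa0/2              1            1                  3         Restrict
      Fa0/3              1            0                  0          Protect
      Gi0/1              8            8                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 8
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One table row: port name, three integer counters, then the action word.
# Header, separator and footer lines do not match because their second
# column is not an integer.
ROW_RE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)"
    r"\s+(?P<action>\S+)\s*$"
)


def parse_port_security(output):
    """Return one dict per secure port found in the summary table."""
    ports = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ports.append({
            "port": m.group("port"),
            "max": int(m.group("max")),
            "current": int(m.group("cur")),
            "violations": int(m.group("viol")),
            "action": m.group("action").lower(),
        })
    return ports


def audit(ports):
    """Return (port, reason) findings an operator would want to review."""
    findings = []
    for p in ports:
        if p["violations"] > 0:
            # Violations have already happened on this port; look at
            # 'show port-security interface' for the last source address.
            findings.append((p["port"],
                             f"{p['violations']} violation(s) recorded"))
        if p["action"] != "shutdown":
            # The text recommends shutdown over restrict/protect because the
            # drop-based modes may not hold up under a flooding attack.
            findings.append((p["port"],
                             f"violation mode is '{p['action']}', not shutdown"))
        if p["current"] >= p["max"]:
            # Table is full: the next new source address is a violation.
            findings.append((p["port"],
                             f"secure address table full ({p['current']}/{p['max']})"))
    return findings


if __name__ == "__main__":
    for port, reason in audit(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{port}: {reason}")
```

In practice the output would come from an SSH session or a network
automation library rather than the embedded string; the parser is
independent of how the text was obtained.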