2025-04-04 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
MAC layer attacks - MAC address flooding
The most common layer 2 attack, or attack against a switch, is MAC flooding. The attacker sends frames carrying a large number of invalid source MAC addresses, which causes the switch's CAM table to overflow. Once the table is full, the switch can no longer learn new legitimate entries, and because it cannot find the port for a destination MAC address in its MAC address table, it floods those frames to all other ports, which degrades throughput for every user on the network.
An attacker can use MAC flooding to cause a denial of service (DoS), or to capture packets from the whole network.
The capacity of the CAM table varies with the switch model. A commonly used Catalyst access-layer switch holds 8192 entries; the current count can be viewed with the following command:
Switch# show mac-address-table count
The aging time of MAC addresses is 300 seconds by default and can be viewed with the following command:
Switch# show mac-address-table aging-time
Attack steps
1. The attacker sends many frames with different source MAC addresses.
2. Within a short time the CAM table of the switch fills up and can no longer accept new entries. The attack has to be sustained; otherwise the CAM table empties again as the MAC addresses age out.
3. The switch begins to flood every frame it receives to all ports, so an attacker on any port can receive all packets in the network.
Defensive measures
Limit the specific MAC addresses, or the number of MAC addresses, allowed on a switch port. The switch can learn the addresses automatically, or you can configure them manually.
Step 1: enable port security. Port security cannot be enabled on a port in dynamic mode; set the port mode to access first.
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# int fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Step 2: set the maximum number of MAC addresses allowed on the interface to 4 (the default is 1).
Switch(config-if)# switchport port-security maximum 4
Step 3: specify the MAC addresses allowed on the interface. This is optional; if no address is specified, the port automatically learns any four MAC addresses and serves only those four.
Switch(config-if)# switchport port-security mac-address H.H.H
Step 4: enable aging for the statically configured secure addresses on the port. When port security is enabled on a switch port, the MAC addresses learned by that port do not age out by default.
Switch(config-if)# switchport port-security aging static
Step 5: define what the interface does when a disallowed MAC address attempts to send through it.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
protect: frames from unauthorized addresses are discarded, but no log message is created for the violation.
restrict: frames from unauthorized addresses are discarded, a log message is created and an SNMP trap is sent.
shutdown: the default mode. When the switch receives a frame from an unauthorized address on the port, it places the port in the err-disabled state, logs the event and sends an SNMP trap; the administrator must re-enable the port manually or use the errdisable recovery feature.
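The following model ties the two halves of the text together: the CAM table with the 8192-entry capacity and 300-second aging described above, and the port-security limit with its three violation modes. It is an added example written for this page, not code from the original article or from Cisco; the Switch and PortSecurity classes, the port names Fa0/1 to Fa0/3 and all MAC addresses are this example's own construction. It shows that unlimited source learning lets one port fill the table so that legitimate traffic is flooded, while "maximum 4" with "violation shutdown" stops the same stream at the fifth address and leaves the table usable.

```python
"""Model of CAM learning, aging and port security (added example, not the
article's code). Capacity, aging default and violation modes follow the text;
classes, port names and MAC addresses are constructed for the example."""
from dataclasses import dataclass, field

CAM_CAPACITY = 8192   # entries on the Catalyst access switch named in the text
AGING_TIME = 300      # default MAC aging time in seconds
HOST = "00:00:5e:00:53:01"    # constructed: legitimate host on Fa0/1
SERVER = "00:00:5e:00:53:02"  # constructed: server on Fa0/2


@dataclass
class PortSecurity:
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)


class Switch:
    def __init__(self, capacity=CAM_CAPACITY, aging=AGING_TIME):
        self.capacity, self.aging = capacity, aging
        self.cam = {}            # mac -> (port, last_seen)
        self.security = {}       # port -> PortSecurity
        self._last_aged = None

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.security[port] = PortSecurity(maximum, violation)

    def _age_out(self, now):
        # Drop entries not refreshed within the aging time (once per timestamp).
        if now == self._last_aged:
            return
        self._last_aged = now
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items() if now - t < self.aging}

    def _allowed(self, port, src):
        """Apply port security to a source MAC; False means the frame is dropped."""
        ps = self.security.get(port)
        if ps is None or src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)           # learned as a secure address
            return True
        ps.violations += 1
        if ps.violation == "restrict":   # drop, log, send SNMP trap
            ps.log.append(f"violation on {port} from {src}")
        elif ps.violation == "shutdown": # drop, log, port goes err-disabled
            ps.log.append(f"{port} err-disabled after frame from {src}")
            ps.err_disabled = True
        return False                     # protect: dropped silently

    def receive(self, port, src, dst, now):
        """Process one frame; return 'dropped', 'flood' or the egress port."""
        ps = self.security.get(port)
        if ps is not None and ps.err_disabled:
            return "dropped"
        self._age_out(now)
        if not self._allowed(port, src):
            return "dropped"
        # Source learning: refresh an existing entry, or add one if there is room.
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (port, now)
        # Destination lookup: an unknown destination is flooded to all other ports.
        entry = self.cam.get(dst)
        return entry[0] if entry else "flood"


def bogus_mac(i):
    """Constructed i-th invalid source address used by the flooding port Fa0/3."""
    return f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}"


def flood_without_port_security(frames=CAM_CAPACITY):
    """Table is filled from Fa0/3; host-to-server traffic is then flooded."""
    sw = Switch()
    for i in range(frames):
        sw.receive("Fa0/3", bogus_mac(i), "ff:ff:ff:ff:ff:ff", now=0)
    sw.receive("Fa0/2", SERVER, HOST, now=1)   # server cannot be learned: table full
    return sw.receive("Fa0/1", HOST, SERVER, now=1)


def flood_with_port_security(frames=CAM_CAPACITY):
    """Same stream with 'maximum 4' and 'violation shutdown' on every port."""
    sw = Switch()
    for p in ("Fa0/1", "Fa0/2", "Fa0/3"):
        sw.enable_port_security(p, maximum=4, violation="shutdown")
    for i in range(frames):
        sw.receive("Fa0/3", bogus_mac(i), "ff:ff:ff:ff:ff:ff", now=0)
    sw.receive("Fa0/2", SERVER, HOST, now=1)
    decision = sw.receive("Fa0/1", HOST, SERVER, now=1)
    ps = sw.security["Fa0/3"]
    return decision, ps.err_disabled, ps.violations, len(sw.cam)


def aging_example(gap):
    """Forwarding decision for server-to-host after `gap` seconds of host silence."""
    sw = Switch()
    sw.receive("Fa0/1", HOST, SERVER, now=0)
    return sw.receive("Fa0/2", SERVER, HOST, now=gap)


if __name__ == "__main__":
    print(flood_without_port_security(), flood_with_port_security())
    print(aging_example(100), aging_example(AGING_TIME + 1))
```

Without port security the final call returns "flood": the table already holds 8192 addresses from Fa0/3, so neither the host nor the server is ever learned. With port security Fa0/3 contributes only four entries and goes err-disabled on the fifth, the violation counter stops at 1 because later frames are discarded before inspection, and host-to-server traffic is switched to Fa0/2. The aging calls show the second reason step 2 above says the attack must be sustained: after more than 300 seconds of silence the host's entry is gone and its traffic is flooded again until it is relearned.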
Checking the port security configuration
Administrators can use the command "show port-security" to see which ports have port security enabled.
Add the interface parameter to view the output for a specific interface:
You can also use the address keyword to view the secure entries in the MAC address table. Note: the Remaining Age column shows no value, because by default the MAC addresses learned by a port do not age out while port security is enabled on that port. This column is filled in only after an aging time has been configured for the interface, with the command: switchport port-security aging time 300.
The following command shows the MAC addresses currently connected to the port:
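As an added example of turning the "show port-security" summary into something an administrator can act on, the script below parses the table and flags ports that have used up their secure addresses or recorded violations. It is not code from the original article; the sample output is constructed in the shape of the command's summary table (Secure Port, MaxSecureAddr, CurrentAddr, IgnoredAddr, SecurityViolation, Security Action), and the port names and counts in it are invented.

```python
"""Parse the summary table of 'show port-security' and flag ports to inspect.
Added example, not the article's code; SAMPLE_OUTPUT is constructed."""
import re

SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  IgnoredAddr  SecurityViolation  Security Action
                (Count)       (Count)       (Count)
---------------------------------------------------------------------------
      Fa0/1              4            4           0                  0          Shutdown
      Fa0/2              4            1           0                  3          Restrict
      Fa0/3              1            0           0                 12          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port name, four integer counters, then the action keyword.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$")


def parse_port_security(text):
    """Return one dict per secure port found in the table."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue   # header, separator and totals lines do not match
        name, maximum, current, ignored, violations, action = m.groups()
        ports.append({
            "port": name,
            "max": int(maximum),
            "current": int(current),
            "ignored": int(ignored),
            "violations": int(violations),
            "action": action.lower(),
        })
    return ports


def review(ports):
    """Flag ports at their address limit or with violations recorded."""
    findings = []
    for p in ports:
        if p["current"] >= p["max"]:
            findings.append(f"{p['port']}: all {p['max']} secure address(es) in use")
        if p["violations"] > 0:
            note = " (check for err-disabled)" if p["action"] == "shutdown" else ""
            findings.append(
                f"{p['port']}: {p['violations']} violation(s), action {p['action']}{note}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_port_security(SAMPLE_OUTPUT)):
        print(finding)
```

A port at its limit is not necessarily a problem, but it is where the next new device will trigger a violation, so it is worth knowing before the help-desk call. A port in shutdown mode with a non-zero violation count is likely sitting in err-disabled and needs either a manual re-enable or errdisable recovery, as described in step 5 above.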
Port security using sticky MAC addresses
The port security described above mitigates MAC address spoofing by limiting the number of MAC addresses per switch port, but it does not tie the port to specific MAC addresses.
The strictest form of port security allows only specified MAC addresses on each port. This creates many access problems, and the administrator's workload also has to be considered. The sticky MAC address feature solves this problem well.
With sticky MAC addresses the switch port learns MAC addresses automatically. This both restricts the port to accepting only the specific MAC address it learned and removes the need for the administrator to collect the MAC addresses of all legitimate devices and bind them to switch ports by hand, which greatly reduces the administrator's workload.
Command: Switch(config-if)# switchport port-security mac-address sticky
Principle: with sticky MAC addresses the switch port learns a MAC address automatically, then remembers it and stores it in the running configuration as a static entry, treating it as the only MAC address that port security allows on that port. If the switch is restarted, the MAC address has to be learned again.
Note:
1. The interface converts all dynamic secure MAC addresses into sticky secure MAC addresses, including addresses learned dynamically before sticky learning was enabled.
2. The switch adds sticky secure MAC addresses to the running configuration, not to the startup configuration, unless the administrator copies the running configuration to the startup configuration. Once saved in the startup configuration, the MAC addresses do not need to be relearned after the switch restarts.
3. This command cannot be used on a voice VLAN interface.
As shown in the following figure, the Type entry has changed from "SecureDynamic" to "SecureSticky".
As shown in the following figure, the MAC address learned by the switch port is stored in the running configuration as a static entry.
Block unicast flooding on ports that do not need it
By default, when the switch does not know the destination MAC address of a received frame, it floods the frame to all ports in the VLAN of the receiving port.
However, some ports do not need to receive flooded traffic: ports with a manually configured MAC address, and ports with port security enabled on which a secure MAC address has been configured or the allowed number of MAC addresses has already been learned. Blocking flooding on such ports reduces unnecessary traffic.
The switch can block both the flooding of unknown unicast destination MAC addresses and the flooding of unknown multicast destination MAC addresses.
Syntax: