
How to prevent MAC Flooding?

Hi Friends,

I am studying the ICND1 book for CCNA; there is a quiz question, see the attached pic.

First, my question is: how can a switch forward a frame that has the same source and destination MAC address?

Second question: can port security commands prevent this MAC flooding, or do we need something else to stop it?
 
I would love to have  nice & "practical" answers for my two queries from you peeps :)

NOTE ( NO LINKS please)
 

Thanks
 Ashu
1.JPG

Commented:
OK, for question one, it is a security-related attack. Basically, this attack consumes the small amount of memory the switch has to store MAC address info, with the ultimate agenda to force the switch into a mode unlike a hub (all data down all ports) where packet sniffing software can then be used to grab sensitive info.

Second question, check out:
sh mac-address-table unicast-flood
should give you some info on limiting or prevention.

Author

Commented:
REN501

Thanks for replying, but my

1. question is "HOW" can a switch forward a frame that has the same source and destination MAC address? Can you tell me "HOW" it's done?

2. sh mac-address-table unicast-flood: this command is not there in Packet Tracer, so I can't test it!!
Commented:
Well, how: the attack would most likely have to come from a machine directly accessible to the switch, either hacked or exploited in some way. Then all that needs to be done is to spoof the MAC address and flood the switch with packets.

This will probably explain the bit I'm missing out.

http://www.ciscozine.com/2009/01/05/protecting-against-mac-flooding-attack/

Top Expert 2010
Commented:
>First of my question is how can a switch forward a frame that is having same source and dest MAC address?

The switch is only doing what it was designed to do (when an Ethernet frame arrives at the ingress of a switchport, it is read into a buffer, the destination address is compared with an internal table of known MAC addresses (CAM/MAC table), and a decision is made as to whether to drop the frame or forward it to another switchport); it does not care about the source MAC address for forwarding a frame. Learning, yes, but not forwarding. The frame will egress out on Fa0/13. Also note that a frame is never forwarded out the same port the frame was received on. For example, find some references that discuss cut-through switching (I would post a link, but you specifically did not want any links posted). Essentially, in theory, cut-through switching allows the switch to start forwarding a frame before the whole frame has been received (how? As soon as the destination address is processed). This is still true today: by design, a frame is forwarded based on the destination address.

Hope this helps with your question number 1.

Author

Commented:
ty rfc1180 <--- I love your name, it concludes the whole of TCP/IP lol

What about the second query :) ?
Top Expert 2010

Commented:
acl-puzz, thanks! I believe the second query was already addressed by giving you a link; essentially, the whole point of MAC flooding is obviously to consume memory and CPU resources, and the best and quickest way to avoid this is to only assign the MAC addresses that are supposed to be on the ports:

switchport port-security would be your solution to prevent the MAC Flooding

as indicated in the link that ReN501 gave you.

Good Luck
Billy
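To make both answers concrete, here is a small simulation that is not part of the thread and not anyone's real switch code: a toy learning switch that forwards on the destination MAC only, learns from the source MAC, never sends a frame back out its ingress port, has a bounded CAM table, and optionally enforces a per-port MAC limit in the style of port-security. The port names and MAC addresses are constructed for the example. Two simplifications are assumptions of this model rather than documented IOS behaviour: the destination lookup is done before the source MAC is learned (which is what makes the quiz frame with identical source and destination leave on the port where that MAC was learned earlier, as rfc1180 describes), and a full CAM table simply stops learning new entries.

```python
from collections import OrderedDict

FLOOD = "FLOOD"   # send out every port except the ingress port
DROP = "DROP"     # filter the frame


class Switch:
    """Toy model of a learning switch with a bounded CAM table and an
    optional per-port MAC limit in the style of IOS port-security.
    Model assumptions (not real IOS internals): destination lookup happens
    before source learning, a full CAM table stops learning, and a
    port-security violation err-disables the port ('shutdown' mode)."""

    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()            # MAC -> port
        self.ps_max = port_security_max     # None = port-security disabled
        self.secure_macs = {p: set() for p in ports}
        self.err_disabled = set()

    def receive(self, ingress, src, dst):
        """Process one frame; return the egress port, FLOOD or DROP."""
        if ingress in self.err_disabled:
            return DROP
        # Port-security counts distinct *source* MACs per port, which is
        # exactly the field a flooding tool randomises.
        if self.ps_max is not None:
            seen = self.secure_macs[ingress]
            if src not in seen:
                if len(seen) >= self.ps_max:
                    self.err_disabled.add(ingress)   # violation: shut the port
                    return DROP
                seen.add(src)
        # The forwarding decision uses the destination MAC only ...
        decision = self.cam.get(dst, FLOOD)
        if decision == ingress:
            decision = DROP   # ... and never goes back out the ingress port
        # ... while learning uses the source MAC (if the table has room).
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = ingress
        return decision


def quiz_scenario():
    """Frame whose source and destination MAC are identical: the switch
    looks the destination up, finds it on Fa0/13 (learned earlier) and
    forwards it there; the source only matters for learning."""
    sw = Switch(["Fa0/1", "Fa0/13"], cam_capacity=4)
    sw.receive("Fa0/13", src="aaaa.0000.0001", dst="ffff.ffff.ffff")  # learn A on Fa0/13
    return sw.receive("Fa0/1", src="aaaa.0000.0001", dst="aaaa.0000.0001")


def flood_attack(cam_capacity=8, attacker_frames=20):
    """No port-security: bogus source MACs from Fa0/3 fill the CAM table, so
    a station that has not yet been learned stays unknown and unicast traffic
    to it is flooded to every port, including the attacker's."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity)
    for i in range(attacker_frames):
        sw.receive("Fa0/3", src=f"0200.dead.{i:04x}", dst="ffff.ffff.ffff")
    sw.receive("Fa0/2", src="0000.0c00.0002", dst="ffff.ffff.ffff")   # victim, not learned
    return sw.receive("Fa0/1", src="0000.0c00.0001", dst="0000.0c00.0002")


def flood_with_port_security(cam_capacity=8, attacker_frames=20):
    """Same attack with a one-MAC limit per port: the second spoofed source
    MAC err-disables Fa0/3, the CAM table stays small and the victim's
    traffic is delivered only to its own port."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity, port_security_max=1)
    for i in range(attacker_frames):
        sw.receive("Fa0/3", src=f"0200.dead.{i:04x}", dst="ffff.ffff.ffff")
    sw.receive("Fa0/2", src="0000.0c00.0002", dst="ffff.ffff.ffff")
    egress = sw.receive("Fa0/1", src="0000.0c00.0001", dst="0000.0c00.0002")
    return {"egress": egress,
            "attacker_port_err_disabled": "Fa0/3" in sw.err_disabled,
            "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    print("quiz frame egress:", quiz_scenario())
    print("flooding, no port-security:", flood_attack())
    print("flooding, port-security max 1:", flood_with_port_security())
```

The last two functions are the defender's comparison: with the same twenty spoofed frames, the unprotected table ends up full and the victim's unicast is flooded, while the per-port limit shuts the offending port after its second source MAC and leaves the table with only the three legitimate entries.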