CAM table overflows are typically considered an attack of the past; however, that does not mean we should forget about them. After all, once a vulnerability has been found, we cannot assume that future devices won't be vulnerable to the same threat. In short, a CAM table overflow is an attack in which the attacker floods a switch's MAC address table with bogus addresses, forcing the switch into a state where it floods all traffic out all ports. This can create a DoS condition or allow the attacker to sniff traffic.
The best solution to this vulnerability is Port Security, and the configuration is quite simple; all you need is a Cisco switch. Below we will walk through setting up port security on 24 ports to allow a maximum of 2 MAC addresses, to save the already existing MAC addresses, and to shut down the port if a violation occurs.

Default configuration: Please note that by default Port Security is set to memorize only one MAC address and to shut down the port if a violation occurs.

moses-switch> enable
moses-switch# configure terminal
moses-switch(config)# ! grouping the range of ports, from 1 to 24
moses-switch(config)# int range gigabitEthernet0/1-24
moses-switch(config-if-range)# ! setting all of the ports to be access mode
moses-switch(config-if-range)# switchport mode access
moses-switch(config-if-range)# ! setting the maximum number of MAC addresses allowed
moses-switch(config-if-range)# switchport port-security maximum 2
moses-switch(config-if-range)# ! saving the already existing MAC addresses for port security
moses-switch(config-if-range)# switchport port-security mac-address sticky
moses-switch(config-if-range)# ! setting the ports to shut down if more than two MAC addresses are received
moses-switch(config-if-range)# switchport port-security violation shutdown
moses-switch(config-if-range)# ! lastly, starting up the service itself
moses-switch(config-if-range)# switchport port-security

Now please note that you can enable port security on a trunk; however, regardless of the port type it must be static, meaning that the switchport cannot be set to dynamic. In addition, please note that while this example shuts down the port, in an enterprise environment it might be best to restrict or protect the port instead and set up an SNMP trap to alert an administrator of a potential problem. Also please note that this is just the tip of the iceberg, as port security can even rate limit and limit the number of MAC addresses saved for a VLAN.
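As an added example that is not part of the original post, here is a small Python audit that reads a saved running-config (the sample below is constructed, not from a real switch) and flags interfaces where the configuration above would not actually protect the port: either the enabling `switchport port-security` line is missing, so the maximum/sticky/violation settings are inert, or the port is in dynamic (DTP) mode rather than the static mode port security requires.

```python
from typing import Dict, List

# Constructed sample of a Cisco IOS running-config (not from a real device).
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security maximum 2
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 switchport port-security
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group config lines under their 'interface X' stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_port_security(config: str) -> Dict[str, List[str]]:
    """Return findings per interface explaining why port security would not take effect."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        problems = []
        # The bare 'switchport port-security' line enables the feature;
        # maximum/sticky/violation settings do nothing without it.
        if "switchport port-security" not in lines:
            problems.append("port-security not enabled")
        # Port security requires a static access or trunk port, not DTP dynamic mode.
        if any(l.startswith("switchport mode dynamic") for l in lines):
            problems.append("dynamic (DTP) mode; port-security requires a static port")
        if problems:
            findings[name] = problems
    return findings
```

Run against the sample, only GigabitEthernet0/1 passes; the other two interfaces are reported with the reason they are still exposed.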