CEH


228 Chapter 9 ■ Sniffers


Mitigating MAC Flooding


You can mitigate the CAM table-overflow attack by configuring port security on the
switch. Port security lets you restrict a switchport to specific MAC addresses, cap the
number of MAC addresses the port is allowed to learn, or both, so an attacker cannot fill
the CAM table with bogus source addresses and force the switch to flood every frame out
of every port.

Cisco IOS Mitigation
Listing 9.1 shows a sample of configuration options on the Cisco IOS.

Listing 9.1: Configuration of a Cisco device

switch(config-if)# switchport mode access
!Set the interface mode as access; port security is only supported on access
!and trunk ports, not on dynamic (DTP-negotiated) ports!

switch(config-if)# switchport port-security
!Enable port security on the interface!

switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }
!Allow a specific MAC address (entered as H.H.H), or with sticky learn the first
!MAC address seen on the interface and add it to the running-config as a secure
!address (save the config to keep it across a reload)!

switch(config-if)# switchport port-security maximum <max_addresses>
!Set the maximum number of MAC addresses the port may learn (default 1)!

switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
!protect silently drops frames from unknown MAC addresses once the limit is
!reached; restrict drops them and also logs, sends an SNMP trap, and increments
!the violation counter; shutdown places the port in the err-disabled state!

Cisco recommends the shutdown option, which is also the default. An err-disabled port
stays down until an administrator bounces it with shutdown / no shutdown or the switch
is configured for automatic recovery with errdisable recovery cause psecure-violation.
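To confirm the mitigation above is actually applied on every access port, the following audit script is an added example, not code from the book or from Cisco: it parses the text of a Cisco IOS show running-config (the configuration embedded in it is constructed for the example, as are the interface names and the function names) and reports each access port that either has no port security or uses the protect violation mode, which drops offending frames without logging and so hides an attack in progress. The defaults it assumes when a keyword is absent (maximum 1, violation shutdown) are the IOS defaults.

```python
"""Audit a Cisco IOS running-config for access ports without port security.

Added example (not from the book). Parses `show running-config` text and
reports, per access-mode interface, whether port security is enabled, the
address limit, the violation mode, and whether the port is adequately
protected against a CAM table-overflow attack.
"""
import re

# Constructed sample configuration; interface names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

# IOS defaults applied when the keyword is omitted after `switchport port-security`.
DEFAULT_MAXIMUM = 1
DEFAULT_VIOLATION = "shutdown"


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # a '!' separator or global line ends the stanza
    return interfaces


def audit_port_security(config):
    """Return {name: {...}} for each access port with its port-security settings."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        enabled = "switchport port-security" in lines
        maximum = DEFAULT_MAXIMUM
        violation = DEFAULT_VIOLATION
        sticky = False
        for entry in lines:
            m = re.match(r"switchport port-security maximum (\d+)", entry)
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\w+)", entry)
            if m:
                violation = m.group(1)
            if entry == "switchport port-security mac-address sticky":
                sticky = True
        results[name] = {
            "enabled": enabled,
            "maximum": maximum,
            "violation": violation,
            "sticky": sticky,
            # protect drops frames silently with no log or counter, so the
            # attack goes unnoticed; only restrict and shutdown are accepted.
            "ok": enabled and violation in ("restrict", "shutdown"),
        }
    return results


def unprotected_ports(config):
    """Sorted names of access ports that fail the audit."""
    return sorted(n for n, r in audit_port_security(config).items() if not r["ok"])


if __name__ == "__main__":
    for name, r in audit_port_security(SAMPLE_CONFIG).items():
        status = "OK " if r["ok"] else "FIX"
        print(f"{status} {name}: enabled={r['enabled']} max={r['maximum']} "
              f"violation={r['violation']} sticky={r['sticky']}")
```

Run against the constructed sample it flags GigabitEthernet1/0/2 (no port security at all) and GigabitEthernet1/0/3 (protect mode) and passes GigabitEthernet1/0/1; feed it the saved output of show running-config from a real switch to audit a production device.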

Juniper Mitigation
Listing 9.2 shows configuration options for Juniper.

Listing 9.2: Configuration Options for Juniper

[edit ethernet-switching-options secure-access-port]
root@switch# set interface { <interface> | all } mac-limit <limit> action { none | drop | log | shutdown }

# Set the maximum number of MAC addresses that may be learned on the interface
# (or on all interfaces) and what happens when that limit is exceeded: none takes
# no action, drop discards frames from any further addresses, log forwards them
# but records the event, and shutdown disables the interface.

On EX Series switches this statement lives under the [edit ethernet-switching-options
secure-access-port] hierarchy shown above; releases that use the Enhanced Layer 2 Software
(ELS) CLI express the same limit as set switch-options interface <interface>
interface-mac-limit <limit> packet-action <action>.