Mitigating CAM Table Overflow Attacks

You can mitigate CAM table overflow attacks in several ways. One of the primary ways is to configure port security on the switch. You can apply port security in three ways:

• Static secure MAC addresses: A switch port may be manually configured with the specific MAC address of the device that connects to it.

• Dynamic secure MAC addresses: The maximum number of MAC addresses that will be learned on a single switch port is specified. These addresses are learned dynamically, stored only in the address table, and removed when the switch restarts.

• Sticky secure MAC addresses: The MAC addresses on a given port, up to the configured maximum, may be dynamically learned or manually configured. Manual configuration is not recommended because of its high administrative overhead. Sticky addresses are stored in the address table and added to the running configuration. If the addresses are saved in the configuration file, the interface does not need to relearn them dynamically when the switch restarts.

The action taken when a port security violation occurs falls into one of the following three categories:

• Protect: If the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until enough secure MAC addresses are removed or the number of allowable addresses is increased. No notification of the security violation is generated in this mode.

• Restrict: If the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until some secure MAC addresses are removed or the maximum number of allowable addresses is increased. In this mode, a security notification is sent to the Simple Network Management Protocol (SNMP) server (if configured) and a syslog message is logged. The violation counter is also incremented.

• Shutdown: If a port security violation occurs, the interface changes to the error-disabled state and the port LED is turned off. The switch sends an SNMP trap, logs a syslog message, and increments the violation counter.
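The following Cisco IOS configuration is an added example, not part of the original text; it applies each of the three port-security methods and each violation mode described above to a different access port. The interface names, the maximum counts and the MAC address 0011.2233.4455 are placeholders chosen for illustration.

```cisco
! Added example; interface names and the MAC address are placeholders.

! Static secure MAC address: one known device, port goes err-disabled on violation
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown

! Dynamic secure MAC addresses: learn up to 2 addresses, then drop silently
! (no SNMP trap, no syslog, counter not incremented)
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect

! Sticky secure MAC addresses: learned addresses are written into the
! running configuration; extra addresses are dropped, logged and counted
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict

! Optional: let a port shut down by a violation recover after 300 seconds
! instead of requiring a manual shutdown / no shutdown
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end

! Save the running configuration so sticky addresses survive a reload
copy running-config startup-config

! Verify per-port state: violation mode, secure address count and
! the violation counter all appear in this output
show port-security interface GigabitEthernet0/3
show port-security address
```

The bounded per-port maximum is what defeats the overflow: a flood of forged source addresses cannot push the port past its limit, so legitimate entries in the CAM table are not evicted.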
