
Does having VLAN help prevent MAC Flooding?


When we speak about MAC flooding, almost everyone with information security insight knows what it is. What does one achieve with MAC flooding? There are various ways of looking at it.

Take an enterprise-class switch and look at the specs for how many MAC addresses the switch can store in its cache. It is interesting to revisit the already known (but less thought about) fact that a switch cannot learn MAC addresses indefinitely; the simple reason is that it is impossible! A Cisco Catalyst 6500 switch can store ~130,000 MAC cache entries. What happens when all of them are filled up? The switch cannot store any newly learned MAC address and stops adding to the cache, which in turn means that when traffic meant for such a MAC address comes in, it is flooded across all the ports!

On such a massive switch, everyone obviously uses VLANs. So in theory, traffic in one VLAN is not seen by another VLAN. However, if we think about the lines above: if MAC flooding happens in VLAN 1, hosts in VLAN 2 would be able to see all traffic in VLAN 2 (in spite of having a switch with a 5-digit/6-digit price tag). Reason? Simple:

The MAC cache limit defined in a switch is not VLAN specific; it applies to the entire switch fabric. So if the MAC cache limit is 10 entries, then after 10 entries, flooding would happen in all the other VLANs too for any newly learned MAC address.

Example:

Take a switch which can hold 10 MAC cache entries. There are 3 VLANs with 4 ports each; call them VLAN1, VLAN2 and VLAN3.

So if from port 1 in VLAN1 we were to flood and fill all 10 entries, the traffic flooding happens not only in VLAN1. Reason: if a new host comes up on port 1 of VLAN 2, the switch cannot store its MAC address since the cache is full, and is going to flood any traffic for that MAC when it comes around.

Bottom line: if the MAC cache is filled, everyone connected to the switch suffers and VLANs do not HELP! At that point, $50,000 SWITCH = $10 HUB.

Of course VLAN 2 doesn't see anything from VLAN 1; however, every port in VLAN 2 sees everything that is happening in VLAN 2 (the communication of all the 3 other ports).

That calls for Layer-2 security, for one aspect.

Well, Google for it and you can get any number of tools to do it, so I'm not going to write it down here.

How do you prevent it? MAC security. The simple fix is to bind just 1 MAC address per port. Well, it is easier said than done. On earlier switches you have to do it manually. Now consider doing it for 348 ports? However much you pay, the guy ain't gonna do it unless it is his head at stake :-)

The good news is that newer switches can dynamically learn one MAC address and then lock it down. Once that is in place, only the problems that arise from a host changing port need to be addressed. However, with technology changes (think of an IP phone + desktop plugged into 1 port), it gets a bit ugly! Some switches do offer to learn a limited number of MAC addresses instead of just 1. All this comes with some cost obviously: CPU load!
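To make the two points above concrete (the shared MAC cache in the 10-entry / 3-VLAN example, and the per-port MAC limit as the fix), here is an added toy model of a switch; it is not code from the original post, and the switch class, port layout and MAC addresses are all constructed for illustration.

```python
from collections import defaultdict

class Switch:
    """Toy switch: ONE CAM table shared by all VLANs, optional port-security limit."""

    def __init__(self, cam_capacity, port_vlan, max_macs_per_port=None):
        self.cam_capacity = cam_capacity
        self.port_vlan = port_vlan                  # port number -> VLAN id
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = {}                               # (vlan, mac) -> port
        self.per_port = defaultdict(set)            # port -> MACs learned on it
        self.violations = []                        # (port, mac) rejected by port security

    def _learn(self, port, mac):
        """Record the source MAC; returns False only when port security rejects it."""
        vlan = self.port_vlan[port]
        if (vlan, mac) in self.cam:
            return True
        limit = self.max_macs_per_port
        if limit is not None and len(self.per_port[port]) >= limit:
            self.violations.append((port, mac))     # drop instead of learning a new MAC
            return False
        if len(self.cam) < self.cam_capacity:       # a full CAM simply stops learning
            self.cam[(vlan, mac)] = port
            self.per_port[port].add(mac)
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Egress ports for a frame; an empty set means it was dropped."""
        if not self._learn(in_port, src_mac):
            return set()
        vlan = self.port_vlan[in_port]
        if (vlan, dst_mac) in self.cam:
            return {self.cam[(vlan, dst_mac)]}
        # unknown destination: flood, but only to the ports of the same VLAN
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}

def run_scenario(max_macs_per_port=None):
    """The post's setup: 10-entry CAM, 3 VLANs x 4 ports, flooding from port 1 (VLAN1)."""
    port_vlan = {p: (p - 1) // 4 + 1 for p in range(1, 13)}   # 1-4 VLAN1, 5-8 VLAN2, 9-12 VLAN3
    sw = Switch(cam_capacity=10, port_vlan=port_vlan, max_macs_per_port=max_macs_per_port)
    host5, host6 = "02:00:00:00:00:05", "02:00:00:00:00:06"    # constructed VLAN2 hosts
    for i in range(10):                                         # 10 constructed spoofed sources
        sw.forward(1, f"02:00:00:00:01:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.forward(5, host5, host6)          # host5 sends; can its MAC still be learned?
    return {
        "cam_entries": len(sw.cam),
        "violations": len(sw.violations),
        "to_host5": sw.forward(6, host6, host5),   # where does a frame for host5 end up?
    }
```

Without a port limit, `run_scenario()` fills the cache from VLAN1 and a frame for host5 is flooded to every other VLAN2 port (but never into VLAN1 or VLAN3); with `max_macs_per_port=1` the spoofed sources are dropped as violations, host5 is learned, and the frame goes to port 5 only.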

  1. October 27th, 2010 at 12:02 | #1

    That's too nice; when it comes to India, hope it can make a rocking place for youngsters.. hope that comes true.
