Configuring Port Security to Prevent MAC Address Table Attack

To make forwarding decisions, a switch records the source MAC address of every frame it receives, together with the interface the frame arrived on, in its MAC address table (also called the CAM table). When a later frame is destined to that MAC address, the switch looks the address up in the table and forwards the frame out of the associated interface only, rather than out of every port.

The MAC address of a host's network interface can be changed manually. If the address is changed and the same device sends another frame through the same switch interface, the switch learns the new address as well, so more than one MAC address can end up associated with a single interface.

There are legitimate reasons to change a host's MAC address, but an attacker can abuse the learning process by sending frames with a constantly changing source MAC address, filling the table until the switch can store no more entries. Once the table is full, the switch can no longer learn the addresses of legitimate hosts, and frames destined to an address it does not know are flooded out of every port in the VLAN, including the attacker's. The attacker can then capture traffic that would never normally reach their port and use it to launch further attacks. This is the MAC address table overflow attack, and tools such as macof automate it.

To mitigate this, port security is configured on the switch interfaces to limit the number of MAC addresses that may be learned on each interface. If the limit is exceeded, the interface takes the configured violation action; with the default shutdown mode, the interface is placed in the err-disabled state and stops forwarding altogether.
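The simulation below, added here as an illustration and not code from the original post, models a tiny switch MAC address table and replays what the two paragraphs above describe: a macof-style flood arriving on one port, first with no port security and then with port security (maximum 1, sticky learning) on that port, plus the behaviour of the three violation modes protect, restrict and shutdown. The switch model, the 8-entry table size and every MAC address are constructed for the example.

```python
"""Simulated switch MAC address table under a macof-style flood, with and
without port security on the attacker's port. Added example, not code from the
original post: the switch model, the 8-entry table and all MAC addresses are
constructed for illustration."""
from collections import OrderedDict
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Port:
    name: str
    secure: bool = False           # switchport port-security
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # sticky-learned secure addresses
    violations: int = 0            # "Security Violation Count"
    err_disabled: bool = False     # Port Status : Secure-shutdown


class Switch:
    def __init__(self, table_size):
        self.table_size = table_size     # CAM capacity; tiny so the flood is cheap
        self.table = OrderedDict()       # source MAC -> name of the port it was learned on

    def age_out(self, mac):
        """The aging timer (300 s by default on IOS) expired for this entry."""
        self.table.pop(mac, None)

    def _learn(self, src, port_name):
        if src in self.table or len(self.table) < self.table_size:
            self.table[src] = port_name
        # A full table learns nothing new: that is what the flood relies on.

    def _port_security(self, port, src):
        """Return None if the frame may pass, otherwise the reason it is dropped."""
        if not port.secure or src in port.secure_macs:
            return None
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src)    # sticky: the learned address becomes secure
            return None
        if port.violation == "protect":
            return "protect"             # silent drop, no counter, no syslog
        port.violations += 1             # restrict and shutdown both count the event
        if port.violation == "restrict":
            return "restrict"            # drop plus syslog/SNMP trap, port stays up
        port.err_disabled = True         # shutdown: the whole port goes err-disabled
        for mac in [m for m, p in self.table.items() if p == port.name]:
            del self.table[mac]          # and its learned entries are flushed
        return "shutdown"

    def receive(self, port, src, dst):
        """Process one frame: ("forward", out_port), ("flood", None) or ("drop", reason)."""
        if port.err_disabled:
            return ("drop", "err-disabled")
        reason = self._port_security(port, src)
        if reason:
            return ("drop", reason)
        self._learn(src, port.name)
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            return ("flood", None)       # unknown unicast goes out every port in the VLAN
        return ("forward", out)


def demo(port_security_on):
    """Flood from Ethernet0/0 and report what happens to server -> victim traffic."""
    sw = Switch(table_size=8)
    attacker = Port("Ethernet0/0", secure=port_security_on)
    victim, server = Port("Ethernet0/1"), Port("Ethernet0/2")
    victim_mac, server_mac = "0200.0000.0001", "0200.0000.0002"

    # Normal traffic first, so the switch learns victim and server on their ports.
    sw.receive(victim, victim_mac, server_mac)
    sw.receive(server, server_mac, victim_mac)

    def burst(first, count):      # macof: every frame carries a fresh source MAC
        return [sw.receive(attacker, f"0200.0000.{i:04x}", BROADCAST)
                for i in range(first, first + count)]

    results = burst(0x10, 32)
    sw.age_out(victim_mac)        # the victim's entry expires while the flood continues
    results += burst(0x30, 16)
    sw.receive(victim, victim_mac, server_mac)   # the victim tries to be relearned

    return {
        "table_full": len(sw.table) >= sw.table_size,
        "frames_dropped": sum(1 for r in results if r[0] == "drop"),
        "violations": attacker.violations,
        "attacker_port_err_disabled": attacker.err_disabled,
        "server_to_victim": sw.receive(server, server_mac, victim_mac),
    }


if __name__ == "__main__":
    print("no port security:", demo(False))
    print("port security   :", demo(True))
```

Without port security the table fills, the victim's entry cannot be relearned after it ages out, and the server's frames to the victim are flooded out of every port, the attacker's included. With port security the second spoofed source address already trips the violation, the attacker's port is err-disabled, the table never fills, and server-to-victim traffic is forwarded to Ethernet0/1 only. The model follows IOS in that protect mode neither logs nor counts, while restrict and shutdown both increment the violation counter.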

In this post, I will show you how to configure port security on a switch to prevent MAC address table attacks.

Network Topology

The network topology used for this demonstration is shown below. It consists of a switch and an attacker using Kali Linux to launch a MAC address table attack against the switch's e0/0 interface. In this demonstration, we will configure port security on the switch's e0/0 interface to protect the switch from the attack.

[Figure: network topology for switch port security]

How to configure a switch to prevent a MAC address table attack

Here are steps to configure a switch to mitigate MAC address table attacks.

Step 1: Shut down all switch interfaces not in use

The first step to prevent a MAC address table attack is to shut down every interface of the switch that is not in use, so that an attacker who finds a live wall port cannot use it. You can do this by entering interface configuration mode for each unused interface and issuing the shutdown command.

Step 2: Configure port security on the switch

Enter the following commands on the switch to configure port security on the interface the host connects to:

SW(config)#interface ethernet 0/0
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security maximum 1
SW(config-if)#switchport port-security mac-address sticky
SW(config-if)#switchport port-security violation shutdown

Here is a brief explanation of each of the above commands:

  1. switchport mode access: This command statically configures the interface as an access port, which carries a single VLAN with untagged frames. Port security can only be enabled on a port that is statically configured as an access or trunk port; it is rejected on a port left in dynamic (DTP negotiation) mode, which is why this command comes first.
  2. switchport port-security: This command enables port security on the interface. Port security restricts the number of MAC addresses allowed to send traffic through the interface; on its own it applies the defaults of a maximum of one MAC address and the shutdown violation mode.
  3. switchport port-security maximum 1: This command sets the maximum number of secure MAC addresses allowed on the interface to 1 (the default, written out here to make it explicit). Only one source MAC address can send traffic through this interface; a second one counts as a violation. Raise the value where more than one device legitimately sits behind the port, for example an IP phone with a PC connected to it.
  4. switchport port-security mac-address sticky: This command enables sticky MAC address learning. The switch dynamically learns the source MAC address of the first device seen on the interface (up to the maximum) and writes it into the running configuration as a static secure address. Save the configuration (copy running-config startup-config) if the learned address should survive a reload; otherwise it is relearned after the next reboot, and whatever device happens to be connected at that moment becomes the secure address.
  5. switchport port-security violation shutdown: This command selects what happens when a violation occurs, that is, when a frame arrives from a MAC address that is not one of the secure addresses and the maximum has already been reached, or when a secure address learned on one port is seen on another. There are three modes. protect silently drops the offending frames and keeps no record of them; restrict drops them but logs a syslog message, sends an SNMP trap and increments the violation counter; shutdown (the default, and the strictest) additionally puts the interface into the err-disabled state so that all traffic on it stops. An err-disabled interface stays down until an administrator issues shutdown followed by no shutdown on it, or until errdisable recovery cause psecure-violation is configured and the recovery timer expires.

Step 3: Display the port-security details

SW#show port-security interface ethernet0/0

Port Security              : Enabled <--
Port Status                : Secure-up
Violation Mode             : Shutdown <--
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1 <--
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aabb.cc00.1a10:1
Security Violation Count   : 0
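If you manage more than a handful of switches you will want to check this output automatically rather than by eye. The script below, added here as an example and not part of the original post, parses the field/value lines of show port-security interface and flags what is worth acting on: port security not enabled, the silent protect mode, a maximum higher than policy allows, a non-zero violation count, and a port already in the err-disabled state (which IOS reports as a Port Status of Secure-shutdown). The embedded sample is reconstructed from the output above without the arrow markers; the policy limit, the finding codes and the messages are the example's own assumptions.

```python
"""Audit the output of 'show port-security interface' on a Cisco IOS switch.
Added example, not from the original post. SAMPLE is reconstructed from the
page's own output; the policy threshold and finding codes are assumptions."""
import re

# Constructed from the page's sample output (arrow markers removed).
SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aabb.cc00.1a10:1
Security Violation Count   : 0
"""

# IOS prints "Field <padding> : Value". The field name itself can contain a
# colon (Last Source Address:Vlan), so split only on the space-padded colon.
FIELD_LINE = re.compile(r"^(.+?)\s+:\s+(.+?)\s*$")


def parse_port_security(text):
    """Return a dict of the fields, with purely numeric values converted to int."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def audit(fields, max_allowed=1):
    """Compare the parsed fields against a hardening policy; return (code, message) findings."""
    if fields.get("Port Security") != "Enabled":
        return [("NOT_ENABLED", "port security is not enabled on this interface")]
    findings = []
    if fields.get("Violation Mode") == "Protect":
        findings.append(("SILENT_MODE",
                         "violation mode 'protect' drops offending frames without logging or counting them"))
    maximum = fields.get("Maximum MAC Addresses", 0)
    if maximum > max_allowed:
        findings.append(("MAX_TOO_HIGH",
                         f"maximum of {maximum} MAC addresses exceeds the policy limit of {max_allowed}"))
    count = fields.get("Security Violation Count", 0)
    if count > 0:
        findings.append(("VIOLATIONS",
                         f"{count} violation(s) recorded; last source address {fields.get('Last Source Address:Vlan')}"))
    if fields.get("Port Status") == "Secure-shutdown":   # IOS status of an err-disabled secure port
        findings.append(("ERR_DISABLED",
                         "interface is err-disabled after a violation; recover with shutdown / no shutdown"))
    return findings


if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE)
    for code, message in audit(parsed) or [("OK", "interface matches policy")]:
        print(f"{code}: {message}")
```

Run it against the output of each secure interface (for example collected with an expect script or a NetMiko job) and treat VIOLATIONS and ERR_DISABLED as incidents to look at: the Last Source Address field tells you the MAC that tripped the port, which is the first clue to what is plugged in there.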

Step 4: Launch a demo attack from Kali Linux

First, check the name of the interface on the Kali Linux machine that is connected to the switch:

root@kali ~# ifconfig

Then run macof (part of the dsniff package) on Kali Linux to flood the switch's MAC address table with frames carrying random source addresses:

root@kali ~# macof -i eth0

As soon as macof sends a frame whose source MAC address differs from the single sticky address already learned on the port, the switch records a violation and places Ethernet0/0 in the err-disabled state, so the attacker loses connectivity before the table can fill. You can confirm this with the command below, which will now show the interface as down; show port-security interface ethernet0/0 will show the Port Status as Secure-shutdown and a Security Violation Count of 1 or more. Once the attacker has been removed, bring the port back with shutdown followed by no shutdown on the interface, or configure errdisable recovery cause psecure-violation so the switch re-enables it automatically after the recovery interval.

SW#show ip interface brief
