Cisco Support Community
ovt (Bronze)

Defeating mac flooding attacks on the distribution 6500 switch

Hi, guys.

1. Can anybody share personal experience with the following Cat 6500 commands:

IOS: mac-address-table limit

CatOS: set cam monitor

IOS: mac-address-table notification threshold

CatOS: set cam notification threshold

The problem is that it is not always feasible to protect the switching infrastructure against macof-like attacks on the access layer because of software limitations of low-end switches. For example, you cannot configure port security and PVLANs on the same port on 3560/3750 Cisco switches.

So, the idea is to defeat mac flooding attacks on the distribution layer. Is it possible with these commands?

2. Why does the IOS documentation tell us that the "flood" option of the "mac-address-table limit" command "enables unknown unicast flooding for the VLAN", whilst the CLI tells us that it "disables flooding for this vlan"? What is the truth?

Thx.

1 REPLY
Community Member

Re: Defeating mac flooding attacks on the distribution 6500 switch

You will solve the problem by using port security, specifying the maximum number of MAC addresses learned per switch port.

This will prevent scripts like macof from turning your switch into a hub after filling the CAM table.

URL reference: http://cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a2c.html
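Worked configuration covering both halves of the thread, added here as an example; it is not something either participant posted and is not copied from Cisco documentation. It shows the per-port port-security limit the reply recommends for 3560/3750 access switches, and the VLAN-wide `mac-address-table limit` and `mac-address-table notification threshold` commands the question asks about for the Catalyst 6500 distribution switch. Interface names, VLAN IDs, the per-port maximum of 3, the per-VLAN maximum of 2000 and the 80% threshold are assumed values. The reading of the `flood` keyword follows the command-reference wording quoted in the question (adding `flood` keeps unknown-unicast flooding enabled above the limit; omitting it means the VLAN stops learning and does not flood, so the switch cannot be turned into a hub), so confirm the behaviour on your own Supervisor with `show mac-address-table limit` before relying on it.

```cisco
! Added example configuration (assumed interface names, VLANs and limits).
! Access-layer syntax: Catalyst 3560/3750 IOS.  Distribution syntax: Catalyst
! 6500 IOS (12.2SX family).  Verify each command with "?" on your own platform.

!--- Part 1: access layer (3560/3750), what the reply recommends.
!--- Cap the MACs learned on each edge port so macof cannot fill the CAM table.
interface range GigabitEthernet1/0/1 - 24
 description USER-EDGE
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! "restrict" drops frames from the 4th source MAC onward, logs a
! %PORT_SECURITY-2-PSECURE_VIOLATION and keeps the port up.  If you prefer
! "violation shutdown", let the port recover on its own after 5 minutes:
errdisable recovery cause psecure-violation
errdisable recovery interval 300

!--- Part 2: distribution layer (Catalyst 6500), what the question asks about.
!--- Cap the MACs the 6500 learns per user VLAN so a flood arriving over an
!--- uplink from an unprotected access switch cannot exhaust the distribution
!--- CAM.  Without the "flood" keyword, "action limit" stops learning at the
!--- cap and the VLAN does not flood unknown unicast, which is what prevents
!--- the hub behaviour macof relies on.
mac-address-table limit vlan 10 maximum 2000 action limit
mac-address-table limit vlan 20 maximum 2000 action limit
!
! Same cap, but unknown-unicast flooding stays on above the limit (assumed
! reading of the "flood" keyword, see the lead-in).  Shown for contrast only:
! mac-address-table limit vlan 30 maximum 2000 action limit flood
!
! Early warning before the whole table fills: syslog when CAM utilisation
! reaches 80%, re-evaluated every 120 seconds.
mac-address-table notification threshold limit 80 interval 120
mac-address-table notification mac-move

!--- Verification (exec mode)
! show mac-address-table limit
! show mac-address-table count
! show port-security interface GigabitEthernet1/0/1
! show port-security address
```

Operationally, the two layers complement each other: port security on the access switch stops the flood at its source, while the VLAN limit on the 6500 bounds the damage from any access port where port security could not be applied (the PVLAN co-existence limitation mentioned in the question). Size the per-VLAN maximum above the legitimate host count with headroom, or the `limit` action will silently stop learning new legitimate hosts during normal growth; watch the threshold syslog to catch that before it happens.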
