Given this scenario, what do people see as the best solution:
You have a network of servers which are available for direct customer access. Servers get compromised and either manually or via a script assign all IPs within the subnet to their machine. They then flood the switches MAC address tables which effectively breaks connectivity for the users legitimately using those IP addresses.
I don't see how you can prevent this using switchport-security max MAC addresses as they're using a single MAC address but are assigning a large number of IPs to a single MAC address.
What happened in your network is a classic case:
The attacker starts saturating your switch's MAC table with random MAC addresses using tools available on the internet. After that, the switch's MAC table is full to its limit, and at that moment the switch is no longer a switch; it becomes a hub, hence it floods packets to all its ports. The attacker at that moment starts sniffing the packets, so he/she learns the IP addresses used within your network, and he/she spoofs them by assigning them to himself or herself and attacks the PCs or servers that have those addresses so that they cannot connect, so that he/she can appear legitimate and do whatever he/she wants. This is DoS, denial of service.
To mitigate those threats, start limiting the number of MAC addresses that can be learned from any port on your switch to just one, or assign them statically.
Under interface mode:
switchport port-security maximum x
Please do rate the post if it does help.
I may be misunderstanding the situation, but there's only one MAC address at play and they're assigning a large number of IP addresses to it - will port-security max MAC addresses help here?
You said that there are a lot of IP addresses mapped to the same layer 2 MAC address;
that means that every packet sent to those IP addresses will be redirected to that MAC address, since ARP will resolve all those IP addresses to the same MAC address. So if that MAC address is real, all those packets will be forwarded to the PC with this MAC, which leads to the fact that this PC will gather all the packets and replay them to find what is in there... maybe a credit card number!
So the switchport command discussed will prohibit the attacker from reaching that stage of the attack!
You need to prepare a security policy and implement it!
For example, RFC 2829 will protect you from spoofing, and that is great and a big step toward a safe network!
So the maximum number of IPs => MAC addresses stored in the MAC address table per interface is limited by the 'switchport port-security maximum' command?
I can't see how that would work - surely it would only be a limitation on the ARP table which would do what we require?
Not quite agree; the command limits the number of MAC addresses learned from a given interface, not the number of IP addresses!
If you specify one, no more than one can appear from that port, and the port goes into the errdisable state.
Question: do you have a layer one device (a hub) connected to your switch?
No, there is no hub. Also I don't think this is a MAC address flooding issue as there is only one MAC address. Let me try to explain it in more detail:
The setup is a 6509 in the core with a number of 3550 and 3560 access switches. VLANs/subnets are /22 which I know is larger than they should be.
Servers are allocated up to a /28. I need a method of enforcing the maximum number of IP addresses that can be tied to one MAC address. Currently there's nothing to stop a compromised or misconfigured server from assigning the entire /22.
This is where I'm a bit unsure - it would strike me that what I require is a limitation on the number of ARP entries per MAC address rather than entries in the MAC address table - because surely there will only be 1 entry in the MAC address table no matter how many layer 3 addresses are in use?
With a /28 for your servers, could you not put a static ARP entry in for each of the servers into one of your layer three switches? You would only need to do it on subnets that the "public" facing servers were on. It wouldn't prevent a server from flooding the ARP table, but it might help to ensure that addresses of valid devices are still available.
Port security is step 1: limit the number of MAC addresses per port.
Enable DHCP snooping as step 2; three reasons for this: blocking rogue DHCP servers, limiting DHCP packet rates to prevent scope starvation, and creating a binding table that the switch can use for
ARP inspection should be enabled (but only after creating manual bindings for DHCP snooping if using static addresses!) to prevent ARP spoofing attacks.
IP Source Guard should be enabled (again, have the bindings built beforehand, or any non-DHCP hosts will have all traffic blocked) to prevent IP spoofing.
With these features enabled, the attack you describe wouldn't have any effect. See this link for more info:
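The four steps above written out as an access-switch configuration, as an added example that is not from the original thread. It assumes a single server VLAN 100, one customer server port with a statically addressed host at 10.0.0.10 / MAC 0011.2233.4455 (constructed values), a trunk uplink toward the core, and an IOS image that supports all four features. With the static binding in place, IP Source Guard drops packets from any source IP the port is not bound to and DAI drops ARP replies for unbound IPs, which is what caps how many IPs one MAC can claim.

```cisco
! --- Global: DHCP snooping builds the binding table that DAI and IPSG consult ---
ip dhcp snooping
ip dhcp snooping vlan 100
! Dynamic ARP Inspection on the server VLAN, also checking that the sender
! MAC/IP inside the ARP body match the Ethernet header
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! --- Static binding for a server that does not use DHCP (constructed values) ---
! Without this entry, DAI and IPSG would block all traffic from the host.
ip source binding 0011.2233.4455 vlan 100 10.0.0.10 interface FastEthernet0/1
!
! --- Uplink toward the core: trusted, so legitimate DHCP offers and ARP pass ---
interface GigabitEthernet0/1
 description Uplink to core
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Customer server port: untrusted, one MAC, only bound IPs allowed ---
interface FastEthernet0/1
 description Customer server 10.0.0.10
 switchport mode access
 switchport access vlan 100
 ! Step 1: at most one MAC on this port; drop and log extras instead of errdisabling
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Step 2: cap the DHCP packet rate to stop scope-starvation attempts
 ip dhcp snooping limit rate 10
 ! Step 3: DAI applies to this untrusted port automatically once enabled on the VLAN
 ! Step 4: IP Source Guard, filtering source IP and source MAC against the binding table
 ip verify source port-security
```

Verify the result with `show ip source binding` and `show ip arp inspection interfaces`; a compromised server adding further addresses from the /22 shows up as IPSG drops on its port rather than as lost connectivity for its neighbours.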