
Two switch, one MAC table

16 years 11 months ago #24501 by skepticals
I was wondering how exactly this works:

If I were to plug a regular old switch into the wall drop that connects to a Cisco 2950, how does it handle the MAC address table? Normally, I only have 1 PC per drop, but I added a switch and connected 3 PCs to it. How does the Cisco switch handle which PC is on which port? Can multiple MACs be on one physical port? Or does the most recent get into the table...

Thoughts?
16 years 11 months ago #24507 by Chris
Replied by Chris on topic Re: Two switch, one MAC table
skepticals,

Your thoughts are correct. The 2950 will create multiple entries for each MAC address it 'sees' behind the port that connects to the 'old switch'.

You might also be interested in knowing that there's a neat feature called 'port security' which will help 'lock down' the number of MAC addresses allowed through a specific port. Here's a detailed analysis of the options the feature provides:

[code:1]
Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
[/code:1]


Being more practical, here are a few more examples of the command:

switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had an 8-port hub connected to this switch port, you would want to allow 8 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.

switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum allowed number. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).

switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Hope that helps!

Cheers

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
16 years 11 months ago #24519 by S0lo
Replied by S0lo on topic Re: Two switch, one MAC table

switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum allowed number. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).


Sorry skepticals, but I guess that brings another issue here: could an intruder forge frames with multiple source MAC addresses exceeding the 132 (or whatever) to force a violation and shut down the port?

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
16 years 11 months ago #24520 by Smurf
Replied by Smurf on topic Re: Two switch, one MAC table
Yes, that could be achieved to provide a sort of DoS attack.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 11 months ago #24522 by skepticals
Chris,

Very interesting. I have heard of port security on the switches, but was unaware of the max MAC address limit. That is interesting. As others have pointed out, it could be used in a DoS attack too.

Would the Cisco switch list ALL the MAC addresses in the address table? Or just the most currently used one? I guess I could set this up and try it...
16 years 11 months ago #24525 by Chris
Replied by Chris on topic Re: Two switch, one MAC table
Skepticals,

If you issue the command "show mac-address-table", you'll get all mac addresses the switch knows of, along with the corresponding destination port (in other words, behind which port the mac address is found).

Here's an example from my 2912XL here at home:

[code:1]
2912XL#show mac-address-table
Dynamic Address Count: 3
Secure Address Count: 0
Static Address (User-defined) Count: 0
System Self Address Count: 35
Total MAC addresses: 38
Maximum MAC addresses: 2048
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
--------------------------------------------------------
0017.a4eb.9b04 Dynamic 1 FastEthernet0/6
0018.f8f1.cff5 Dynamic 1 FastEthernet0/6
00a0.c9ab.0e8f Dynamic 1 FastEthernet0/1
2912XL#
[/code:1]

You can clearly see that the switch only supports 2048 mac addresses in its table and there are only 3 used at this point (you wouldn't normally get more than 5 anyways!).

I sometimes use this information when I'm trying to track down a specific host which my eyes have caught while performing an audit/examination at a customer's site. The packet sniffer shows me the mac address of the offending PC and if I can't locate it based on its IP, then a simple "show mac-address-table" will reveal where it's hidden!

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
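As an added example (not part of the original thread or any Firewall.cx tool), the script below parses "show mac-address-table" output of the layout Chris posted, groups learned MACs by port so that a downstream switch or hub shows up as several MACs behind one drop, flags the ports that would exceed a planned port-security "maximum", and looks up the port a sniffer-reported MAC was learned on. The sample output and its MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "show mac-address-table" output (MACs made up).
SAMPLE_OUTPUT = """\
2912XL#show mac-address-table
Dynamic Address Count: 4
Maximum MAC addresses: 2048
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
--------------------------------------------------------
0017.a4eb.9b04       Dynamic       1     FastEthernet0/6
0018.f8f1.cff5       Dynamic       1     FastEthernet0/6
0050.56ab.cd01       Dynamic       1     FastEthernet0/6
00a0.c9ab.0e8f       Dynamic       1     FastEthernet0/1
2912XL#
"""

ROW_RE = re.compile(  # one table row: Cisco dotted MAC, address type, VLAN, port
    r"^(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<kind>\S+)\s+(?P<vlan>\d+)\s+(?P<port>\S+)$", re.IGNORECASE)

def cisco_mac(mac):
    """Normalise 00:17:A4:EB:9B:04 or 0017a4eb9b04 (sniffer notations) to 0017.a4eb.9b04."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(h) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def parse_mac_table(text):
    """(mac, type, vlan, port) for every learned address in the CLI output."""
    matches = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [(m["mac"].lower(), m["kind"], int(m["vlan"]), m["port"]) for m in matches if m]

def macs_per_port(rows):
    """Group learned MACs by port: more than one means a switch, hub or several hosts sit behind that drop."""
    by_port = defaultdict(list)
    for mac, _kind, _vlan, port in rows:
        by_port[port].append(mac)
    return dict(by_port)

def ports_over_limit(rows, maximum=1):
    """Ports holding more MACs than the port-security 'maximum' you plan to set (default 1)."""
    return {p: len(m) for p, m in macs_per_port(rows).items() if len(m) > maximum}

def locate_mac(rows, wanted):
    """Port on which a MAC (given in any common notation) was learned, or None."""
    target = cisco_mac(wanted)
    return next((port for mac, _k, _v, port in rows if mac == target), None)
```

Running ports_over_limit against a real table before enabling port security tells you which drops need a higher maximum (or a restrict/protect violation mode) so that legitimate multi-host ports are not shut down.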