TOPIC: Two switch, one MAC table

Two switch, one MAC table 8 years 9 months ago #24501

  • skepticals
  • Expert Member
  • Posts: 783
  • Karma: 0
I was wondering how exactly this works:

If I were to plug a regular old switch into the wall drop that connects to a Cisco 2950, how does it handle the MAC address table? Normally, I only have 1 PC per drop, but I added a switch and connected 3 PCs to it. How does the Cisco switch handle which PC is on which port? Can multiple MACs be on one physical port? Or does the most recent get into the table...

Thoughts?

Re: Two switch, one MAC table 8 years 9 months ago #24507

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
skepticals,

Your thoughts are correct. The 2950 will create multiple entries for each MAC address it 'sees' behind the port that connects to the 'old switch'.

You might also be interested in knowing that there's a neat feature called 'port security' which will help 'lock down' the number of MAC addresses allowed through a specific port. Here's a detailed analysis of the options the feature provides:

[code:1]
Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
[/code:1]


Being more practical, here are a few more examples of the command:

switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had an 8-port hub connected to this switch port, you would want to allow 8 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.

switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum allowed number. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).

switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Hope that helps!

Cheers
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

Re: Two switch, one MAC table 8 years 9 months ago #24519

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum allowed number. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).

Sorry skepticals, but I guess that brings another issue here: could an intruder forge frames with multiple source MAC addresses exceeding the 132 (or whatever) to force a violation and shut down the port?
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: Two switch, one MAC table 8 years 9 months ago #24520

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Yes, that could be achieved to provide a sort of DoS attack.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Two switch, one MAC table 8 years 9 months ago #24522

  • skepticals
  • Expert Member
  • Posts: 783
  • Karma: 0
Chris,

Very interesting. I have heard of port security on the switches, but was unaware of the max MAC address limit. That is interesting. As others have pointed out, it could be used in a DoS attack too.

Would the Cisco switch list ALL the MAC addresses in the address table? Or just the most currently used one? I guess I could set this up and try it...

Re: Two switch, one MAC table 8 years 9 months ago #24525

  • Chris
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
Skepticals,

If you issue the command "show mac-address-table", you'll get all MAC addresses the switch knows of, along with the corresponding destination port (in other words, behind which port the MAC address is found).

Here's an example from my 2912XL here at home:

[code:1]
2912XL#show mac-address-table
Dynamic Address Count:               3
Secure Address Count:                0
Static Address (User-defined) Count: 0
System Self Address Count:           35
Total MAC addresses:                 38
Maximum MAC addresses:               2048
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0017.a4eb.9b04       Dynamic       1     FastEthernet0/6
0018.f8f1.cff5       Dynamic       1     FastEthernet0/6
00a0.c9ab.0e8f       Dynamic       1     FastEthernet0/1
2912XL#
[/code:1]

You can clearly see that the switch only supports 2048 MAC addresses in its table and there are only 3 used at this point (you wouldn't normally get more than 5 anyways!).

I sometimes use this information when I'm trying to track down a specific host which my eyes have caught while performing an audit/examination at a customer's site. The packet sniffer shows me the MAC address of the offending PC and if I can't locate it based on its IP, then a simple "show mac-address-table" will reveal where it's hidden!

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
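As an added example (not from the thread or from Firewall.cx), the following Python script parses "show mac-address-table" output like the 2912XL listing above, flags ports that have learned more than one MAC (skepticals' original question about an unmanaged switch behind a drop) and builds a port-security stanza from the commands in Chris's earlier post, sized to the hosts actually seen. The sample output is constructed from the listing with one extra made-up entry, and the script assumes the port is already configured with "switchport mode access".

```python
import re
from collections import defaultdict

# Constructed sample: the "show mac-address-table" output quoted in the thread,
# with one extra (made-up) entry so that three hosts sit behind FastEthernet0/6,
# the situation skepticals asked about.
SAMPLE_OUTPUT = """\
2912XL#show mac-address-table
Dynamic Address Count: 4
Maximum MAC addresses: 2048
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0017.a4eb.9b04       Dynamic       1     FastEthernet0/6
0018.f8f1.cff5       Dynamic       1     FastEthernet0/6
00a0.c9ab.0e8f       Dynamic       1     FastEthernet0/1
0000.1111.2222       Dynamic       1     FastEthernet0/6
2912XL#
"""

# One table row: dotted-hex MAC, address type, VLAN, port.
ENTRY_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\d+)\s+(\S+)$", re.I)

def parse_mac_table(text):
    """Map each port to the list of (mac, type, vlan) entries learned on it."""
    per_port = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mac, addr_type, vlan, port = m.groups()
            per_port[port].append((mac.lower(), addr_type, int(vlan)))
    return dict(per_port)

def ports_with_multiple_macs(per_port, limit=1):
    """Ports that learned more than 'limit' MACs: a hub/unmanaged switch behind
    the drop, or a host sending frames with forged source addresses."""
    return {port: len(v) for port, v in per_port.items() if len(v) > limit}

def port_security_config(port, entries, mode="restrict"):
    """IOS lines using only the commands shown in the thread, sized to the hosts
    seen on the port. 'restrict' keeps the port up (alerting instead of shutting
    down), which limits the port-shutdown DoS raised later in the thread."""
    short = port.replace("FastEthernet", "fa")
    lines = [f"interface {short}",
             " switchport port-security",
             f" switchport port-security maximum {len(entries)}",
             f" switchport port-security violation {mode}"]
    lines += [f" switchport port-security mac-address {mac}" for mac, _, _ in entries]
    return lines
```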