Understanding Layer 2 switch port security
Safe Switch
A switch port is the entryway into a network. Depending on network size, there may be thousands of access ports or more distributed across a campus or building. Imagine thousands of doors all over your house: Do you have enough security to prevent unauthorized people from entering?
MAC Address Table
If someone wants to launch an attack through an unsecured port, a switch's Media Access Control (MAC) address table is a good choice. A successful attack to the MAC address table can change the network traffic destination, compromise data confidentiality, and even make the network unavailable, all in a very short time. In this article, I explain how a switch uses the MAC address table, introduce some common methods for attacking the MAC address table and finish up with a security solution to protect a switch from attack.
Layer 2 Switch Operation
A switch provides Data Link Layer (or Layer 2) connectivity on an Ethernet network. Devices transmit data frames based on a unique 48-bit MAC address (Figure 1). Each frame carries a destination address and the sender's source address. When the switch receives a frame, it looks up the destination address in its MAC address table and forwards the frame out the port recorded for that address. If the switch cannot find a valid record for the destination MAC address, it sends the frame out every port except the one it arrived on. This kind of broadcast delivery (flooding) is not good practice: it wastes bandwidth, and anyone on the same network segment can receive the frame and mine it for information useful in an intrusion attempt.
When a network contains two or more switches, each switch maintains its own MAC address table. Each table also stores the MAC address of the neighboring switch's interface, because switches exchange data for control plane purposes, such as loop prevention, multicast control, and VLAN management (Figure 2).
MAC Address Learning
Because manual entry is inefficient, typing records one by one into the configuration file is seldom done. By default, when a switch receives a data frame, it reads the frame's source address and stores it in the MAC address table, along with a reference to the port that received the frame. This process is called MAC address learning. When the switch first boots, its MAC address table is empty, so it delivers everything by broadcast. As traffic arrives on different ports, the switch learns MAC addresses; the table grows, and eventually the switch delivers most frames directly rather than by broadcast.
A typical aging time for a MAC record is 300 seconds; if a switch does not receive any data frames from a source for 300 seconds, it assumes that the MAC address owner is no longer attached to the network, and the record is cleared.
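The learning, forwarding, flooding and aging behaviour described above, as a small simulation. This is an added example, not code from the article; the port names and MAC addresses are constructed.

```python
"""Simulated learning switch (added example, not from the article).

Models the MAC address table: learn the source address on ingress,
forward known destinations out one port, flood unknown destinations to
all other ports, and age entries out after 300 seconds of silence.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    ports: tuple
    aging_time: float = 300.0          # typical default, per the article
    # mac -> (port, time the last frame from that mac was seen)
    table: dict = field(default_factory=dict)

    def _age(self, now):
        """Drop records whose source has been silent for aging_time."""
        expired = [m for m, (_, seen) in self.table.items()
                   if now - seen >= self.aging_time]
        for m in expired:
            del self.table[m]

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the list of egress ports."""
        self._age(now)
        # MAC address learning: bind the source address to the ingress port.
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # Broadcast or unknown unicast: flood to every port except ingress.
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]


def demo():
    """Three frames: unknown dst (flood), known dst (direct), aged-out dst (flood)."""
    sw = LearningSwitch(ports=("Gi1/0/1", "Gi1/0/2", "Gi1/0/3"))  # constructed ports
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"  # constructed addresses
    first = sw.receive("Gi1/0/1", a, b, now=0)      # b unknown: flooded
    reply = sw.receive("Gi1/0/2", b, a, now=1)      # a already learned: direct
    later = sw.receive("Gi1/0/1", a, b, now=400)    # b aged out at 300 s: flooded again
    return first, reply, later


if __name__ == "__main__":
    print(demo())
```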