Lead Image © Taffi, Fotolia.com

Understanding Layer 2 switch port security

Safe Switch

Article from ADMIN 42/2017
What happens when an intruder with a laptop parks at an empty cubicle and attaches to your local network? If you don't want to find out, it might be time to think about implementing some switch port security.

A switch port is the entryway into a network. Depending on network size, there may be thousands of access ports or more distributed across a campus or building. Imagine thousands of doors all over your house: Do you have enough security to prevent unauthorized people from entering?

MAC Address Table

If someone wants to launch an attack through an unsecured port, a switch's Media Access Control (MAC) address table is a good choice. A successful attack on the MAC address table can change the network traffic destination, compromise data confidentiality, and even make the network unavailable, all in a very short time. In this article, I explain how a switch uses the MAC address table, introduce some common methods for attacking the MAC address table, and finish up with a security solution to protect a switch from attack.

Layer 2 Switch Operation

A switch provides Data Link Layer (or Layer 2) connectivity on an Ethernet network. Devices transmit data frames based on a unique 48-bit MAC address (Figure 1). The data frame contains a destination address and the sender's source address. When the switch receives the data frame, it looks up the destination address in its MAC address table and forwards the frame out of the port associated with that destination address. If the switch cannot find a valid record for the destination MAC address, it sends the data frame out of all ports except the one on which it arrived. This type of broadcast delivery is not a good practice because it wastes bandwidth, and anyone on the same network segment could receive the data frame and exploit the data to gain information for an intrusion attempt.

Figure 1: PC1 sends out a data frame with the destination address ABCD.EF00.0004. The switch receives it at port 1 and then searches the destination address in its MAC address table. The destination is found, and the data frame is sent out through port 8.

When a network contains two or more switches, each switch maintains its own MAC address table. Each table also stores the MAC address of the neighboring switch's interface, because switches exchange data for control plane purposes, such as loop prevention, multicast control, and VLAN management (Figure 2).

Figure 2: Switches also store the MAC address of the neighboring switch (blue text) in order to exchange control data frames.

MAC Address Learning

Because manual entry is inefficient, typing the records one by one into the configuration file is seldom done. By default, when a switch receives a data frame, it reads the frame's source address and stores it in the MAC address table, along with a reference to the port that received the frame. This process is called MAC address learning. When the switch first boots, it has no records in the MAC address table, so it does its delivery job by broadcast. As traffic begins to arrive from different ports, the switch learns MAC addresses. The number of MAC address table records grows, and eventually the switch starts delivering frames directly to the correct port rather than by broadcast.

A typical aging time for a MAC record is 300 seconds; if a switch does not receive any data frames from a source for 300 seconds, it assumes that the MAC address owner is no longer attached to the network, and the record is cleared.
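The following simulation ties together the three behaviours described above: learning a source address against its ingress port, forwarding a frame directly when the destination is known and broadcasting it when it is not, and clearing an entry after 300 seconds of silence. It is an added example written for this article, not code from the magazine or from any switch vendor; the eight-port layout and the ABCD.EF00.xxxx addresses are constructed for illustration.

```python
"""Simulation of a Layer 2 switch's MAC address table: source learning,
direct forwarding, flooding of unknown destinations, and entry aging.
Constructed example; the MAC addresses and eight-port switch are assumed."""

from dataclasses import dataclass, field
from typing import Dict, List, Set

AGING_TIME = 300.0  # seconds, the typical aging time quoted in the article
BROADCAST = "FFFF.FFFF.FFFF"


@dataclass
class MacEntry:
    port: int          # port on which the source address was last seen
    last_seen: float   # timestamp of the last frame from that address


@dataclass
class Switch:
    ports: Set[int]
    aging_time: float = AGING_TIME
    table: Dict[str, MacEntry] = field(default_factory=dict)

    def age_out(self, now: float) -> List[str]:
        """Drop entries whose owner has been silent for aging_time or longer."""
        expired = [mac for mac, e in self.table.items()
                   if now - e.last_seen >= self.aging_time]
        for mac in expired:
            del self.table[mac]
        return expired

    def learn(self, src: str, in_port: int, now: float) -> None:
        """Record (or refresh) the source address against the ingress port."""
        self.table[src] = MacEntry(in_port, now)

    def receive(self, src: str, dst: str, in_port: int, now: float) -> List[int]:
        """Return the egress ports for a frame that arrived on in_port."""
        self.age_out(now)
        self.learn(src, in_port, now)
        entry = self.table.get(dst)
        if dst != BROADCAST and entry is not None:
            # Known destination: deliver on that single port (drop if it is
            # the port the frame came in on, since the destination is there).
            return [] if entry.port == in_port else [entry.port]
        # Unknown or broadcast destination: send out every port but the ingress one.
        return sorted(p for p in self.ports if p != in_port)


def scenario() -> dict:
    """Walk through learning, flooding, direct delivery and aging."""
    sw = Switch(ports=set(range(1, 9)))                # assumed eight-port switch
    pc1, pc4 = "ABCD.EF00.0001", "ABCD.EF00.0004"      # constructed addresses
    out = {}
    # t=0: empty table; PC1 on port 1 sends to PC4, which is unknown, so flooded
    out["first_frame"] = sw.receive(pc1, pc4, in_port=1, now=0.0)
    # t=1: PC4 on port 8 replies; PC1 was learned, so the reply goes to port 1 only
    out["reply"] = sw.receive(pc4, pc1, in_port=8, now=1.0)
    # t=2: PC1 sends again; PC4 is now known, so no flooding
    out["second_frame"] = sw.receive(pc1, pc4, in_port=1, now=2.0)
    # t=302: both entries are 300 s or more old and age out; PC4 is relearned
    # when it transmits, but PC1 is unknown again, so the frame is flooded
    out["after_aging"] = sw.receive(pc4, pc1, in_port=8, now=302.0)
    out["table_after"] = sorted(sw.table)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Running the script shows the table filling up as hosts speak and the flooding disappearing once both endpoints are known, then reappearing after the aging timer has removed a silent host. The same state machine is what an attacker targets when filling the table with bogus source addresses, which is why the later sections treat the table as the asset to protect.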
