Imagine your network switch is a diligent postal worker who memorizes every mailbox location to deliver letters efficiently. Now imagine a malicious actor sending letters to every possible address, forcing the postal worker to shout every delivery to the entire neighborhood. That's MAC flooding in a nutshell. For the CCNA 200-301 exam (Objective 5.2), understanding MAC flooding and its defense mechanisms is crucial because it directly tests your knowledge of Layer 2 security threats and mitigations. In real networks, a successful MAC flooding attack can turn a switch into a hub, allowing attackers to sniff traffic they shouldn't see. This chapter will equip you with the technical depth to not only pass the exam but also protect real-world networks.
Think of a switch's MAC address table as a mailroom clerk's memory of which employee sits at which desk. The clerk has a limited number of slots in their memory—say, 8,192. Normally, when a letter arrives for 'Alice,' the clerk checks their list, finds 'Alice = Desk 7,' and delivers it directly to Desk 7, ignoring all other desks. This is efficient and private. Now, an attacker named Mallory starts sending thousands of letters, each with a different fake sender name, like 'Bob1,' 'Bob2,' up to 'Bob10000.' Each fake sender forces the clerk to allocate a memory slot: 'Bob1 = Desk 2,' 'Bob2 = Desk 3,' etc. Soon, the clerk's memory fills up completely. Now when a legitimate letter arrives for 'Alice,' the clerk's memory is full, so they have no idea where Desk 7 is. To avoid losing the letter, they have to shout, 'Hey, is there an Alice here?' and deliver it to every desk in the office. This is exactly what happens in a MAC flooding attack: the switch's CAM table overflows, and the switch falls back to flooding all unknown unicast frames out all ports, effectively behaving like a hub. The attacker, sitting at Desk 5, can now see every letter that was meant to be private. The defense is like giving the clerk a rule: 'If your memory is full, do not shout; instead, drop new letters until space frees up.' That's port security's MAC address limiting in action.
What is MAC Flooding and Why Does It Exist?
MAC flooding is a Layer 2 attack where an attacker sends a large number of Ethernet frames, each with a unique source MAC address, to a switch. The switch's Content Addressable Memory (CAM) table, which maps MAC addresses to switch ports, has a finite size—typically 8,192 entries on Cisco Catalyst 2960 switches. By sending thousands of frames with different source MAC addresses, the attacker forces the switch to learn each new address, filling the CAM table. Once the table is full, the switch can no longer learn new addresses. For any frame destined to an unknown unicast address (one not in the CAM table), the switch must flood the frame out all ports except the incoming port. This behavior is standard for switches when the destination MAC is unknown. The attack exploits this by ensuring that legitimate unknown unicast frames (which would normally be learned after a single frame) are also flooded, allowing the attacker to receive frames intended for other hosts. The attacker typically connects to a single port and sends frames with varying source MACs, often using a tool like macof. The goal is to sniff traffic that should be isolated to specific switch ports.
How MAC Flooding Works Step by Step
Initial State: Switch A has an empty CAM table. Hosts Alice (port 1), Bob (port 2), and Mallory (port 3) are connected.
Normal Operation: Alice sends a frame to Bob. Switch learns Alice's MAC on port 1. Since Bob's MAC is unknown, the switch floods the frame out all ports except port 1. Bob receives it and responds. Switch learns Bob's MAC on port 2. Future frames from Alice to Bob are forwarded directly to port 2.
Attack Initiation: Mallory (attacker) on port 3 sends a frame with source MAC 'X1' to a broadcast address. Switch learns X1 on port 3. Mallory then sends frames with source MACs X2, X3, X4... each to a broadcast or unicast address. For each new source MAC, the switch adds an entry in the CAM table pointing to port 3.
CAM Overflow: After sending enough frames (e.g., 8,193 unique source MACs), the CAM table is full. The switch may either drop new learning or, more commonly, continue learning by evicting old entries. But in many switches, once full, the switch stops learning and enters a fail-open mode where all unknown unicast frames are flooded.
Exploitation: Now Alice sends a frame to Bob. Bob's MAC is still in the CAM table (if not aged out), but if the attacker targeted Bob's MAC as one of the flood entries, or if the aging timer expired, Bob's MAC may be unknown. The switch floods the frame out all ports, including port 3. Mallory captures the frame, compromising confidentiality.
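The five steps above, together with the per-port limit that port security adds (covered later in this chapter), can be made concrete in a small simulation. The following Python model is an added example written for this chapter, not code from the original page or from Cisco: it uses a CAM capacity of 8 as a stand-in for the 8,192 entries of a Catalyst 2960 so the table fills in a few frames, the chapter's 300-second aging timer, and the chapter's port-security defaults (maximum 1, violation mode shutdown). It runs the Alice/Bob/Mallory scenario once without port security and once with each violation mode, and reports how many CAM entries remain, how many violations were counted on Mallory's port, and which ports receive Alice's final frame to Bob.

```python
"""Toy model of MAC learning, CAM overflow and port security, written for this
chapter. CAM capacity 8 stands in for the 8,192 entries of a Catalyst 2960 so
the table fills in a few frames; the behaviour modelled follows the chapter
text (stop learning when full, flood unknown unicast, per-port MAC limit with
protect/restrict/shutdown), not any vendor implementation."""
from collections import namedtuple
from dataclasses import dataclass, field

AGING_SECONDS = 300  # default aging time for dynamic CAM entries (chapter value)
BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst ingress")

@dataclass
class PortSecurity:
    maximum: int = 1             # default maximum once enabled (chapter value)
    violation: str = "shutdown"  # default violation mode (chapter value)
    secure: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False

class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports, self.capacity = list(ports), cam_capacity
        self.cam = {}       # mac -> (port, last_seen)
        self.security = {}  # port -> PortSecurity

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.security[port] = PortSecurity(maximum, violation)

    def port_up(self, port):
        ps = self.security.get(port)
        return ps is None or not ps.err_disabled

    def _admit(self, frame):
        """Port-security check on the ingress port; False means the frame is dropped."""
        ps = self.security.get(frame.ingress)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if frame.src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(frame.src)   # the first <maximum> source MACs become secure
            return True
        if ps.violation == "shutdown":
            ps.err_disabled = True     # port goes err-disabled; nothing more gets through
            ps.violations += 1
        elif ps.violation == "restrict":
            ps.violations += 1         # dropped and counted (logged/trapped on real gear)
        return False                   # protect: dropped silently, nothing counted

    def receive(self, frame, now):
        """Process one frame and return the ports it is forwarded out of."""
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > AGING_SECONDS]:
            del self.cam[mac]          # dynamic entries age out after 300 s idle
        if not self._admit(frame):
            return []
        # Learn (or refresh) the source only while there is room: a full table
        # stops learning, which is exactly what the attacker is counting on.
        if frame.src in self.cam or len(self.cam) < self.capacity:
            self.cam[frame.src] = (frame.ingress, now)
        entry = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # broadcast or unknown unicast: flood out every other port that is up
            return [p for p in self.ports if p != frame.ingress and self.port_up(p)]
        return [entry[0]]

ALICE, BOB = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"

def attack_burst(sw, first, count, now):
    """Mallory on port 3 sends `count` frames, one new bogus source MAC per frame."""
    for i in range(first, first + count):
        sw.receive(Frame(f"de:ad:be:ef:{i:02x}:03", BROADCAST, 3), now + i - first)

def run_scenario(port_security=None):
    """Alice on port 1, Bob on port 2, Mallory on port 3. Returns (CAM entries,
    violations counted on port 3, ports receiving Alice's final frame to Bob);
    port 3 in that list means Mallory reads a frame meant for Bob."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8)
    if port_security:
        sw.enable_port_security(3, **port_security)
    sw.receive(Frame(ALICE, BOB, 1), now=0)   # Bob unknown: flooded
    sw.receive(Frame(BOB, ALICE, 2), now=1)   # Bob answers: learned on port 2
    attack_burst(sw, 0, 20, now=10)           # far more MACs than the table holds
    # Alice and Bob stay quiet past the aging timer while Mallory keeps flooding,
    # so every slot that frees up is immediately refilled with a bogus MAC.
    attack_burst(sw, 20, 20, now=AGING_SECONDS + 2)
    sw.receive(Frame(BOB, ALICE, 2), now=AGING_SECONDS + 30)
    egress = sw.receive(Frame(ALICE, BOB, 1), now=AGING_SECONDS + 31)
    ps = sw.security.get(3)
    return len(sw.cam), (ps.violations if ps else 0), egress

if __name__ == "__main__":
    print("no port security:", run_scenario())
    for mode in ("shutdown", "restrict", "protect"):
        print(f"max 1, {mode}:", run_scenario({"maximum": 1, "violation": mode}))
```

Without port security the table ends up holding nothing but Mallory's addresses, Bob cannot be re-learned after his entry ages out, and Alice's final frame to Bob goes out ports 2 and 3, so Mallory's port receives it. With port security at maximum 1 only one bogus MAC ever enters the table and the frame goes to port 2 only, whichever violation mode is set. The modes differ in what you can see afterwards: shutdown counts one violation and err-disables the port, restrict counts every dropped frame while leaving the port up, and protect counts nothing, which is why the chapter recommends restrict or shutdown for visibility.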
Key States, Timers, and Defaults
CAM Table Size: Typically 8,192 entries on Catalyst 2960; varies by platform.
Aging Timer: Default 300 seconds (5 minutes) for dynamic MAC entries. After this period of inactivity, the entry is removed. Attackers may send frames faster than the aging timer to keep entries alive.
Port Security: A defense feature that limits the number of MAC addresses learned on a port. Default: disabled. When enabled, default maximum is 1 MAC address per port.
Violation Modes: protect (drops unknown frames but does not log), restrict (drops and logs), shutdown (error-disables the port – default).
Sticky MAC: Allows dynamically learned MACs to be saved to running config, making them static-like.
Interaction with Related Protocols
STP: MAC flooding does not directly affect STP, but an attacker could also send BPDUs to manipulate root bridge election. Port security can also limit BPDU flooding.
VLANs: Each VLAN has its own CAM table. Flooding in one VLAN does not affect others. However, if the attacker is in the same VLAN as the target, the attack works.
DHCP Snooping: Can prevent MAC spoofing by validating DHCP messages. MAC flooding often uses random MACs, which may be detected by DHCP snooping if the attacker also uses DHCP.
Dynamic ARP Inspection (DAI): Relies on DHCP snooping binding table. MAC flooding can be used in conjunction with ARP spoofing.
IOS CLI Verification Commands with Example Output
To check CAM table size and current usage:
Switch# show mac address-table count
MAC Entries for all VLANs:
Dynamic Unicast Address Count: 45
Static Unicast Address Count: 10
Total Unicast MAC Addresses In Use: 55
Total Unicast MAC Addresses Available: 8192

To view the CAM table:
Switch# show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0050.7966.6800 DYNAMIC Gi0/1
1 0050.7966.6801 DYNAMIC Gi0/2

To verify port security configuration:
Switch# show port-security interface gigabitethernet 0/1
Port Security : Enabled
Port Status : SecureUp
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.6800:1
Security Violation Count : 0

Common Misconfigurations
Setting maximum MAC too high: If you set maximum to 100, an attacker can learn 100 MACs on that port, still enabling some level of flooding. Best practice: set to expected number of devices (e.g., 1 for access port, 2 for phone+PC).
Using protect mode without alerting: protect mode silently drops excess frames; you may not know an attack is happening. Use restrict or shutdown for visibility.
Not configuring port security on all access ports: Many candidates only configure it on ports facing end users, but trunk ports can also be attacked if not protected.
Advanced Defense: MAC Address Notification and Limit
Cisco also offers MAC address notification (snmp-server enable traps mac-notification) to alert when MACs are learned, but the primary defense is port security. For exam purposes, focus on port security as the main mitigation.
Enable port security globally
Port security is configured per interface, but you must first ensure the switch supports it (all modern Catalyst switches do). There is no global command to enable port security across all interfaces; you enable it per interface. What you can configure globally is automatic recovery of ports that were error-disabled by a violation, using 'errdisable recovery cause psecure-violation'. For the exam, remember that port security itself is configured at interface level.
Enter interface configuration mode
Use the 'interface' command to select the port you want to secure. For example: 'interface gigabitethernet 0/1'. This puts you in interface configuration mode. Ensure the interface is a switchport (access or trunk). Port security can be configured on both access and trunk ports, but on trunk ports you may need to specify allowed VLANs.
Enable port security on the interface
Use the command 'switchport port-security' to enable the feature. Without this command, no other port-security commands take effect. This enables the default behavior: maximum MAC addresses = 1, violation mode = shutdown. The port will immediately learn the first source MAC address and consider it secure. Any frame with a different source MAC will trigger a violation.
Set maximum number of secure MAC addresses
Use 'switchport port-security maximum <value>' to change the default of 1. For a single PC, 1 is fine. For a phone+PC setup, set to 2 (one for phone, one for PC). For a small workgroup, set to a reasonable number like 5. Setting too high defeats the purpose of port security. Exam tip: default is 1, but you must explicitly enable port security first.
Configure violation mode
Use 'switchport port-security violation {protect | restrict | shutdown}'. 'shutdown' is the default and error-disables the port. 'restrict' drops packets and increments a counter (and can send SNMP trap). 'protect' drops packets silently. For exam, know that 'shutdown' disables the port until manually re-enabled or errdisable recovery is configured. 'restrict' is recommended for visibility.
Configure sticky MAC addresses (optional)
Use 'switchport port-security mac-address sticky' to convert dynamically learned MACs to sticky entries that are saved in running config. This ensures that if the switch reboots, the same MACs are still allowed. You can also manually configure a specific MAC using 'switchport port-security mac-address <mac>'. Sticky is useful for preventing MAC spoofing.
Verify and test the configuration
Use 'show port-security interface <interface>' to verify settings. Use 'show port-security address' to see all secure MAC addresses. To test, connect a device with a different MAC and observe the violation. If violation mode is shutdown, the port will go down. Use 'show interfaces status' to see if the port is err-disabled. Then use 'shutdown' followed by 'no shutdown' to recover, or configure errdisable recovery.
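The verification output shown earlier in this chapter can also be checked mechanically, which is useful once port security is deployed on hundreds of access ports. Below is an added example, not part of the chapter and not a Cisco tool: a small Python audit that parses 'show port-security interface' output and flags the problems listed under Common Misconfigurations (port security not enabled, maximum set higher than the devices expected on the port, protect mode with no alerting) as well as any recorded violations. The two sample outputs are constructed in the chapter's field layout; the expected device count per port and the decision to flag any Port Status other than SecureUp for a closer look are assumptions of the example.

```python
"""Audit 'show port-security interface' output against this chapter's guidance.
Constructed example for the chapter: the two sample outputs follow the field
layout shown above; the checks (port security enabled, maximum no higher than
the devices expected, no silent protect mode, no violations pending) are the
chapter's recommendations, not a vendor tool."""

# Constructed output for a phone+PC wall jack configured as the chapter recommends.
GOOD_PORT = """\
Port Security : Enabled
Port Status : SecureUp
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 2
Last Source Address:Vlan : 0050.7966.6800:1
Security Violation Count : 0
"""

# Constructed output showing the misconfigurations the chapter warns about.
BAD_PORT = """\
Port Security : Enabled
Port Status : SecureUp
Violation Mode : Protect
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 100
Total MAC Addresses : 37
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0050.7966.6801:1
Security Violation Count : 0
"""


def parse_port_security(output):
    """Split each 'Key : Value' line on the first ' : ' so that the
    'Last Source Address:Vlan' key and its MAC:VLAN value stay intact."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_port(output, expected_devices):
    """Return the list of findings for one interface; an empty list means it matches the guidance."""
    f = parse_port_security(output)
    if f.get("Port Security") != "Enabled":
        return ["port security is not enabled; 'switchport port-security' is missing"]
    findings = []
    maximum = int(f.get("Maximum MAC Addresses", 0))
    if maximum > expected_devices:
        findings.append(f"maximum {maximum} exceeds the {expected_devices} device(s) expected here")
    if f.get("Violation Mode", "").lower() == "protect":
        findings.append("protect mode drops excess frames silently; use restrict or shutdown")
    if f.get("Port Status") != "SecureUp":  # assumption: anything else deserves a look
        findings.append(f"port status is {f.get('Port Status')}; check whether it is err-disabled")
    if int(f.get("Security Violation Count", 0)) > 0:
        findings.append(f"violations recorded; last source seen {f.get('Last Source Address:Vlan')}")
    return findings


if __name__ == "__main__":
    for name, output in (("Gi0/1", GOOD_PORT), ("Gi0/2", BAD_PORT)):
        print(name, audit_port(output, expected_devices=2) or ["ok"])
```

Run against the two samples, the first port comes back clean and the second reports both the oversized maximum and the silent protect mode, the two points an examiner (or an auditor) would raise from that output.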
In a typical enterprise campus network, MAC flooding defense is deployed on all access ports connecting to end-user devices. For example, a university with thousands of dormitory rooms configures port security on each wall jack. The network engineer sets maximum MAC addresses to 2 (to allow a laptop and a VoIP phone) and violation mode to shutdown. This prevents a student from connecting a rogue switch and launching a MAC flooding attack. In the data center, port security is often used on server-facing ports to prevent ARP spoofing and MAC flooding, but with higher maximums (e.g., 10) to accommodate virtual machines.
Another scenario: a retail store with POS terminals. Each terminal has a fixed MAC address. The engineer uses sticky MAC addresses to learn the POS MAC and then saves the config. If someone tries to replace the POS device with a laptop, the port shuts down immediately. This also prevents MAC flooding from a compromised device.
Performance considerations: Port security has minimal CPU impact because it checks the source MAC against a small list per port. However, if you configure thousands of ports with high maximums, the CAM table may fill faster, but the per-port limit prevents CAM overflow.
Misconfiguration example: An engineer sets maximum MAC to 100 on an access port thinking it's harmless. An attacker can still flood 100 unique MACs per port, and across many ports, could fill the CAM table. Best practice is to set the minimum necessary. Another common mistake: forgetting to enable port security on uplinks or trunk ports. While trunk ports typically have many MACs, you can still configure a maximum (e.g., 100) to prevent flooding from a downstream switch that might be compromised.
Exam Objective 5.2: 'Describe security program elements' includes user awareness, training, physical access control, and specifically 'MAC flooding attack and mitigation.' The exam expects you to know: (1) MAC flooding fills the CAM table causing the switch to flood unknown unicast frames. (2) Port security is the primary mitigation. (3) The three violation modes and their behaviors. (4) Default maximum MAC addresses (1) and that port security must be explicitly enabled. (5) Sticky MAC addresses and their use.
Common wrong answers:
- 'MAC flooding attacks are prevented by VLANs.' VLANs isolate broadcast domains but do not prevent CAM overflow within a VLAN. Wrong because the attack works within a single VLAN.
- 'MAC flooding is a Layer 3 attack.' Wrong; it's Layer 2 because it exploits MAC learning.
- 'Port security violation modes: protect, restrict, shutdown – protect is the most secure.' Actually, protect silently drops, which may hide an attack. Shutdown is the most secure because it disables the port.
- 'Sticky MAC addresses are static.' They are dynamically learned but saved as static-like entries in running config. They are not truly static because they are learned dynamically first.
Specific values to memorize: default CAM table size 8192 (varies, but common number on 2960). Default port security maximum is 1. Default violation mode is shutdown. Aging time default 300 seconds.
Scenario question strategy: If a question describes a switch sending frames to all ports when it shouldn't, suspect MAC flooding. The mitigation will involve port security with a low maximum. If the question asks which violation mode should be used to alert but not disable the port, choose restrict (not protect, because protect doesn't alert; not shutdown because it disables).
MAC flooding fills the CAM table, causing the switch to flood unknown unicast frames like a hub.
Port security limits the number of MAC addresses per port; default maximum is 1.
Violation modes: protect (drop silently), restrict (drop and log), shutdown (error-disable port – default).
Sticky MAC addresses are dynamically learned but saved in running config; they survive reloads if config is saved.
Default CAM table size on Catalyst 2960 is 8192 entries; each VLAN has its own CAM table.
Port security must be explicitly enabled with 'switchport port-security'.
Errdisable recovery can automatically bring a port back after a shutdown violation using 'errdisable recovery cause psecure-violation'.
These come up on the exam all the time. Here's how to tell them apart.
Port Security
- Defense mechanism that limits MAC addresses per port
- Drops or shuts down port on violation
- Configured per interface
- Prevents CAM table overflow
- Default max MACs = 1

MAC Flooding Attack
- Attack that sends many source MACs to fill CAM table
- Causes flooding of unknown unicast frames
- Launched from a single port
- Exploits default switch behavior
- Requires thousands of unique MACs
Mistake: MAC flooding attacks can be prevented by using VLANs to isolate traffic.
Correct: VLANs isolate broadcast domains but do not prevent CAM table overflow within a VLAN. The attack works within a single VLAN.
Candidates often confuse Layer 2 isolation with security; VLANs limit broadcast scope but not MAC learning attacks.

Mistake: Port security's default violation mode is 'restrict'.
Correct: The default violation mode is 'shutdown', which error-disables the port.
Many candidates assume the default is the less disruptive mode, but Cisco chose shutdown for security.

Mistake: Sticky MAC addresses are static and must be manually configured.
Correct: Sticky MAC addresses are dynamically learned by the switch and then saved to the running configuration as if they were static.
The term 'sticky' implies persistence but not manual entry; candidates think it's like a static MAC.

Mistake: Port security can only be configured on access ports, not trunk ports.
Correct: Port security can be configured on both access and trunk ports, though on trunk ports you may need to specify VLANs.
Trunk ports carry multiple VLANs, but port security can still limit MACs per VLAN or overall.
The default is 1 MAC address per port. However, port security is disabled by default. You must first enable it with 'switchport port-security'. Once enabled, the port will learn the first source MAC and consider it secure. Any additional MAC will trigger a violation (default shutdown). For exam, remember that the default maximum is 1, but only after enabling port security.
You can manually recover by entering interface configuration mode for that port and issuing 'shutdown' followed by 'no shutdown'. Alternatively, you can configure automatic recovery using 'errdisable recovery cause psecure-violation' globally, which will bring the port back after a default interval of 300 seconds (configurable with 'errdisable recovery interval <seconds>').
Yes, port security can be configured on trunk ports. However, you must specify the VLANs for which MAC addresses are allowed using 'switchport port-security vlan <vlan-list>'. If not specified, the default is to apply to the native VLAN. On trunk ports, the maximum MAC addresses count applies per VLAN, not per port overall, unless you use the 'maximum' command with the 'vlan' keyword.
Static MAC addresses are manually configured using 'switchport port-security mac-address <mac>' and are always present in the running config. Sticky MAC addresses are dynamically learned from traffic and then converted to sticky entries using 'switchport port-security mac-address sticky'. They are saved in running config but can be removed by clearing the sticky learning. Both survive a reload if the config is saved.
Port security mitigates MAC flooding by limiting the number of MAC addresses per port, preventing an attacker from filling the CAM table from a single port. However, if an attacker spreads the attack across multiple ports (e.g., by compromising multiple devices), port security on each port limits the contribution, but the cumulative effect could still fill the CAM table if many ports have high maximums. Best practice is to set low maximums and use other features like DHCP snooping.
The default aging time is 300 seconds (5 minutes). This means that if no frame with that source MAC is seen for 5 minutes, the entry is removed. This helps free up space, but an attacker can keep sending frames to refresh the aging timer. Port security's maximum limit prevents the attacker from adding too many entries in the first place.
Use the command 'show port-security interface <interface>'. The output shows 'Total MAC Addresses' which is the number of secure MAC addresses currently learned. You can also use 'show port-security address' to list all secure MAC addresses across all ports.