Switches operate at Layer 2, using MAC addresses to forward frames only to the intended port. When the hardware tables that map MACs to ports are overwhelmed or manipulated, the switch degrades into a hub, broadcasting all traffic.
The Content Addressable Memory (CAM) table that holds MAC-to-port mappings has a finite size. By generating thousands of frames with fake source MAC addresses, an attacker fills the table so that legitimate addresses can no longer be learned. The switch then enters 'fail-open' mode, flooding frames for unknown destinations out of all ports, which enables sniffing from any port.
💡 Pro-tip: Port Security limits the number of MAC addresses allowed on a single switch port. Once the limit is reached, the port shuts down or drops unauthorized frames.
```
! Cisco IOS Port Security Configuration (interface name is an example)
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
```

This configuration allows at most two MAC addresses on the port. A MAC flooding tool like macof, which sources frames from many different MAC addresses, will immediately trigger a violation and disable the port.
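The following toy model is an added example, not code from the original page or from any vendor: it simulates a switch with a finite CAM table and shows both the fail-open flooding described above and the effect of a Port Security limit of two MAC addresses per port with violation shutdown. Table sizes, port numbers and MAC addresses are all constructed.

```python
"""Toy CAM-table model of a Layer 2 switch, with and without Port Security."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Switch:
    ports: int
    cam_capacity: int               # finite hardware table size (constructed)
    max_macs_per_port: Optional[int]  # Port Security 'maximum'; None = not configured
    cam: dict = field(default_factory=dict)          # MAC -> port
    err_disabled: set = field(default_factory=set)   # ports shut down by a violation
    violations: list = field(default_factory=list)

    def learn(self, src, port):
        """Learn src MAC on port; return False if the frame must be dropped."""
        if port in self.err_disabled:
            return False
        if self.max_macs_per_port is not None and src not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:   # e.g. third MAC on a 'maximum 2' port
                self.violations.append((port, src))
                self.err_disabled.add(port)         # 'violation shutdown'
                return False
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # else: table full, new MAC is not learned (real switches also age entries out)
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for one frame."""
        if not self.learn(src, in_port):
            return set()                             # dropped
        if dst in self.cam:
            return {self.cam[dst]} - {in_port}       # known destination: unicast
        return set(range(self.ports)) - {in_port} - self.err_disabled  # unknown: flood

def demo(port_security):
    """Two hosts talk, then port 2 spews 20 constructed source MACs."""
    sw = Switch(ports=4, cam_capacity=8, max_macs_per_port=2 if port_security else None)
    a, b, c = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    sw.forward(a, b, 0); sw.forward(b, a, 1)
    for i in range(20):                              # constructed flood from port 2
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 2)
    sw.forward(c, a, 3)                              # new legitimate host on port 3
    return {"cam_entries": len(sw.cam), "port2_down": 2 in sw.err_disabled,
            "a_to_c_egress": sw.forward(a, c, 0)}    # flooded or unicast?

if __name__ == "__main__":
    print("no port security:", demo(False))  # a_to_c_egress floods to {1, 2, 3}
    print("port security:   ", demo(True))   # a_to_c_egress is {3}, port 2 down
```

Without Port Security the table fills with bogus entries, host C is never learned, and A's reply to C is flooded to every port including the one the noise came from; with the limit in place the third bogus MAC shuts port 2 down and the reply stays unicast.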
STP prevents Layer 2 loops. An attacker can plug in a rogue switch and broadcast superior Bridge Protocol Data Units (BPDUs), tricking the network into electing the attacker's device as the Root Bridge, intercepting all traffic.
⚠️ Always enable BPDU Guard on edge ports. This instantly disables a port if it receives a BPDU, preventing rogue switches from altering the STP topology.
| Attack | Target | Mitigation |
|---|---|---|
| MAC Flood | CAM Table | Port Security |
| STP Hijack | Root Bridge | BPDU Guard |
| VLAN Hopping | 802.1Q Trunks | Disable DTP |