How the Switch works
- Simply put, a switch learns source MAC addresses into its CAM table and forwards frames according to that table. Normally a host first sends an ARP request as a broadcast; the switch floods it out of every other port in the VLAN (learning the sender's MAC on the ingress port) and every host in the VLAN receives it. The target host answers with a unicast ARP reply, which the switch now delivers only to the requester's port, and from then on the data exchange is unicast as well. To a certain extent this keeps other hosts on the VLAN from sniffing the traffic, which is where the "security" of a switch comes from.
- Port-based forwarding (and the isolation it provides) therefore also depends entirely on the switching table, i.e. the CAM table.
Reference: each CAM table entry has a default lifetime (aging time) of 5 minutes (300 seconds on Cisco switches); entries that are not refreshed by new frames from that source MAC are removed.
Implementing Cisco IP Switched Networks (SWITCH) Foundation Learning Guide: Network Design Fundamentals
- The key point is that the CAM table has a limited capacity.
- Once the CAM table is full, the switch cannot learn any new source MAC addresses. A unicast frame whose destination MAC is not in the table is then flooded out of all other ports in the VLAN (unknown-unicast flooding), which defeats the port isolation a switch normally provides.
- The macof tool (part of the dsniff suite) sends a large number of frames with forged, random source MAC and IP addresses.
- This fills the switch's CAM table, so the switch floods unknown-unicast frames and the isolation is lost: an attacker on any port of the VLAN can capture traffic between other hosts. Caveat: entries that are already in the table stay there until they age out (5 minutes by default), so traffic to a host whose entry is still present is not flooded; the attacker has to keep flooding continuously so that the table is still full when the victims' entries expire.
Reference: MAC flooding: capturing unknown-unicast traffic and analysing FTP passwords
Countermeasure:
- Limit the number of MAC addresses each switch port is allowed to learn (enable port security). With a small per-port maximum the flood is stopped after a handful of forged addresses, long before the table fills, and the offending port can be shut down.
- The same policy also defends against DHCP starvation (exhaustion) attacks, because those likewise rely on one port sourcing frames from many spoofed MAC addresses. Caveat: this only helps when the attacker varies the Ethernet source MAC; if only the DHCP client hardware address (chaddr) is spoofed, DHCP snooping with MAC address verification is needed.
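To make the forwarding rules above concrete, the following simulation is an added example (not code from the original note) of a source-learning switch with a finite CAM table and aging. It runs a macof-style flood from one port and checks whether a unicast login from a client to an FTP server leaks to the attacker's port, first without port security and then with a per-port limit of two MAC addresses. The Switch class, the port names, the table capacity of 1024 and all MAC addresses are constructed for illustration.

```python
"""Simulated switch CAM table under a macof-style MAC flood, with and without
port security. Added example, not code from the original note; the Switch class,
port names, capacity and traffic below are all constructed for illustration."""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"
ATTACKER, CLIENT, SERVER = "Gi1/0/1", "Gi1/0/2", "Gi1/0/3"          # assumed port names
CLIENT_MAC, SERVER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"  # constructed MACs


class Switch:
    """Source-MAC learning switch; a CAM entry maps mac -> (port, last_seen)."""

    def __init__(self, ports, capacity, aging=300, max_per_port=None):
        self.ports = list(ports)
        self.capacity = capacity          # finite CAM table: the attacker's lever
        self.aging = aging                # seconds; Cisco default is 300 (5 min)
        self.max_per_port = max_per_port  # port-security limit; None = disabled
        self.cam = {}
        self.errdisabled = set()          # ports shut down by a port-security violation

    def _age(self, now):
        for mac in [m for m, (_, t) in self.cam.items() if now - t > self.aging]:
            del self.cam[mac]

    def _learn(self, src, port, now):
        if src in self.cam:               # known source: just refresh the timestamp
            self.cam[src] = (port, now)
            return
        if self.max_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.errdisabled.add(port)   # violation mode "shutdown"
                return
        if len(self.cam) < self.capacity:    # a full table simply learns nothing new
            self.cam[src] = (port, now)

    def forward(self, in_port, src, dst, now):
        """Return the egress ports for one frame (empty list = dropped)."""
        if in_port in self.errdisabled:
            return []
        self._age(now)
        self._learn(src, in_port, now)
        if in_port in self.errdisabled:      # this very frame triggered the violation
            return []
        entry = self.cam.get(dst)
        if dst == BROADCAST or entry is None:   # broadcast and unknown unicast are flooded
            return [p for p in self.ports if p != in_port and p not in self.errdisabled]
        return [] if entry[0] == in_port else [entry[0]]


def macof_burst(sw, n, now, seed=1):
    """macof-style burst: n frames with random source and destination MACs."""
    rng = random.Random(seed)

    def rand_mac():
        return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

    for _ in range(n):
        sw.forward(ATTACKER, rand_mac(), rand_mac(), now)


def run_scenario(max_per_port=None, capacity=1024):
    sw = Switch([ATTACKER, CLIENT, SERVER], capacity, max_per_port=max_per_port)
    # t=0: ARP request (broadcast) then a unicast reply; the reply must not reach the attacker
    sw.forward(CLIENT, CLIENT_MAC, BROADCAST, now=0)
    baseline_leak = ATTACKER in sw.forward(SERVER, SERVER_MAC, CLIENT_MAC, now=0)
    # t=1: the attacker floods far more addresses than the table can hold
    macof_burst(sw, capacity + 500, now=1)
    # t=400: the hosts' entries have aged out (idle > 300 s) and macof is still running
    macof_burst(sw, capacity + 500, now=400, seed=2)
    # t=401: client sends its FTP login; with a full table its MAC cannot be re-learned
    egress = sw.forward(CLIENT, CLIENT_MAC, SERVER_MAC, now=401)
    return {
        "baseline_leak": baseline_leak,
        "after_flood_leak": ATTACKER in egress,
        "cam_size": len(sw.cam),
        "errdisabled": sorted(sw.errdisabled),
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security (max 2):", run_scenario(max_per_port=2))
```

Without port security the login frame is flooded to the attacker's port once the victims' entries have aged out and the table is full of forged addresses; with a per-port maximum of two the attacker's port is error-disabled on its third forged address, the table never fills, and the same frame only reaches the server's port. The Cisco IOS equivalent of the limit used here is, per access port, `switchport port-security`, `switchport port-security maximum 2` and `switchport port-security violation shutdown`. Real CAM tables are organised in hash buckets, so a flood can exhaust individual buckets before the nominal capacity is reached; the simulation treats the table as a flat limit.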
[AQ] Switch principle/MACOF