312-50V10 · Question #693
Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. In MAC flooding attack, a switch is fed with many Ethernet frames, each containing diff
The correct answer is A. Switch then acts as hub by broadcasting packets to all machines on the network. When a switch's CAM table is exhausted by a MAC flooding attack, the switch fails open and begins broadcasting frames out all ports, effectively behaving like a hub.
Question
Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch. In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full?
Exhibit
Options
- ASwitch then acts as hub by broadcasting packets to all machines on the network
- BThe CAM overflow table will cause the switch to crash causing Denial of Service
- CThe switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
- DEvery packet is dropped and the switch sends out SNMP alerts to the IDS port
How the community answered
(21 responses)- A86% (18)
- B10% (2)
- C5% (1)
Why each option
When a switch's CAM table is exhausted by a MAC flooding attack, the switch fails open and begins broadcasting frames out all ports, effectively behaving like a hub.
A switch uses the CAM table to make forwarding decisions by matching destination MAC addresses to specific ports. When the table is full, the switch cannot store new MAC-to-port mappings and defaults to flooding unknown-destination frames out every port - the same behavior as a hub. This allows an attacker on any port to capture traffic that would normally be unicast to a different segment.
The switch does not crash or enter a Denial of Service state; it continues to forward traffic but loses its ability to make intelligent unicast forwarding decisions, failing open rather than failing closed.
Switches do not rewrite outgoing frame MAC addresses to FF:FF:FF:FF:FF:FF; that address is the Layer 2 broadcast address used in broadcast frames, not a fallback written by the switch hardware.
Switches do not drop all packets and generate SNMP alerts on CAM overflow; dropping traffic would be a fail-closed behavior, which is the opposite of what actually occurs.
Concept tested: MAC flooding CAM table overflow switch behavior
Source: https://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/10601-port-sec.html
Topics
Community Discussion
No community discussion yet for this question.
