312-50V9 · Question #594
Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?
The correct answer is A. The switches will drop into hub mode if the ARP cache is successfully flooded.. Macof floods a switch's CAM table with fake MAC addresses, causing it to fail open and forward all frames out every port like a hub.
Question
Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?
Options
- AThe switches will drop into hub mode if the ARP cache is successfully flooded.
- BIf the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks.
- CDepending on the switch manufacturer, the device will either delete every entry in its ARP cache or
- DThe switches will route all traffic to the broadcast address created collisions.
How the community answered
(32 responses)- A84% (27)
- B3% (1)
- C9% (3)
- D3% (1)
Why each option
Macof floods a switch's CAM table with fake MAC addresses, causing it to fail open and forward all frames out every port like a hub.
When Macof exhausts a switch's CAM table by flooding it with spoofed MAC addresses, the switch enters fail-open mode and begins broadcasting all frames to every port, effectively behaving as a hub. This exposes all network traffic to any host on the segment, enabling passive sniffing attacks.
There is no 'pix mode' on network switches - PIX is a legacy Cisco firewall product and has no relation to switch MAC flooding behavior.
Switches experiencing CAM table overflow do not selectively delete entries or vary behavior by manufacturer in this way; they uniformly enter fail-open mode and flood all ports with unknown unicast frames.
CAM table overflow does not redirect traffic to a broadcast address or generate collisions; it causes unicast frames with unknown destinations to be flooded to all switch ports.
Concept tested: MAC flooding attack causing switch fail-open hub mode
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html
Topics
Community Discussion
No community discussion yet for this question.