Does a MAC flooding attack defeat vlans?

queequeg
Level 1

I'm a little confused about mac flooding attacks and VLANs.  It would seem to me that flooding attacks should only be able to turn a vlan into a hub rather than the entire switch.  Even if you cause the CAM table to fill up with fake mac addresses shouldn't the switch know to not send traffic to ports that aren't from the flooding interfaces VLAN?


So if ports 1 and 2 are in VLAN 10 and ports 3 and 4 are in VLAN 11 and port 1 has an attacker on it that runs a mac address flooding script shouldn't only ports 1 and 2 be turned into a hub?

8 Replies

Richard Burts
Hall of Fame

Perhaps there is something in your question and your scenario that I am not understanding. But it seems to me that part of the issue is that if an attacker on port 1 has filled the mac address table that then the switch would have problems in attempting to add mac addresses legitimately learned on ports 3 and 4 into the mac address table. So the attack in vlan 10 could have impact on vlan 11.

HTH

Rick

But why doesn't the switch know that ports 1 and 2 can't talk to ports 3 and 4?  You shouldn't be able to get a frame from port 1 to port 3 without routing if they are really in different broadcast domains. 


I'm not trying to assert knowledge.  I just feel like I'm missing something and that can really hang up my learning process.  This question is revealing my ignorance but unfortunately, I'm not able to ask a more direct question.


I guess I was thinking that VLANs are more robust than they actually are.  

I am somewhat puzzled about your response. Yes the switch does know that ports 1 and 2 can not talk to ports 3 and 4 without something supplying routing. The problem that I am suggesting does not have anything to do with ports 1 or 2 talking to ports 3 or 4. The mac address table is a table maintained in a finite amount of memory. When the table is full then it is full for every vlan. It does not matter how many entries were from vlan 10 and how many entries from vlan 11. There is not an allocation of so much space for vlan 10 and so much space for vlan 11. If vlan 10 has used up the available space then vlan 11 gets impacted by not being able to add any entries to the table, which will cause flooding of traffic in vlan 11 as well as in 10.

HTH

Rick

OK, I think I'm getting closer to figuring out what I'm missing.


I guess my question is "Does a MAC flooding attack cause leaks between VLANs?"   Does the flood cause frames from one VLAN to be seen in another VLAN or does it only cause each VLAN to behave like a hub?


Do you see what I mean?  In one situation each VLAN basically becomes a hub.  In the other situation, the switch itself starts acting like a hub.  I think that is what I'm not getting.

No, a flooding attack does not cause frames from one VLAN to leak into another VLAN. The VLAN boundary is maintained.

HTH

Rick
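The two points Rick makes above (one finite MAC table shared by every VLAN, and flooding that stays inside each VLAN) can be checked with a toy learning switch. This is an added model, not code from the thread or from any vendor; the ToySwitch class, the port-to-VLAN layout, the table size and the MAC addresses are all constructed.

```python
# Toy learning switch: one finite MAC table shared by all VLANs, with
# forwarding decisions scoped per VLAN. Constructed model for illustration.

class ToySwitch:
    def __init__(self, port_vlan, table_size):
        self.port_vlan = port_vlan      # port number -> access VLAN
        self.table = {}                 # (vlan, mac) -> port
        self.table_size = table_size    # finite memory shared by every VLAN

    def forward(self, in_port, src, dst):
        """Learn src if there is room, then return the set of egress ports."""
        vlan = self.port_vlan[in_port]
        if (vlan, src) not in self.table and len(self.table) < self.table_size:
            self.table[(vlan, src)] = in_port    # learning silently fails when full
        out = self.table.get((vlan, dst))
        if out is not None and out != in_port:
            return {out}                          # known unicast: one port
        # Unknown unicast or broadcast: flood, but only to ports in this VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


def run_scenario(attack):
    """Ports 1-2 in VLAN 10, ports 3-5 in VLAN 11; a flooder sits on port 1."""
    sw = ToySwitch({1: 10, 2: 10, 3: 11, 4: 11, 5: 11}, table_size=8)
    attacker_egress = set()
    if attack:
        for i in range(100):   # bogus sources from VLAN 10 fill the shared table
            attacker_egress |= sw.forward(1, f"02:00:00:00:00:{i:02x}",
                                          "ff:ff:ff:ff:ff:ff")
    h3, h4 = "00:11:11:11:11:03", "00:11:11:11:11:04"   # two hosts in VLAN 11
    sw.forward(3, h3, h4)            # h3's first frame; h4 not yet known
    reply = sw.forward(4, h4, h3)    # one port if h3 was learned, else a VLAN flood
    return {"attacker_egress": attacker_egress,
            "reply_egress": reply,
            "table_entries": len(sw.table)}


if __name__ == "__main__":
    print("no attack :", run_scenario(attack=False))
    print("under attack:", run_scenario(attack=True))
```

With the table full, the VLAN 11 reply is flooded to every other VLAN 11 port (hub-like behaviour), yet neither it nor any attacker frame ever reaches a VLAN 10 port; an unexpectedly high unknown-unicast or MAC-table-utilisation count is the signal a defender would watch for.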

Thanks again for helping me work through to find the detail I wasn't understanding. 

And thanks for the responses by the way.  I'm sorry it is taking me a while to get this.

I am glad that my explanations have been helpful. These communities are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick