On a Cisco Catalyst Switch, are very specific microchips that are used to copy an Ethernet Frame one an ingress port to an Egress port based on SRC and DST MAC Address. Among one of the other functions of the CAM table is to store the MAC Address Table.
In a CAM Table Attack, the attacker attempts to flood the switch with bogus MAC addresses to exhaust the resources of the CAM table thus forcing the switch to forward receive on a given interface out ALL interfaces in the attached VLAN. This in turn gives the attacker the ability to capture and analyze traffic on his computer to gather information destined to computers other than his computer. For example, Server to Server communication or Client to Server communication that is unencrypted could easily be viewed by Wires hark in this type of attack.
Port Security is a layer 2 security features that limits Catalyst switch port(s) to only learn a configured amount of MAC addresses before triggering an administrative action such as disabling the port or restricting the port. When a switchport with port security configured with a maximum of 3 MAC Addresses receives a frame with a NEW SRC MAC address other than the 3 already known ones, it will trigger the administratively configured action.
By default this is to shut down the interface and place it into ERR-DISABLED mode.
First off you start out with the simple command switchport port-security. Keep in mind this command can only be executed on an access port so the interface must be set to switchport mode access.
Once port-security is enabled on the interface you can than configure the parameters as needed. To configure the maximum address limit per interface you’ll use the switchport port-security maximum 3 command whereas 3 is the limit.
There are three types of violation actions; shutdown, restrict and protect. The default action of a port-security violation is to shut down the interface into ERR-Disabled mode.
The restrict and protect actions perform the same function but the primary difference is that the security violation counter is incremented with restrict whereas it’s not with protect. Both Restrict and Protect will drop all frames from a SRC MAC address that violate port-security configuration.