CCNA Exploration: LAN Switching and Wireless  Chapter 2 Case Study

Objectives:
• Configure the port-security
• Enforce the monitor-session concept and configuration.

Introduction: Green Inc. is experiencing network problems. Helpdesk reports state that all switches frequently stop forwarding frames.


© 2009 Cisco Learning Institute


The Scenario: As shown in the topology above, the Green network (designed by you) is based on the hierarchical model. Because of that, many redundant links were created.

Step 1 – Identifying the problem
You get to Green's main office and decide to take a look in the wiring closet. The switches are in the non-forwarding problematic state described via phone. The fact that the switches are presenting the problem is good news, though: troubleshooting intermittent problems can be frustrating. All LEDs of the switches are flashing slowly and at the same frequency. Flashing LEDs are never a good sign: they could mean hardware failure, software failure or even an in-progress attack against the switch. Based on the pattern of the flashing LEDs and on the behavior of the switches (not forwarding frames), you suspect some sort of attack is being performed. Looking at the switches you have the feeling (yet to be confirmed) that the Green network is under attack. You suspect a PC is running malicious software (like some kind of virus) which is attacking the switch. The suspicion of an attack is not completely subjective. It is very common for malicious software running on user PCs to generate a very high number of network frames with different source MAC addresses. Such frames, once forwarded to the switch, could overload its MAC forwarding table and keep it from operating correctly.

To test your hypothesis, you connect your laptop to Green's Access Switch 1 and, via the console port, you configure port-security on all switch ports. You adjust the parameters in a way that only allows 1 MAC address per port. With this feature enabled, the switch keeps track of the source MAC address of every single frame which arrives on that port. If the source MAC address changes on a specific port more times than specified in the command, the switch shuts down that port.

The commands to configure port-security are listed below:
Note: Make sure no trunk ports are included in the range of interfaces.

S1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# interface range fastethernet 0/0 - 24
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 1
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end

This will cause the switch to dynamically learn the source MAC address of the first frame which enters the interface and store it in memory. If a different source MAC address enters that interface (when the application changes the source MAC address to confuse the switch), the switch treats it as a violation and shuts down the interface. A number of source MAC addresses bigger than the number specified in the command is called a violation. A violation leads to port shutdown by default, and the shutdown / no shutdown commands must be used to bring the interface back up. For more information about port-security refer to: http://www. ... .2/20ewa/configuration/guide/port_sec.html

Right after you issue the port-security commands, the switch logs on your console window that port fa0/11 went down because of a port-security violation. Looks like you were lucky and got the bad PC on the first access switch you checked. To ensure that was real, you decide to run a protocol analyzer program. You remove all the port-security configuration you just did and bring fa0/11 back up, because you don't want the switch to shut it down while the protocol analyzer is running. Once the port is up and running again, you connect your laptop to a free port on S1 (port fa0/24, in this case) and start a protocol analyzer program called Wireshark. Wireshark will allow you to see all packets flowing through network 1. If a computer is generating malicious traffic, you will be able to see it.

Question 1: You connected your laptop to a switch. A switch has the characteristic of splitting the network into collision domains, and it is correct to assume a different collision domain per switch port. What must be done in the switch to make it possible for a laptop to capture network packets through the switch, since it splits the network into many different collision domains?

Answer: You will have to enable a monitor session in the switch. A monitor session allows you to specify a source port and a destination port. All traffic arriving at the source port will be copied to the destination port automatically. The commands are listed below:

SW1(config)# monitor session 1 source interface FastEthernet0/11
SW1(config)# monitor session 1 destination interface FastEthernet0/24

Notice that the destination port can't forward frames while it is part of a monitor session.

Step 2 – Cleaning up and testing
You got it! Wireshark's output shows many frames with different MAC addresses being injected into port fa0/11. Such fake addresses are confusing the switch and keep it from correctly forwarding frames. You check the port and learn that only one PC is connected to that port. A quick look at the PC reveals that it has a program running in the background which is generating the fake MAC addresses. You shut down the port once more and ask Green's helpdesk staff to clean up the computer. Because the PC was compromised, the best option when cleaning it up is to unplug it from the network, format the hard disk, reinstall the operating system and software, install an anti-virus program and update it.
Note: If necessary, a data backup must be done before formatting the PC.
Note: Sometimes it is important to know how the attacker gained control of the PC. In those cases the PC must be unplugged from the network and analyzed before the clean-up.
While Green's helpdesk is working on cleaning up the user PC, you decide to enable port security on all ports once more to keep a major network operation interruption from happening again.
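Both the port-security behavior from Step 1 (sticky learning, maximum 1, violation shutdown) and the per-port source-MAC count that exposes fa0/11 in Wireshark in Step 2, modeled in Python as an added example that is not part of the case study: SAMPLE_FRAMES is a constructed capture, and the threshold of 10 distinct sources per port is an assumption.

```python
from collections import defaultdict

# Constructed sample of frames as the SPAN session delivers them to Wireshark, as
# (ingress port, source MAC). fa0/11 hosts the misbehaving PC; other ports carry one MAC each.
SAMPLE_FRAMES = (
    [("fa0/3", "00:1a:2b:3c:4d:01")] * 3
    + [("fa0/11", f"00:de:ad:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)]
    + [("fa0/7", "00:1a:2b:3c:4d:02")] * 5
)

class PortSecurity:
    """Model of 'switchport port-security maximum N' with sticky learning and violation shutdown."""
    def __init__(self, maximum=1):
        self.maximum = maximum
        self.learned = defaultdict(set)   # port -> sticky MAC addresses learned
        self.err_disabled = set()         # ports shut down after a violation

    def ingress(self, port, src_mac):
        """Return True if the frame is forwarded, False if dropped (port shut down)."""
        if port in self.err_disabled:
            return False
        macs = self.learned[port]
        if src_mac in macs:
            return True
        if len(macs) < self.maximum:
            macs.add(src_mac)             # sticky: the first MAC(s) seen are kept
            return True
        self.err_disabled.add(port)       # one MAC too many: violation -> shutdown
        return False

    def no_shutdown(self, port):
        """Operator recovery ('shutdown' then 'no shutdown'); sticky MACs are kept."""
        self.err_disabled.discard(port)

def distinct_sources(frames):
    """The analyst's Wireshark tally: distinct source MACs per ingress port."""
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items()}

def suspicious_ports(frames, threshold=10):
    """Ports with more distinct sources than one PC should produce (threshold assumed)."""
    return sorted(p for p, n in distinct_sources(frames).items() if n > threshold)

def run_port_security(frames, maximum=1):
    ps = PortSecurity(maximum)              # replay the frames; return (model, frames forwarded)
    forwarded = sum(ps.ingress(p, m) for p, m in frames)
    return ps, forwarded
```

Replaying the constructed capture leaves fa0/11 err-disabled after its second frame, while the single-MAC ports keep forwarding; re-enabling the port keeps the sticky address, so the next spoofed frame trips it again.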
