
CCNA Exploration: LAN Switching and Wireless 

Chapter 2 Case Study

Objectives:

• Configure port security on access ports.

• Apply the monitor-session (SPAN) concept and its configuration.

Introduction:

Green Inc. is experiencing network problems. Helpdesk reports state that all switches frequently stop
forwarding frames.

Topology:

© 2009 Cisco Learning Institute


The Scenario:

As shown in the topology above, the Green network (designed by you) is based on the hierarchical model,
which is why many redundant links were created. You arrive at Green's main office and decide to take a
look in the wiring closet. The switches are in the non-forwarding state that was described over the phone. The
fact that the switches are showing the problem right now is good news; troubleshooting intermittent problems can
be frustrating.

Step 1 – Identifying the problem

All LEDs on the switches are flashing slowly and at the same frequency. Flashing LEDs are never a good
sign: they can indicate a hardware failure, a software failure or even an in-progress attack on the switch. Looking
at the switches, you have the feeling (yet to be confirmed) that the Green network is under attack. The suspicion of
an attack is not completely subjective, though. Based on the pattern of the flashing LEDs and on the
behavior of the switches (not forwarding frames), you suspect that some sort of attack is being performed.

You suspect a PC is running malicious software (like some kind of virus) which is attacking the switch.

It is very common for malicious software running on user PCs to generate a very high number of network
frames, each with a different source MAC address. Such frames, once they reach the switch, can overflow
its MAC forwarding table and keep it from operating correctly.

To test your hypothesis, you connect your laptop to Green's Access Switch 1 and, via the console port,
you configure port security on all switch ports. You adjust the parameters so that only 1
MAC address is allowed per port. With this feature enabled, the switch keeps track of the source MAC address of
every single frame that arrives on that port. If the source MAC address on a specific port changes more
times than the configured maximum allows, the switch shuts down that port. The commands to configure
port security are listed below:

Note: Make sure no trunk ports are included in the range of interfaces.

S1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 1
S1(config-if-range)# switchport port-security mac-address sticky
S1(config-if-range)# switchport port-security violation shutdown
S1(config-if-range)# end

This causes the switch to dynamically learn the source MAC address of the first frame that
enters the interface and store it in the running configuration (sticky learning). If a frame with a different source MAC
address then enters that interface (for example, when the malicious application changes the source MAC address to
confuse the switch), the switch treats it as a violation and shuts down the interface. Seeing more source MAC
addresses than the number specified in the maximum command is what defines a violation. By default a violation
puts the port in the error-disabled state, and the shutdown / no shutdown command sequence must be used on the
interface to bring it up again.
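The behavior just described, as an added example that is not part of the Cisco case study: a small model of a switch MAC table processing frames from one port, first without port security (the table fills up and new addresses can no longer be learned) and then with "maximum 1" in "violation shutdown" mode (the port goes err-disabled on the second source MAC and needs a manual no shutdown). The port name, MAC addresses and table capacity are constructed values.

```python
from collections import OrderedDict


class Switch:
    """Minimal model of dynamic MAC learning plus port security (constructed)."""

    def __init__(self, table_capacity, port_security=None):
        self.table_capacity = table_capacity
        self.port_security = port_security or {}  # port -> maximum source MACs
        self.mac_table = OrderedDict()             # mac -> port, learned dynamically
        self.sticky = {}                           # port -> set of secured MACs
        self.err_disabled = set()
        self.violations = []

    def receive(self, port, src_mac):
        """Process one ingress frame; return 'forward', 'table-full' or 'dropped'."""
        if port in self.err_disabled:
            return "dropped"  # a shut down port discards everything
        limit = self.port_security.get(port)
        if limit is not None:
            secured = self.sticky.setdefault(port, set())
            if src_mac not in secured:
                if len(secured) >= limit:
                    # more source MACs than 'maximum' is a violation;
                    # 'violation shutdown' puts the port in err-disabled
                    self.err_disabled.add(port)
                    self.violations.append((port, src_mac))
                    return "dropped"
                secured.add(src_mac)  # sticky learning of the first MAC
        if src_mac not in self.mac_table and len(self.mac_table) >= self.table_capacity:
            # table full: this source cannot be learned, so frames destined
            # to it will be flooded out every port (the symptom in the case)
            return "table-full"
        self.mac_table[src_mac] = port
        return "forward"

    def no_shutdown(self, port):
        """Operator recovery: clear err-disabled; sticky MACs are kept."""
        self.err_disabled.discard(port)


def run_flood(port_security, frames=20):
    """Send `frames` frames, each with a new source MAC, into fa0/11."""
    sw = Switch(table_capacity=8, port_security=port_security)
    results = [sw.receive("fa0/11", f"00:00:00:00:00:{i:02x}") for i in range(frames)]
    return sw, results
```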

For more information about port security refer to:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html

Right after you issue the port-security commands, the switch logs on your console window that port fa0/11
went down because of a port security violation. It looks like you were lucky and found the bad PC on the first
access switch you checked.

To confirm that this was the real cause, you decide to run a protocol analyzer. You remove all the port-security
configuration you just added and bring fa0/11 back up, because you don't want the switch to shut the port down
while the protocol analyzer is running.

Once the port is up and running again, you connect your laptop to a free port on S1 (port fa0/24, in this
case) and start the protocol analyzer Wireshark. Wireshark lets you see all the frames that are
mirrored to your port. If a computer is generating malicious traffic, you will be able to see it.
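What "seeing it" looks like in practice, as an added example that is not part of the Cisco case study: detection logic run over a constructed capture summary in the three-column form that tshark prints for frame.time_relative, eth.src and eth.dst. It counts distinct source MAC addresses per one-second window and flags windows that exceed a threshold, which is the MAC-flooding pattern the case describes. The addresses, timings and threshold are constructed values.

```python
from collections import defaultdict


def parse_capture(text):
    """Parse 'time src_mac dst_mac' lines into (time, src, dst) tuples."""
    frames = []
    for line in text.strip().splitlines():
        t, src, dst = line.split()
        frames.append((float(t), src.lower(), dst.lower()))
    return frames


def distinct_sources_per_window(frames, window=1.0):
    """Number of distinct source MACs seen in each `window`-second bucket."""
    seen = defaultdict(set)
    for t, src, _ in frames:
        seen[int(t // window)].add(src)
    return {w: len(macs) for w, macs in seen.items()}


def flag_mac_flooding(frames, window=1.0, threshold=20):
    """Return the windows whose distinct-source count exceeds `threshold`.

    A single access port normally shows one or a handful of source MACs;
    dozens of new ones per second is the table-overflow signature."""
    counts = distinct_sources_per_window(frames, window)
    return sorted(w for w, n in counts.items() if n > threshold)


def build_sample():
    """Constructed capture: one normal host, then a burst of forged sources."""
    # seconds 0-1: a normal host talking to its gateway (one source MAC)
    lines = [f"{i * 0.1:.3f} 00:1a:2b:00:00:01 00:1a:2b:00:00:fe"
             for i in range(10)]
    # seconds 1-2: 60 frames, each with a different forged source MAC
    lines += [f"{1.0 + i * 0.01:.3f} 02:{i:02x}:aa:bb:cc:dd ff:ff:ff:ff:ff:ff"
              for i in range(60)]
    return "\n".join(lines)


if __name__ == "__main__":
    sample = parse_capture(build_sample())
    print(distinct_sources_per_window(sample))
    print("flooding in windows:", flag_mac_flooding(sample))
```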

Question 1:

You connected your laptop to a switch. A switch splits the network into collision
domains, and it is correct to assume a separate collision domain per switch port. What must be done on
the switch so that a laptop can capture network packets through the switch, given that it splits the
network into many different collision domains?

Answer: You will have to enable a monitor session on the switch. A monitor session allows you to specify
a source port and a destination port. All traffic arriving on the source port is copied to the
destination port automatically. The commands are listed below:

SW1(config)# monitor session 1 source interface FastEthernet0/11
SW1(config)# monitor session 1 destination interface FastEthernet0/24

Notice that the destination port can’t forward frames while it is part of a monitor session.


Step 2 – Cleaning up and testing

You got it! Wireshark's output shows many frames with different source MAC addresses being injected into port
fa0/11. You check the port and learn that only one PC is connected to it. A quick look at the PC
reveals a program running in the background that is generating the fake MAC addresses.
These fake addresses are confusing the switch and keeping it from forwarding frames correctly.

You shut down the port once more and ask Green’s helpdesk staff to clean up the computer. Because the
PC was compromised, the best option when cleaning it up is to unplug it from the network, format the
hard disk, reinstall the operating system and software, install an anti-virus program and update it. Note: If
necessary a data backup must be done before formatting the PC.

Note: Sometimes it is important to know how the attacker gained control of the PC. In those cases the
PC must be unplugged from the network and analyzed before the clean-up.

While Green’s helpdesk is working on cleaning up the user PC, you decide to enable port security on all
ports once more to keep a major network operation interruption from happening again.
