Week_7 - Network Security and Monitoring Part 2 Module

The document covers network security and monitoring, focusing on mitigating common LAN security attacks and configuring SNMP for network monitoring. It explains the importance of SPAN (Switched Port Analyzer) for traffic analysis and troubleshooting, detailing both Local and Remote SPAN configurations. Additionally, it highlights various security measures against Layer 2 vulnerabilities and the functionalities of SNMP in network management.

Uploaded by

igcasan.jc07

IT-6300 Data Communications and Networking 4

Week 7: Network Security and Monitoring Part 2

Cisco Switch Port Analyzer


Objectives
After completing this course, students will be able to:
• Explain how to mitigate common LAN security attacks.
• Describe common LAN security attacks.
• Explain how to use security best practices to mitigate LAN attacks.
• Configure SNMP to monitor network operations in a small to medium-sized business
  network.
• Explain how SNMP operates.
• Configure SNMP to compile network performance data.
• Troubleshoot a network problem using SPAN.
• Explain the features and characteristics of SPAN.
• Configure local SPAN.
• Troubleshoot suspicious LAN traffic using SPAN.

Introduction

A secure network is only as strong as its weakest link, and Layer 2 is potentially the weakest
link. Common Layer 2 attacks include CDP reconnaissance, Telnet exploitation, MAC address
table flooding, VLAN attacks, and DHCP-related attacks. Network administrators must know
how to mitigate these attacks, as well as how to secure administrative access using AAA and
port access using 802.1X.

Monitoring an operational network can provide a network administrator with information
to proactively manage the network and to report network usage statistics to others. Link
activity, error rates, and link status are a few of the factors that help a network administrator
determine the health and usage of a network. Collecting and reviewing this information over
time enables a network administrator to see and project growth, and may enable the
administrator to detect and replace a failing part before it completely fails. SNMP is
commonly used to collect device information.

Network traffic must be monitored for malicious traffic. Network administrators use port
analyzers and IPS devices to help with this task. However, the switched infrastructure does
not enable port mirroring by default. Cisco SPAN must be implemented to enable port
mirroring. This enables the switch to send duplicate traffic to port analyzers or IPS devices
for monitoring of malicious or questionable traffic.

This chapter covers common LAN security threats and how to mitigate them. It then covers
SNMP and how to enable it to monitor a network, and how to implement local SPAN to
capture and monitor traffic with port analyzers or IPS devices.

Data Communication and Networking 4



SPAN Overview

Port Mirroring
A packet analyzer (also known as a sniffer, packet sniffer, or traffic sniffer) is a valuable tool
to help monitor and troubleshoot a network. A packet analyzer is typically software that
captures packets entering and exiting a network interface card (NIC). For example,
Wireshark is a packet analyzer that is commonly used to capture and analyze packets on a
local computer.

What if a network administrator wanted to capture packets from many other key devices
and not just the local NIC? A solution is to configure networking devices to copy traffic
going to ports of interest and send it to a port connected to a packet analyzer. The
administrator could then analyze network traffic from various sources in the network.

However, the basic operation of a modern switched network prevents a packet analyzer from
capturing traffic from other sources. For instance, a user running Wireshark can only
capture traffic going to their own NIC; they cannot capture traffic between another host and
a server. This is because a Layer 2 switch populates its MAC address table from the source
MAC address and the ingress port of each Ethernet frame. After the table is built, the switch
forwards traffic destined for a MAC address only to the corresponding port, which prevents
a packet analyzer connected to another port on the switch from "hearing" other switch
traffic.

The solution to this dilemma is to enable port mirroring. The port mirroring feature allows
a switch to copy Ethernet frames from specific ports and send them to the destination port
connected to a packet analyzer. The original frame is still forwarded in the usual manner.
An example of port mirroring is shown in Figure 7.1. Notice how traffic between PC1 and
PC2 is also being sent to the laptop that has a packet analyzer installed.

Figure 7.1 Switch Frame Duplication for Packet Capture
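To make the switching behaviour described above concrete, here is an added example that is not part of the module: a small Python model of a Layer 2 switch with MAC learning and one local SPAN session. The port names, MAC addresses and the three-frame PC1/PC2 exchange are constructed for the demonstration. The model shows that once the MAC table is populated, the sniffer's port receives none of the PC1/PC2 unicast frames, and that a SPAN session delivers copies of them to the sniffer while the original frames still reach PC2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed port names and MAC addresses for the demonstration (hypothetical).
PC1, PC2, SNIFFER = "Fa0/1", "Fa0/2", "Fa0/3"
MAC1, MAC2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


@dataclass
class Switch:
    """Toy Layer 2 switch: learns source MACs, floods unknown unicast, and
    supports one local SPAN session (monitored ports -> one destination port)."""
    ports: Set[str]
    mac_table: Dict[str, str] = field(default_factory=dict)        # MAC -> port
    span_sources: Set[str] = field(default_factory=set)            # monitored ports
    span_dest: Optional[str] = None                                 # analyzer port
    delivered: Dict[str, List[Frame]] = field(default_factory=dict)  # port -> frames sent out of it

    def __post_init__(self) -> None:
        self.delivered = {p: [] for p in self.ports}

    def configure_span(self, sources: Set[str], dest: str) -> None:
        # Constraint from the text: the destination port cannot also be a source port.
        if dest in sources:
            raise ValueError("SPAN destination cannot also be a source port")
        self.span_sources, self.span_dest = set(sources), dest

    def receive(self, ingress: str, frame: Frame) -> None:
        # The destination port is no longer a normal switch port: frames the
        # analyzer sends into it are neither learned nor forwarded.
        if ingress == self.span_dest:
            return
        # MAC learning: remember which port the source address was seen on.
        self.mac_table[frame.src] = ingress
        # Known destination -> exactly one egress port; unknown -> flood.
        if frame.dst in self.mac_table:
            egress = {self.mac_table[frame.dst]}
        else:
            egress = self.ports - {ingress}
        egress -= {self.span_dest}   # normal forwarding never uses the SPAN destination
        for port in egress:
            self.delivered[port].append(frame)
        # SPAN: copy frames entering (rx) or leaving (tx) a monitored port.
        if self.span_dest and (ingress in self.span_sources or egress & self.span_sources):
            self.delivered[self.span_dest].append(frame)


def conversation() -> List:
    """Constructed three-frame exchange between PC1 and PC2."""
    return [
        (PC1, Frame(MAC1, MAC2, "PC1 -> PC2: request")),  # PC2 not yet learned: flooded
        (PC2, Frame(MAC2, MAC1, "PC2 -> PC1: reply")),    # PC1 learned: single egress port
        (PC1, Frame(MAC1, MAC2, "PC1 -> PC2: data")),     # PC2 learned: single egress port
    ]


def run_conversation(use_span: bool) -> Switch:
    """Replay the exchange through a fresh switch, optionally with PC1's port mirrored."""
    sw = Switch(ports={PC1, PC2, SNIFFER})
    if use_span:
        sw.configure_span(sources={PC1}, dest=SNIFFER)
    for ingress, frame in conversation():
        sw.receive(ingress, frame)
    return sw


def payloads_out(sw: Switch, port: str) -> List[str]:
    """Payloads of the frames the switch transmitted out of the given port."""
    return [f.payload for f in sw.delivered[port]]


if __name__ == "__main__":
    print("without SPAN, sniffer sees:", payloads_out(run_conversation(False), SNIFFER))
    print("with SPAN,    sniffer sees:", payloads_out(run_conversation(True), SNIFFER))
```

Without SPAN the sniffer only sees the first frame, which was flooded because PC2's address had not been learned yet; with a session monitoring Fa0/1 it receives copies of all three frames while PC2 still receives exactly the frames addressed to it.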


Analyzing Suspicious Traffic


The Switched Port Analyzer (SPAN) feature on Cisco switches is a type of port mirroring that
sends copies of the frames entering a port out another port on the same switch. SPAN allows
administrators or devices to collect and analyze traffic.

As shown in Figure 7.2, SPAN is commonly implemented to deliver traffic to specialized
devices, including:

• Packet analyzers – Using software such as Wireshark to capture and analyze traffic for
  troubleshooting purposes. For example, an administrator can capture traffic destined to a
  server to troubleshoot the sub-optimal operation of a network application.
• Intrusion Prevention Systems (IPSs) – IPSs are focused on the security aspect of traffic and
  are implemented to detect network attacks as they happen, issuing alerts or even blocking
  the malicious packets as the attack takes place. IPSs are typically deployed as a service on an
  ISR G2 router or using a dedicated device.

Figure 7.2 Implementing Cisco SPAN

While packet analyzers are commonly used for troubleshooting purposes, an IPS looks for
specific patterns in traffic. As the traffic flows through the IPS, it analyzes traffic in real-time
and takes action upon the discovery of malicious traffic patterns.

Modern networks are switched environments. Therefore, SPAN is crucial for effective IPS
operation. SPAN can be implemented as either Local SPAN or Remote SPAN (RSPAN).
Local SPAN
Local SPAN is when traffic on a switch is mirrored to another port on that switch. Various
terms are used to identify incoming and outgoing ports. The table in Figure 7.3 describes
commonly used SPAN terms. Figure 7.4 identifies the SPAN ports.


Figure 7.3 SPAN Terminology

Figure 7.4 SPAN Ports

A SPAN session is the association between source ports (or VLANs) and a destination port.
Traffic entering or leaving the source port (or VLAN) is replicated by the switch on the
destination port. Although SPAN can support multiple source ports under the same session
or an entire VLAN as the traffic source, a SPAN session does not support both. Both Layer 2
and Layer 3 ports can be configured as source ports.

There are three important things to consider when configuring SPAN:

• The destination port cannot be a source port, and the source port cannot be a destination
  port.
• The number of destination ports is platform-dependent. Some platforms allow for more than
  one destination port.
• The destination port is no longer a normal switch port. Only monitored traffic passes through
  that port.

The SPAN feature is said to be local when the monitored ports are all located on the same
switch as the destination port. This feature is in contrast to Remote SPAN (RSPAN).

Remote SPAN
Remote SPAN (RSPAN) allows source and destination ports to be in different switches.
RSPAN is useful when the packet analyzer or IPS is on a different switch than the traffic being
monitored.

The table in Figure 7.5 describes RSPAN terms.

Figure 7.5 RSPAN Terminology

Figure 7.6 RSPAN Ports


Figure 7.6 illustrates how RSPAN is forwarded between two switches. Notice how RSPAN
extends SPAN by enabling remote monitoring of multiple switches across the network.

RSPAN uses two sessions. One session is used as the source and one session is used to copy
or receive the traffic from a VLAN. The traffic for each RSPAN session is carried over trunk
links in a user-specified RSPAN VLAN that is dedicated (for that RSPAN session) in all
participating switches.

SPAN Configuration

Configuring Local SPAN
The SPAN feature on Cisco switches sends a copy of each frame entering the source port out
the destination port and toward the packet analyzer or IPS. A session number is used to
identify a local SPAN session.

Figure 7.7 Cisco SPAN Configuration Commands

Figure 7.7 shows the syntax of the monitor session global configuration command. This
command is used to associate a source port and a destination port with a SPAN session. A
separate monitor session command is used for each session. A VLAN can be specified instead
of a physical port.

Figure 7.8 Cisco SPAN Configuration

For example, in Figure 7.8, PCA is connected to F0/1 and a computer with a packet analyzer
application is connected to F0/2. The objective is to capture all the traffic that is sent or
received by PCA on port F0/1 and send a copy of those frames to the packet analyzer (or IPS)
on port F0/2. The SPAN session on the switch will copy all the traffic that it sends and
receives on source port F0/1 to the destination port F0/2.
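The following Python is an added example, not code from the module or from Cisco: it checks a proposed local SPAN session against the constraints stated above (the destination is not also a source, source ports and a source VLAN are not mixed in one session, and the platform's destination-port limit is respected) and then renders the IOS monitor session commands for the Figure 7.8 scenario. The SpanSession class, its method names and the destination-port limit passed by the caller are assumptions of this example; the interface names are spelled out in full (FastEthernet0/1) rather than abbreviated.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class SpanSession:
    """Intended local SPAN session: sources (ports or VLANs) and destination port(s)."""
    number: int
    source_ports: List[str] = field(default_factory=list)
    source_vlans: List[int] = field(default_factory=list)
    destination_ports: List[str] = field(default_factory=list)
    direction: str = "both"   # rx, tx or both (traffic entering and leaving the source)

    def validate(self, max_destinations: int = 1) -> List[str]:
        """Return the constraint violations; an empty list means the session is acceptable.
        max_destinations is platform-dependent and supplied by the caller (assumed 1)."""
        problems = []
        if self.source_ports and self.source_vlans:
            problems.append("a session cannot use both source ports and a source VLAN")
        if not (self.source_ports or self.source_vlans):
            problems.append("no source configured")
        if not self.destination_ports:
            problems.append("no destination port configured")
        if len(self.destination_ports) > max_destinations:
            problems.append(
                f"too many destination ports for this platform (max {max_destinations})")
        for port in self.destination_ports:
            if port in self.source_ports:
                problems.append(f"{port} cannot be both a source and the destination")
        if self.direction not in ("rx", "tx", "both"):
            problems.append(f"unknown direction {self.direction!r}")
        return problems

    def to_ios(self, max_destinations: int = 1) -> List[str]:
        """Render the global-configuration commands, refusing an invalid session."""
        problems = self.validate(max_destinations)
        if problems:
            raise ValueError("; ".join(problems))
        cmds = []
        for port in self.source_ports:
            cmds.append(f"monitor session {self.number} source interface {port} {self.direction}")
        for vlan in self.source_vlans:
            cmds.append(f"monitor session {self.number} source vlan {vlan} {self.direction}")
        for port in self.destination_ports:
            cmds.append(f"monitor session {self.number} destination interface {port}")
        return cmds


def figure_7_8_session() -> List[str]:
    """The scenario from the text: PCA on F0/1 is monitored, the analyzer is on F0/2."""
    session = SpanSession(1, source_ports=["FastEthernet0/1"],
                          destination_ports=["FastEthernet0/2"])
    return session.to_ios()


if __name__ == "__main__":
    for cmd in figure_7_8_session():
        print(cmd)
    bad = SpanSession(2, source_ports=["FastEthernet0/1"], destination_ports=["FastEthernet0/1"])
    print("rejected:", bad.validate())
```

Validating the intended session before it is typed in catches the mistakes the text warns about, in particular choosing the same port as source and destination, and the rendered commands can be pasted into global configuration mode.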


Verifying Local SPAN


The show monitor command is used to verify the SPAN session. The command displays the
type of the session, the source ports for each traffic direction, and the destination port.

Figure 7.9 Cisco SPAN Verification

In the example shown in Figure 7.9, the session number is 1, the source port for both traffic
directions is F0/1, and the destination port is F0/2. Ingress is disabled on the destination
port, meaning that F0/2 only transmits the mirrored copies and does not accept frames sent
into it by the attached analyzer.
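As an added example (not from the module), the Python below parses show monitor output and checks it against the intended session. The sample output is constructed in the layout Cisco IOS uses for this command and reflects the Figure 7.9 description (session 1, source F0/1 in both directions, destination F0/2, ingress disabled); the function names and the list of checks are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample of 'show monitor' output, laid out as IOS prints it.
SAMPLE_SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1
Destination Ports      : Fa0/2
    Encapsulation      : Native
          Ingress      : Disabled
"""


def parse_show_monitor(text: str) -> List[Dict]:
    """Turn 'show monitor' text into one dict per session."""
    sessions: List[Dict] = []
    current = None
    in_sources = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"}:      # skip blanks and the dashed underline
            continue
        m = re.match(r"^Session (\d+)$", line)
        if m:
            current = {"session": int(m.group(1)), "sources": {}, "destinations": []}
            sessions.append(current)
            in_sources = False
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        indented = line.startswith(" ")
        if key == "Source Ports":
            in_sources = True                    # direction lines follow, indented
            continue
        if in_sources and indented:
            # e.g. "    Both : Fa0/1" or "    RX Only : Fa0/3,Fa0/4"
            current["sources"][key.lower()] = [p.strip() for p in value.split(",") if p.strip()]
            continue
        in_sources = False
        if key == "Destination Ports":
            current["destinations"] = [p.strip() for p in value.split(",") if p.strip()]
        elif key == "Type":
            current["type"] = value
        elif key == "Ingress":
            current["ingress"] = value
        elif key == "Encapsulation":
            current["encapsulation"] = value
    return sessions


def verify_session(session: Dict, expected_sources: List[str], expected_dest: str) -> List[str]:
    """Compare a parsed session with the intended one; an empty list means it matches."""
    findings = []
    monitored = sorted(p for ports in session["sources"].values() for p in ports)
    if monitored != sorted(expected_sources):
        findings.append(f"source mismatch: {monitored} vs expected {expected_sources}")
    if session.get("destinations") != [expected_dest]:
        findings.append(f"destination mismatch: {session.get('destinations')} vs expected {[expected_dest]}")
    if "both" not in session["sources"]:
        findings.append("sources are not monitored in both directions")
    if session.get("ingress", "").lower() != "disabled":
        findings.append("ingress is enabled on the destination port; analyzer frames would enter the switch")
    if expected_dest in monitored:
        findings.append("destination port is also a source port")
    return findings


def check_figure_7_9() -> List[str]:
    """Verify the constructed sample against the session described in the text."""
    sessions = parse_show_monitor(SAMPLE_SHOW_MONITOR)
    return verify_session(sessions[0], ["Fa0/1"], "Fa0/2")


if __name__ == "__main__":
    print(parse_show_monitor(SAMPLE_SHOW_MONITOR))
    print("findings:", check_figure_7_9())
```

Running the check after configuration confirms that the switch applied the session you intended, and the same parser can be pointed at the output of other switches to spot a session whose destination port has been left with ingress enabled or whose sources do not match the change record.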

SPAN as a Troubleshooting Tool


Troubleshooting with SPAN Overview
SPAN allows administrators to troubleshoot network issues. For example, a network
application may be taking too long to execute tasks. To investigate, a network administrator
may use SPAN to duplicate and redirect traffic to a packet analyzer such as Wireshark. The
administrator can then analyze the traffic from all devices to troubleshoot sub-optimal
operation of the network application.


Figure 7.10 Troubleshooting with SPAN Overview

Older systems with faulty NICs can also cause issues. If SPAN is enabled on a switch to send
traffic to a packet analyzer, a network technician can detect and isolate the end device
causing the excess traffic, as shown in Figure 7.10.

Summary

At Layer 2, a number of vulnerabilities exist that require specialized mitigation techniques:

• MAC address table flooding attacks are addressed with port security.
• VLAN attacks are controlled by disabling DTP and following basic guidelines for configuring
  trunk ports.
• DHCP attacks are addressed with DHCP snooping.

The SNMP protocol has three elements: the Manager, the Agent, and the MIB. The SNMP
manager resides on the NMS, while the Agent and the MIB are on the client devices. The
SNMP Manager can poll the client devices for information, or it can use a TRAP message that
tells a client to report immediately if the client reaches a particular threshold. SNMP can also
be used to change the configuration of a device. SNMPv3 is the recommended version
because it provides security. SNMP is a comprehensive and powerful remote management
tool. Nearly every item available in a show command is available through SNMP.

Switched Port Analyzer (SPAN) is used to mirror the traffic going to and/or coming from the
host. It is commonly implemented to support traffic analyzers or IPS devices.


References and Supplementary Materials

Books and Journals
1. Bob Vachon and Allan Johnson; 2018; Connecting Networks v6 Companion Guide; 800 East 96th Street, Indianapolis, IN 46240 USA; Cisco Press.
2. Rick Graziani and Allan Johnson; 2017; Introduction to Networks v6 Companion Guide; 800 East 96th Street, Indianapolis, IN 46240 USA; Cisco Press.

Online Supplementary Reading Materials
1. CCNA Routing and Switching: Connecting Networks; www.netacad.com; Oct 14, 2019

Online Instructional Videos
1. CISCO CCNA 4 CONNECTING NETWORKS; https://www.youtube.com/watch?v=weOirQq27xE&list=PL452256E1D4CDA875; Oct 14, 2019
