Chapter 5 Network Security and Monitoring.pdf
9/3/2024 Connecting Networks v6.0 Chapter 5 Network Security and Monitoring H.Swaih

Chapter 5 - Sections & Objectives

5.1 LAN Security
Explain how to mitigate common LAN security attacks.
- Describe common LAN security attacks.
- Explain how to use security best practices to mitigate LAN attacks.

5.2 SNMP
Configure SNMP to monitor network operations in a small to medium-sized business network.
- Explain how SNMP operates.
- Configure SNMP to compile network performance data.

5.3 Cisco Switch Port Analyzer (SPAN)
Troubleshoot a network problem using SPAN.
- Explain the features and characteristics of SPAN.
- Configure local SPAN.
- Troubleshoot suspicious LAN traffic using SPAN.

LAN Security

LAN Security Attacks - Common LAN Attacks
Common security solutions using routers, firewalls, Intrusion Prevention Systems (IPSs), and VPN devices protect Layer 3 up through Layer 7. Layer 2 must also be protected. Common Layer 2 attacks include:
- CDP Reconnaissance Attack
- Telnet Attacks
- MAC Address Table Flooding Attack
- VLAN Attacks
- DHCP Attacks

LAN Security Best Practices - Secure the LAN
Strategies to help secure Layer 2 of a network:
- Always use secure variants of protocols such as SSH, SCP, and SSL.
- Use strong passwords and change them often.
- Enable CDP on select ports only.
- Use a dedicated management VLAN.
- Use ACLs to filter unwanted access.

Layer 2 security features:
- IP Source Guard (IPSG) prevents MAC and IP address spoofing. IPSG binds a host's IP address to its MAC address and filters packets based on this binding.
- Dynamic ARP Inspection (DAI) prevents ARP spoofing and poisoning.
- DHCP snooping prevents DHCP starvation and spoofing.
- Port Security prevents many attacks, including MAC address flooding and DHCP starvation.

SCP (Secure Copy): SCP should be used instead of the insecure FTP or TFTP protocols for securely copying files. The secure alternative to SCP is SFTP (Secure File Transfer Protocol).
SSL/TLS (Secure Sockets Layer/Transport Layer Security): SSL/TLS should be used to secure web-based applications and services, instead of using plain HTTP.

LAN Security Attacks - CDP Reconnaissance Attack
The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 link discovery protocol, enabled by default. CDP can automatically discover other CDP-enabled devices. CDP information can be used by an attacker. A CDP flood attack can fill the table with bogus entries, causing the CPU to peak; the device may reboot.
- Use the no cdp run global configuration command to disable CDP globally.
- Use the no cdp enable interface configuration command to disable CDP on a port.

show cdp neighbors Command
    R1# show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay

    Device ID   Local Intrfce   Holdtme   Capability   Platform    Port ID
    S1          Gig 0/1         134       S I          WS-C2960-   Fas 0/5

    Total cdp entries displayed : 1
    R1#
Holdtime: the amount of time (in seconds) that the R1 router will hold the CDP information about the neighboring device before discarding it if no new CDP updates are received.
Capability: when the Capability code for a neighboring device is "S I", the device has the following capabilities:
- S - Switch
- I - IGMP (Internet Group Management Protocol), a communications protocol used by network devices to manage the membership of IP multicast groups.
- Together this indicates that the neighboring device is a switch that supports the IGMP protocol.

show cdp neighbors detail: this command provides more detailed information about the CDP neighbors.
    R1# show cdp neighbors detail
    -------------------------
    Device ID: S1
    Entry address(es):
      IP address: 192.168.1.10
    Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
    Interface: GigabitEthernet0/1,  Port ID (outgoing port): FastEthernet0/5
    Holdtime : 151 sec

    Version :
    Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE7, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2014 by Cisco Systems, Inc.
    Compiled Thu 23-Oct-14 14:49 by prod_rel_team

    advertisement version: 2
    Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF0000000000000CD996E23D00FF0000
    VTP Management Domain: ''
    Native VLAN: 1
    Duplex: full
    Management address(es):
      IP address: 192.168.1.10

    Total cdp entries displayed : 1
    R1#
The output includes the following additional information for each neighbor:
- Device address(es)
- Interface type and description
- Native VLAN
- Duplex mode
- VTP management domain
- Appliance ID, software version, and device type

LAN Security Attacks - Telnet Attacks
There are two types of Telnet attacks:
- Brute Force Password Attack - a trial-and-error method used to obtain the administrative password.
- Telnet DoS Attack - the attacker continuously requests Telnet connections in an attempt to render the Telnet service unavailable.
To mitigate these attacks:
- Use SSH.
- Use strong passwords that are changed frequently.
- Limit access to the vty lines using an access control list (ACL).
- Use AAA with either the TACACS+ or RADIUS protocol.
Note: Implementing AAA (Authentication, Authorization, and Accounting) with either TACACS+ or RADIUS can help secure network access and provide centralized control over user management.

LAN Security Attacks - MAC Address Table Flooding Attack
A common LAN switch attack is the MAC address table flooding attack.
- An attacker sends fake source MAC addresses until the switch MAC address table is full and the switch is overwhelmed.
- Some network attack tools can generate 155,000 MAC entries per minute. (A "typical" switch can store 4,000 to 8,000 MAC entries.)
- The switch is then in fail-open mode and broadcasts all frames, allowing the attacker to capture those frames.
Configure port security to mitigate these attacks.

LAN Security Best Practices - Mitigate MAC Address Table Flooding Attacks
Enabling Port Security to limit the number of valid MAC addresses allowed on a port helps prevent MAC table flooding attacks. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied. Any additional attempts to connect by unknown MAC addresses generate a security violation.
- By default, the port will shut down if the wrong device connects.
  - It has to be brought up again manually.
Secure MAC addresses can be configured in a number of ways:
- Static secure MAC addresses
- Dynamic secure MAC addresses
- Sticky secure MAC addresses

CAM Table Operation
PC-A pings 192.168.1.11. Eventually the CAM table is complete:
    Port    MAC               VLAN
    Fa0/1   000a.f38e.74b3    1
    Fa0/2   00d0.ba07.8499    1
    Fa0/3   0090.0c23.ceca    1
    Fa0/4   0001.9717.22e0    1

    S1# show mac-address-table
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0001.9717.22e0    DYNAMIC     Fa0/4
       1    000a.f38e.74b3    DYNAMIC     Fa0/1
       1    0090.0c23.ceca    DYNAMIC     Fa0/3
       1    00d0.ba07.8499    DYNAMIC     Fa0/2
    S1#

CAM Table Attack
Solution: port security.
Bogus MAC addresses are added to the CAM table, which eventually becomes full. The intruder runs macof to begin sending bogus MAC addresses (T, U, V, X, Y, Z, ... in the figure). Macof can flood a switch with up to 8,000 bogus frames per second, creating a CAM table overflow attack in a matter of a few seconds. Legitimate frames going to server 2 and 4 are now flooded out all ports, including Fa0/25. The intruder now sees frames intended for server 2 and 4.
    Port     MAC   VLAN
    Fa0/25   T     1
    Fa0/25   U     1
    Fa0/25   V     1
    Fa0/25   X     1
    Fa0/25   Y     1
    Fa0/25   Z     1
    Fa0/25   ...   1

Configuration: Sticky Secure MAC Address
    S1(config)# interface FastEthernet0/1
    S1(config-if)# switchport mode access
- Sets the interface mode as access; an interface in the default mode (dynamic) cannot be configured as a secure port.
    S1(config-if)# switchport port-security
- Enables port security on the interface.
    S1(config-if)# switchport port-security maximum ?
      Maximum addresses          ! the default is 1
    S1(config-if)# switchport port-security maximum 4
- (Optional) Sets the maximum number of secure MAC addresses for the interface.
    S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
- (Optional) Enters a static secure MAC address for the interface; repeat the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
    S1(config-if)# switchport port-security mac-address sticky
- Enables sticky learning on the interface.
    S1(config-if)# switchport port-security violation shutdown
- (Optional) Sets the violation mode {protect | restrict | shutdown}, the action to be taken when a security violation is detected. The default is shutdown.

Port Security: Verifying
    S1# show port-security interface fa0/1
    Port Security              : Enabled
    Port Status                : Secure-shutdown   ! a violation has occurred; normal status is Secure-up
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 4
    Total MAC Addresses        : 4
    Configured MAC Addresses   : 1
    Sticky MAC Addresses       : 3
    Last Source Address:Vlan   : 0006.2A70.CAEA:1
    Security Violation Count   : 1
    S1#

    S1# show port-security address
                   Secure Mac Address Table
    -----------------------------------------------------------------------------
    Vlan    Mac Address       Type               Ports   Remaining Age (mins)
    ----    -----------       ----               -----   --------------------
       1    0001.4324.5D3B    SecureSticky       Fa0/1          -
       1    0006.2A70.CAEA    SecureSticky       Fa0/1          -
       1    0090.216E.C041    SecureSticky       Fa0/1          -
       1    AAAA.BBBB.1234    SecureConfigured   Fa0/1          -
    -----------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 3
    Max Addresses limit in System (excluding one mac per port) : 8192
    S1#

LAN Security Attacks - VLAN Attacks
Switch spoofing attack - an example of a VLAN attack.
- An attacker can gain VLAN access by configuring a host to spoof a switch and use the 802.1Q trunking protocol and DTP to trunk with the connecting switch.
Methods to mitigate VLAN attacks:
- Explicitly configure access links.
- Disable auto trunking.
- Manually enable trunk links.
- Disable unused ports, make them access ports, and assign them to a black hole VLAN.
- Change the default native VLAN.
- Implement port security.

Switch Spoofing Attack
There are a number of different types of VLAN attacks in modern switched networks; VLAN hopping is one example. The default configuration of the switch port is dynamic auto. By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network. Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack. To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking, as shown in the figure on the next slide.

LAN Security Best Practices - Mitigate VLAN Attacks
Access Ports
- Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
- Place all unused ports in the shutdown state and associate them with a VLAN designed only for unused ports, carrying no user data traffic.
    DLS2(config)# interface range fa 0/1 - 24
    DLS2(config-if)# switchport mode access
    DLS2(config-if)# switchport access vlan 222
    DLS2(config-if)# shutdown

Double-Tagging Attack
A double-tagging attack takes advantage of the way that hardware on most switches de-encapsulates 802.1Q tags. Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame. After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header. The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.
Note: This attack works only if the trunk has the same native VLAN as the attacker.

Mitigate VLAN Attacks
- Change the native VLAN from VLAN 1.
- Manually enable trunk links using switchport mode trunk.
- Disable DTP (auto trunking) negotiations on trunking and non-trunking ports using switchport nonegotiate.
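The per-port settings this chapter has recommended so far (CDP disabled on ports that do not need it, port security on access ports, unused ports shut down in a black-hole VLAN, trunks configured statically with DTP negotiation off and a non-default native VLAN) can be checked mechanically against a running configuration. The Python script below is an added example, not part of the original slides and not a Cisco tool; it parses an IOS-style running-config excerpt that is constructed here for illustration and reports every interface that misses one of those settings.

```python
"""Audit an IOS-style running-config excerpt for the Layer 2 hardening steps
discussed in this chapter. Added example; SAMPLE_CONFIG is constructed."""

# Constructed sample: a hardened access port, an unused port parked in the
# black-hole VLAN, a hardened trunk, a port left at factory defaults, and a
# trunk that still negotiates DTP on native VLAN 1.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 no cdp enable
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 222
 shutdown
!
interface FastEthernet0/3
 switchport access vlan 10
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 2
 switchport nonegotiate
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_interface(lines):
    """Return a list of (severity, message) findings for one interface."""
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    findings = []
    if has("shutdown"):
        # Unused port: must be an access port parked in a VLAN that carries no user traffic.
        if not has("switchport mode access"):
            findings.append(("medium", "shut port is not in access mode"))
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), "1")
        if vlan == "1":
            findings.append(("medium", "shut port not assigned to a black-hole VLAN"))
        return findings
    if has("switchport mode trunk"):
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        if native == "1":
            findings.append(("high", "trunk uses default native VLAN 1 (double-tagging exposure)"))
        if not has("switchport nonegotiate"):
            findings.append(("medium", "trunk still negotiates DTP; add switchport nonegotiate"))
        return findings
    # Everything else is an in-use edge port.
    if not has("switchport mode access"):
        findings.append(("high", "port is dynamic auto: a host could negotiate a trunk (switch spoofing)"))
    if not has("switchport port-security"):
        findings.append(("medium", "port security not enabled (MAC flooding exposure)"))
    if not has("no cdp enable"):
        findings.append(("low", "CDP still enabled on an access port"))
    return findings


def audit_config(config):
    """Audit every interface; returns {interface: findings} for interfaces with findings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for intf, findings in audit_config(SAMPLE_CONFIG).items():
        for severity, message in findings:
            print(f"{intf}: [{severity}] {message}")
```

Run against the sample, FastEthernet0/1, FastEthernet0/2 and FastEthernet0/24 produce no findings, FastEthernet0/3 is flagged on all three edge-port checks, and GigabitEthernet0/1 is flagged for native VLAN 1 and missing nonegotiate. The checks are prefix matches on the exact commands shown in these slides, so a configuration that uses other syntax would need the prefixes adjusted.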
A complete configuration for a trunk link:
    DLS2(config)# interface fa 0/24
    DLS2(config-if)# switchport trunk encapsulation dot1q
    DLS2(config-if)# switchport mode trunk
    DLS2(config-if)# switchport trunk native vlan 2
    DLS2(config-if)# switchport trunk allowed vlan 1, 10-99
    DLS2(config-if)# switchport trunk allowed vlan remove 20
    DLS2(config-if)# no shutdown

PVLAN Edge
The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch. It has local significance only. A protected port only exchanges traffic with unprotected ports; a protected port does not exchange traffic with another protected port.
To configure the PVLAN Edge feature, enter the switchport protected command in interface configuration mode. To disable a protected port, use the no switchport protected interface configuration mode command.
    S1(config)# interface g0/1
    S1(config-if)# switchport protected
    S1(config-if)# end
    S1# show interfaces g0/1 switchport
    Name: G0/1
    Switchport: Enabled
    Administrative Mode: dynamic auto
    Operational Mode: down
    Administrative Trunking Encapsulation: dot1q
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Protected: true
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

LAN Security Attacks - DHCP Attacks
- DHCP spoofing attack - an attacker configures a fake DHCP server on the network to issue IP addresses to clients.
- DHCP starvation attack - an attacker floods the DHCP server with bogus DHCP requests and leases all of the available IP addresses. This results in a denial-of-service (DoS) attack, as new clients cannot obtain an IP address.
Methods to mitigate DHCP attacks:
- Configure DHCP snooping.
- Configure port security.

LAN Security Best Practices - Mitigate DHCP Attacks
To prevent DHCP attacks, use DHCP snooping. With DHCP snooping enabled on an interface, the switch will deny packets containing:
- Unauthorized DHCP server messages coming from an untrusted port.
- Unauthorized DHCP client messages not adhering to the DHCP Snooping Binding Database or rate limits.
DHCP snooping recognizes two types of ports:
- Trusted DHCP ports - only ports connecting to upstream DHCP servers should be trusted.
- Untrusted ports - these ports connect to hosts that should not be providing DHCP server messages.

DHCPv4 Operation
DHCP is a network protocol used to automatically assign IP information. The exchange in the figure:
1. DHCPDISCOVER (broadcast) from the client.
2. DHCPOFFER (unicast) from the server: IP address 192.168.10.15, subnet mask 255.255.255.0, default gateway 192.168.10.1, lease time 3 days.
3. DHCPREQUEST (broadcast) from the client.
4. DHCPACK (unicast) from the server.
Two types of DHCP attacks are:
- DHCP spoofing: a fake DHCP server is placed in the network to issue DHCP addresses to clients.
- DHCP starvation: the attack denies service to the legitimate DHCP server.

DHCP Spoofing Attack (figure sequence)
1. The attacker connects a rogue DHCP server. The client broadcasts DHCP Discover messages, which reach both the legitimate DHCP server and the rogue DHCP server.
2. Legitimate and rogue DHCP Offers are sent to the client.
3. The client accepts the rogue DHCP Offer and sends a DHCP Request.
4. The rogue DHCP server acknowledges with a DHCP Ack.
This creates a "man-in-the-middle" attack and can go entirely undetected, as the intruder intercepts the data flow through the network.

DHCP Starvation Attack (figure sequence)
1. The attacker initiates a DHCP starvation attack: DHCP Discovery messages, one per address in the scope.
2. The DHCP server offers parameters: DHCP Offer messages, one per address in the scope.
3. The attacker requests all offers: DHCP Request messages, one per address in the scope.
4. The DHCP server acknowledges all requests: DHCP Ack messages, one per address in the scope.

Solution: Configure DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as:
- Trusted ports: host a DHCP server or can be an uplink toward the DHCP server, and can source all DHCP messages, including DHCP offer and DHCP acknowledgement packets.
- Untrusted ports: connect to end devices and can source requests only.
If a rogue device on an untrusted port attempts to send a DHCP offer packet into the network, the port is shut down.
Figure: T marks trusted ports (toward the DHCP server and between switches); U marks untrusted ports (toward the DHCP client and the rogue DHCP server).

Configure DHCP Snooping
Enable DHCP snooping:
- Switch(config)# ip dhcp snooping
- This global configuration command enables DHCP snooping on the switch. It allows the switch to monitor and verify DHCP messages.
Define trusted ports (by default, all ports are untrusted):
- Switch(config-if)# ip dhcp snooping trust
- This command marks a specific interface as a trusted port, where DHCP packets are allowed to pass through without verification.
(Optional) Limit the number of DHCP messages an interface can receive per second. The range is 1 to 2048:
- Switch(config-if)# ip dhcp snooping limit rate rate
- This optional command helps prevent DHCP packet flooding attacks.
Enable DHCP snooping for specific VLANs:
- Switch(config)# ip dhcp snooping vlan number [number]
- You can list multiple VLAN numbers separated by a space.
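The decisions DHCP snooping makes, as described above, can be modelled in a few lines: server messages are dropped (and the port shut down) when they arrive on an untrusted port, untrusted ports are rate limited, the chaddr field is checked against the frame's source MAC, and ACKs seen on the trusted port populate the binding database. The following Python model is an added example, not the switch's implementation; the port names, the rate limit of 6 pps and the message sequence in run_demo are constructed for illustration.

```python
"""Model of the DHCP snooping decisions described in this chapter.
Added example; the message sequence in run_demo() is constructed."""
from collections import defaultdict

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


class DhcpSnooping:
    """Per-switch DHCP snooping state: trusted ports, rate limits, bindings."""

    def __init__(self, trusted_ports, rate_limits=None):
        self.trusted = set(trusted_ports)        # ports with "ip dhcp snooping trust"
        self.rate_limits = rate_limits or {}     # port -> pps from "ip dhcp snooping limit rate"
        self.bindings = {}                       # client MAC -> (ip, vlan, client port)
        self.err_disabled = set()                # ports shut down after a violation
        self._pps = defaultdict(int)             # (port, second) -> messages seen
        self._client_port = {}                   # chaddr -> port the client was seen on

    def process(self, port, vlan, msg_type, src_mac, chaddr, yiaddr=None, second=0):
        """Decide one DHCP message; returns 'forward' or 'drop: <reason>'."""
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            # Trusted side: everything passes; ACKs from the real server build the binding table.
            if msg_type == "DHCPACK" and yiaddr:
                self.bindings[chaddr] = (yiaddr, vlan, self._client_port.get(chaddr))
            return "forward"
        # Untrusted port: rate limit first (catches DHCP starvation floods).
        self._pps[(port, second)] += 1
        if self._pps[(port, second)] > self.rate_limits.get(port, float("inf")):
            self.err_disabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        # Server messages may only enter on trusted ports (rogue DHCP server).
        if msg_type in SERVER_MESSAGES:
            self.err_disabled.add(port)
            return "drop: server message on untrusted port, port err-disabled"
        # hwaddr verification: the frame source MAC must equal the DHCP chaddr field.
        if src_mac != chaddr:
            return "drop: chaddr does not match source MAC"
        self._client_port[chaddr] = port
        return "forward"


def run_demo():
    """Constructed message sequence; returns (decisions, binding table)."""
    sw = DhcpSnooping(trusted_ports={"F0/1"}, rate_limits={"F0/5": 6, "F0/6": 6, "F0/7": 6})
    client, server = "00:03:47:b5:9f:ad", "00:50:56:aa:00:01"
    log = []
    # Normal lease: client on untrusted F0/5, server on trusted F0/1.
    log.append(sw.process("F0/5", 5, "DHCPDISCOVER", client, client))
    log.append(sw.process("F0/1", 5, "DHCPOFFER", server, client))
    log.append(sw.process("F0/5", 5, "DHCPREQUEST", client, client))
    log.append(sw.process("F0/1", 5, "DHCPACK", server, client, yiaddr="192.168.10.55"))
    # A rogue server on untrusted F0/6 tries to answer a discover.
    log.append(sw.process("F0/6", 5, "DHCPOFFER", "00:0c:29:11:22:33", client))
    # Starvation attempt on F0/7: 7 discovers in one second against a limit of 6.
    for i in range(7):
        mac = f"02:00:00:00:00:{i:02x}"
        log.append(sw.process("F0/7", 5, "DHCPDISCOVER", mac, mac, second=1))
    # Spoofed chaddr on F0/5: frame source MAC differs from the DHCP chaddr field.
    log.append(sw.process("F0/5", 5, "DHCPDISCOVER", client, "02:00:00:00:ff:ff", second=2))
    return log, sw.bindings


if __name__ == "__main__":
    decisions, bindings = run_demo()
    for n, d in enumerate(decisions):
        print(n, d)
    print(bindings)
```

The binding learned in the demo matches the shape of the show ip dhcp snooping binding entry later in this chapter (client MAC, IP, VLAN, interface). The model shuts the port on the first violation, which is the behaviour the slides describe; real switches recover such ports via err-disable recovery or a manual no shutdown.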
Configure DHCP Snooping Example
Topology: the DHCP server 192.168.10.10 connects to S1 on F0/1 (trusted, T); client ports start at F0/5 (untrusted, U).
    S1(config)# ip dhcp snooping
    S1(config)#
    S1(config)# interface f0/1
    S1(config-if)# ip dhcp snooping trust
    S1(config-if)# exit
    S1(config)#
    S1(config)# interface range f0/5 - 24
    S1(config-if-range)# ip dhcp snooping limit rate 6
    S1(config-if-range)# exit
    S1(config)#
    S1(config)# ip dhcp snooping vlan 5,10,50-52
    S1(config)#

S1# show ip dhcp snooping: this command displays the global DHCP snooping configuration on the switch.
    S1# show ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    5,10,50-52
    DHCP snooping is operational on following VLANs:
    None                                    ! configured, but currently not operational on any VLAN
    DHCP snooping is configured on the following L3 Interfaces:

    Insertion of option 82 is enabled
       circuit-id default format: vlan-mod-port
       remote-id: 0cd9.96d2.3f80 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:

    Interface                  Trusted    Allow option    Rate limit (pps)
    -----------------------    -------    ------------    ----------------
    FastEthernet0/1            yes        yes             unlimited
      Custom circuit-ids:
    FastEthernet0/5            no         no              6
      Custom circuit-ids:
    FastEthernet0/6            no         no              6
      Custom circuit-ids:

S1# show ip dhcp snooping binding: this command displays the DHCP snooping binding database, which contains information about trusted DHCP client interfaces. The binding database includes the following information for each entry:
- DHCP client MAC address
- DHCP client IP address
- Lease duration of the IP address assigned to the DHCP client by the DHCP server (93,185 seconds in the example, or approximately 25 hours and 53 minutes)
- VLAN ID
- Interface where the client is connected
    S1# show ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  ----------------
    00:03:47:B5:9F:AD   192.168.10.55    93185       dhcp-snooping  5     FastEthernet0/5
Topology: client 192.168.10.55 on F0/5 (U); DHCP server 192.168.10.10 on F0/1 (T).

LAN Security Best Practices - Secure Administrative Access using AAA
Local AAA Authentication
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and allows user access.
Server-Based AAA Authentication
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
The AAA router uses the Terminal Access Controller Access Control System (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) protocol to communicate with the AAA server.
Note: Authentication, Authorization, and Accounting is also pronounced "triple-A" (AAA).

You can think of AAA in the following manner:
- Authentication: Who is the user?
- Authorization: What is the user allowed to do?
- Accounting: What did the user do? (i.e., tracking user activity on the network)
As an example, a network administrator can have several methods to manage users who might try to log in to a switch to perform some operation. At the most basic level, you could authenticate users with simple passwords that are configured on the switch console and VTY lines. Authorization could be equally simple: when users successfully log in, they are authorized for EXEC level privileges. By entering the correct enable secret password, users could be authorized for a higher privilege level.
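The server-based exchange above (the router forwards the credentials to the AAA server, which accepts or rejects them) runs over RADIUS or TACACS+. The Python below is an added example, not Cisco code, that models the RADIUS side of it using the RFC 2865 packet layout: the NAS (the AAA router) hides the User-Password with the shared secret and a random Request Authenticator, and the server signs its Access-Accept or Access-Reject with a Response Authenticator that the NAS verifies. It shows why the shared secret must match on both sides. The secret reuses the sample value from this chapter's 802.1X configuration, and the user database, credentials and packet identifiers are constructed.

```python
"""RADIUS Access-Request / Access-Accept model (RFC 2865 layout).
Added example; the secret, users and credentials are constructed samples."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attrs(pairs):
    """Encode (type, value) attribute pairs as RADIUS TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out[t] = data[i + 2:i + length]
        i += length
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte chunks with an MD5(secret + previous block) chain."""
    pw = password.encode()
    pw += b"\x00" * max(16 - len(pw), -len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(pw[i:i + 16], b))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; garbage comes out if the secret is wrong."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_packet(code, ident, authenticator, attrs):
    body = _attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def nas_access_request(username, password, secret, ident=1):
    """AAA router side: build the Access-Request; returns (packet, request authenticator)."""
    req_auth = os.urandom(16)
    pkt = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
    ])
    return pkt, req_auth


def server_handle(pkt, secret, users):
    """AAA server side: recover the password and answer Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], _parse_attrs(pkt[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    pw = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, b"", req_auth, secret), [])


def nas_verify(reply, req_auth, secret):
    """AAA router side: trust the reply only if its Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req_auth, secret)
    return code if reply[4:20] == expected else None


def run_demo():
    secret = b"RADIUS-Pa55w0rd"                      # the "key" value from this chapter's example
    users = {"ADMIN": "cisco123"}                    # constructed server-side user database
    results = {}
    pkt, ra = nas_access_request("ADMIN", "cisco123", secret)
    results["good"] = nas_verify(server_handle(pkt, secret, users), ra, secret)
    pkt, ra = nas_access_request("ADMIN", "wrong", secret)
    results["bad_pw"] = nas_verify(server_handle(pkt, secret, users), ra, secret)
    # Mismatched shared secret: the server decodes a garbage password and its reply fails verification.
    pkt, ra = nas_access_request("ADMIN", "cisco123", secret)
    results["bad_secret"] = nas_verify(server_handle(pkt, b"other-secret", users), ra, secret)
    return results


if __name__ == "__main__":
    print(run_demo())   # {'good': 2, 'bad_pw': 3, 'bad_secret': None}
```

Two things worth noticing from the model: the password is obscured, not encrypted with a modern cipher, which is one reason TACACS+ (which encrypts the whole body) or RADIUS over a protected transport is preferred for device administration; and the Response Authenticator is the only thing that lets the router tell a genuine server reply from a forged one, so a leaked shared secret undermines both properties.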
Server-Based AAA Authentication (figure sequence)
1. The client establishes a connection with the router (R1> establish SSH connection).
2. The AAA router prompts the user for a username and password ("Username / Password please ...").
3. The client enters the username and password (ADMIN / cisco123).
4. The AAA router forwards the authentication request to the AAA server (RADIUS or TACACS+).
5. The AAA server either accepts or rejects the authentication credentials ("Pass!").
6. The AAA router grants user EXEC access to the remote user (Router>).
The AAA router and AAA server communicate using either:
- RADIUS - Remote Authentication Dial-In User Service protocol
- TACACS+ - Terminal Access Controller Access Control System protocol

LAN Security Best Practices - Secure Device Access using 802.1X
Port-Based Authentication
AAA is great for administrative access. What about user access? AAA can also be configured to use the IEEE 802.1X standard.
802.1X defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN.
- Each workstation must be authenticated before any services are provided.
- The workstation is only allowed to communicate using the Extensible Authentication Protocol over LAN (EAPOL).
- Once authenticated, normal traffic is permitted through the port.
The IEEE 802.1X standard defines a port-based access control and authentication protocol.
- It restricts unauthorized workstations from connecting to a LAN.
- The authentication server authenticates each workstation connected to a switch port before making any services available.

Port-Based Authentication (figure: Supplicant - Authenticator (switch) - Authentication Server (RADIUS))
- Supplicants are hosts running 802.1X-compliant client software. They request access to the LAN and respond to requests from the switch.
- The Authenticator is the switch that controls physical access to the network based on the authentication status of the client. The switch uses a RADIUS software agent, which is responsible for encapsulating and de-encapsulating the EAP frames and interacting with the authentication server.
- The Authenticator is an intermediary (proxy) between the client (Supplicant) and the Authentication Server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Because the switch acts as the proxy, the authentication service is transparent to the client.
- The RADIUS security system with EAP extensions is the only supported authentication server.
- The Authentication Server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services.
The EAP (Extensible Authentication Protocol) extensions to RADIUS add support for various authentication methods beyond the basic RADIUS protocol. EAP provides a framework that allows different authentication mechanisms to be used, such as passwords, digital certificates, smart cards, and biometrics.

IEEE 802.1X Configuration Example
Configuring a Cisco switch to use RADIUS authentication for port-based access control:
    S1(config)# aaa new-model
    S1(config)#
    S1(config)# radius server CCNAS
    S1(config-radius-server)# address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
    S1(config-radius-server)# key RADIUS-Pa55w0rd      ! shared secret between switch and server
    S1(config-radius-server)# exit
    S1(config)#
    S1(config)# aaa authentication dot1x default group radius
    S1(config)# dot1x system-auth-control
    S1(config)#
    S1(config)# interface F0/1
    S1(config-if)# switchport mode access
    S1(config-if)# authentication port-control auto
    S1(config-if)#
The commands and their functions:
1. Global configuration:
- aaa new-model: enables the AAA (Authentication, Authorization, and Accounting) feature on the switch.
- radius server CCNAS: defines a RADIUS server named "CCNAS".
- address ipv4 10.1.1.50 auth-port 1812 acct-port 1813: sets the IP address and the port numbers of the RADIUS server for authentication and accounting.
- key RADIUS-Pa55w0rd: sets the shared secret key used for communication between the switch and the RADIUS server.
2. AAA authentication configuration:
- aaa authentication dot1x default group radius: specifies that the default authentication method for 802.1X is RADIUS.
- dot1x system-auth-control: enables system authentication control for 802.1X.
3. Interface configuration:
- interface F0/1: configures the interface F0/1.
- switchport mode access: sets the interface mode to access mode.
- authentication port-control auto: enables automatic port control for 802.1X authentication.

SNMP

SNMP Operation - Introduction to SNMP
Simple Network Management Protocol (SNMP) enables network administrators to monitor and manage network nodes. The SNMP system consists of three elements:
- SNMP manager - collects information from an SNMP agent using the "get" action, and changes configurations on an agent using the "set" action.
- SNMP agents (managed nodes)
- Management Information Base (MIB) - stores data and operational statistics about the managed device.
Key actions:
- Get: retrieve specific information from an agent (e.g., CPU load, memory usage).
- Set: modify configurations on the agent (e.g., changing a device's settings).

SNMP Operation
SNMP agents that reside on managed devices collect and store information about the device. This information is stored by the agent locally in the M​IB. The SNMP manager then uses the SNMP agent to access information within the MIB. The SNMP agent responds to SNMP manager requests as follows:
- Get a MIB variable - the SNMP agent performs this in response to a GetRequest-PDU from the network manager.
- Set a MIB variable - the SNMP agent performs this in response to a SetRequest-PDU from the network manager.

SNMP Actions (figure)
- SNMP Manager to SNMP Agent: Get-Request, Get-Next-Request, Get-Bulk-Request, Set-Request
- SNMP Agent to SNMP Manager: Response, Trap, Inform-Request, Report
- Inform-Request can also be sent to another manager.

SNMP (Simple Network Management Protocol) supports several key actions for managing network devices. Here are the main SNMP actions:
1. Get
- Purpose: retrieve data from an SNMP agent.
- Usage: used when the SNMP manager needs to access specific information, like CPU usage or network interface status.
Direct Data Retrieval: o The Get action allows querying of individual OIDs (Object Identifiers) to obtain specific information directly from the device. 2. GetNext Purpose: Retrieve the next object in a MIB (Management Information Base) structure. Usage: Useful for walking through tables or collections of data. MIB Structure: o MIBs are organized in a tree-like structure with object identifiers (OIDs). Each OID represents a specific piece of information. Walking Through Data: o The GetNext action allows the SNMP manager to retrieve the next OID in the sequence, making it easy to collect data from tables or lists without knowing all the OIDs in advance. H.Swaih 59 SNMP Actions 3. Set Purpose: Modify configurations on an SNMP agent. Usage: Allows the SNMP manager to change settings like interface status or system configurations. Direct Configuration Changes: o Enables remote management by allowing network administrators to change device settings without needing physical access. Variety of Modifiable Settings: o Common uses include changing interface statuses, modifying routing settings, adjusting system parameters, and updating access control lists (ACLs). 4. GetBulk Purpose: Retrieve large amounts of data efficiently. Usage: Optimizes the retrieval of multiple objects at once, typically used for table-like structures. Efficient Data Retrieval: o Minimizes the number of requests needed to obtain large datasets, reducing network overhead and improving performance. Batch Processing: o Retrieves multiple OIDs in a single request, making it ideal for accessing entire tables (e.g., interface statistics, IP address tables). Works with Bulk Retrieval: o Designed to work with SNMP versions 2c and above, which support bulk data access. H.Swaih 60 30 9/3/2024 SNMP Actions 5. Trap Purpose: Asynchronously send notifications from the agent to the manager. Usage: Used for alerting the manager about significant events, like device failures or threshold breaches. 
Example: Configured on the agent to send traps to the SNMP manager.
Asynchronous Notifications:
  o Traps are sent independently of the SNMP manager's request. This means the agent can alert the manager about important events without waiting for a polling request.
6. Inform
Purpose: Similar to traps, but requires acknowledgment from the SNMP manager.
Usage: Ensures that important notifications are received, adding reliability.
Acknowledgment Requirement:
  o Unlike traps, which are sent without confirmation, informs need the SNMP manager to reply back, verifying receipt of the message.
Improved Reliability:
  o Ensures that important notifications are not missed, making it suitable for critical alerts that require immediate attention.
Uses for Important Events:
  o Commonly used for alerts regarding significant events, such as security breaches, system failures, or threshold violations.

SNMPv1 and SNMPv2 Security Concerns
[Figure: Trap, Get-Request and Set-Request messages exchanged between the manager and the agent.]
Traps or notifications are not authenticated or encrypted.
Agents can be polled with get requests and accept configuration changes with set requests (e.g., reboot the device, send a configuration file, or receive a configuration file).

SNMP Operation
SNMP Agent Traps
A Network Management System (NMS) periodically polls the SNMP agents using the get request. Using this process, SNMP can collect information to monitor traffic loads and to verify device configurations of managed devices. SNMP agents can also generate and send traps to inform the NMS immediately of certain events.
– Traps are unsolicited messages alerting the SNMP manager to a condition or event such as improper user authentication or link status.

SNMP Operation
SNMP Versions
SNMPv1 and SNMPv2 use community strings as passwords to access router SNMP agents. SNMP read-only community strings can be used to get information from an SNMP-enabled device. SNMP read-write community strings can be used to set information on an SNMP-enabled device.
All versions use SNMP managers, agents, and MIBs; this course focuses on versions 2c and 3. A network administrator must configure the SNMP agent to use the SNMP version supported by the management station.
Community strings are used to authenticate requests made by SNMP managers to agents, acting as a simple security mechanism.
Lack of Encryption: Community strings are sent in plaintext, making them susceptible to interception via network sniffing.
Due to these security vulnerabilities, it is advisable to use SNMPv3, which provides enhanced security features, including authentication and encryption.

SNMP Operation
Community Strings
SNMPv1 and SNMPv2c use community strings that control access to the MIB. Two types of community strings:
– Read-only (ro): Provides access to the MIB variables, but no changes can be made (i.e., allows the SNMP manager to retrieve information without making changes).
– Read-write (rw): Provides read and write access to all objects in the MIB (i.e., permits the manager to read data and modify configurations).

SNMP Operation
Management Information Base Object ID
The MIB defines each variable as a hierarchical structure known as an object ID (OID).
Object Identifier (OID) tree
– OIDs uniquely identify managed objects.
– OIDs are organized based on RFC (Request for Comments) standards into a hierarchy or tree. Most devices implement RFC-defined common public variables.
– Vendors such as Cisco can define private branches on the tree to accommodate their own variables.
CPU is one of the key resources; it should be measured continuously.
– An SNMP graphing tool can periodically poll SNMP agents and graph the values.
– The data is retrieved via the snmpget utility (command-line tool).

SNMP Operation
Management Information Base Object ID
Breakdown of the OID Tree:
iso (1): This is the root of the OID tree, representing the International Organization for Standardization (ISO).
org (3): This node represents the ISO-identified organizations.
dod (6): This node represents the U.S. Department of Defense.
internet (1): This node represents the internet domain.
private (4): This node represents private enterprises.
enterprises (1): This node represents enterprises within the private domain.
cisco (9): This node represents Cisco Systems, Inc.
local variables (2): This branch represents local variables defined by Cisco.
interface group (2): This branch represents interface-related variables.
cisco mgmt (9): This branch represents management-related variables.
cisco flash group (10): This branch represents variables related to flash memory on Cisco devices.
Purpose of OID Trees:
– Unique Identification: OIDs provide a unique identifier for each managed object, allowing network management tools to easily locate and retrieve information about specific devices and their components.
– Hierarchical Structure: The hierarchical structure of OID trees makes it easier to organize and manage large numbers of managed objects.
– Vendor-Specific Extensions: OID trees can be extended by vendors to accommodate their own proprietary managed objects, ensuring compatibility with different network devices.

SNMP Operation
SNMPv3
SNMPv3 authenticates and encrypts packets over the network to provide secure access to devices. SNMPv3 provides three security features:
– Message integrity and authentication: Transmissions from the SNMP manager to agents (managed nodes) can be authenticated.
– Encryption: SNMPv3 messages may be encrypted to ensure privacy.
– Access control: Restricts SNMP managers to certain actions on specific portions of data.

Configuring SNMP
Steps for Configuring SNMP
Basic steps to configuring SNMP:
1. Configure the community string and access level using the snmp-server community string ro | rw command.
2. (Optional) Document the location of the device using the snmp-server location text command.
   – This information can be useful for network administrators to identify the physical location of the device.
3. (Optional) Document the system contact using the snmp-server contact text command.
4. (Optional) Use an ACL to restrict SNMP access to NMS hosts (SNMP managers). Reference the ACL using snmp-server community string access-list-number-or-name.

Configuring SNMP
Steps for Configuring SNMP
R1(config)# snmp-server community batonaug ro SNMP_ACL
R1(config)# snmp-server location NOC_SNMP_MANAGER
R1(config)# snmp-server contact Wayne World
R1(config)# snmp-server host 192.168.1.3 version 2c batonaug
R1(config)# snmp-server enable traps
R1(config)# ip access-list standard SNMP_ACL
R1(config-std-nacl)# permit 192.168.1.3

Configuring SNMP
Steps for Configuring SNMP
Community string: The community string "batonaug" is used for authentication to access SNMP services on R1.
– Purpose: This defines a shared secret that must be provided by both the SNMP manager and agent to establish a secure connection. The community string "batonaug" acts as a password. Only SNMP managers that know this string can communicate with R1.
Location: The location of the SNMP manager is set to "NOC_SNMP_MANAGER".
– Purpose: Specifies the location of the SNMP manager. This information is often used for troubleshooting and documentation purposes. In this case, the location is set to "NOC_SNMP_MANAGER" (NOC: Network Operations Center).
Contact: The contact information for the router is set to "Wayne World".
– Purpose: Provides contact information for the person responsible for the SNMP manager.
Host: The IP address of the SNMP manager (192.168.1.3) is configured.
– Purpose: This command configures the router to accept SNMP requests from the host (SNMP manager) with the IP address 192.168.1.3. The version is set to 2c to be used for communication. The "batonaug" community is used for authentication.
Traps: Trap generation is enabled on R1, allowing it to send notifications about significant events, such as a device failure or security breach, to the SNMP manager.
Access-list: An access control list (ACL) named "SNMP_ACL" is created to restrict SNMP access to the specified IP address (192.168.1.3).

Configuring SNMP
Verifying SNMP Configuration
Kiwi Syslog Server is one of several solutions that display SNMP output. The SNMP traps are sent to the SNMP manager and displayed on the syslog server. To verify the SNMP configuration, use the show snmp command.
R1# show snmp
Chassis: FTX1636848Z
Contact: Wayne World
Location: NOC_SNMP_MANAGER
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
19 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    19 Trap PDUs
SNMP Dispatcher: queue 0/75 (current/max), 0 dropped
SNMP Engine: queue 0/1000 (current/max), 0 dropped
SNMP logging: enabled
    Logging to 192.168.1.3.162, 0/10, 19 sent, 0 dropped

Configuring SNMP
Verifying SNMP Configuration
Use the show snmp community command to show SNMP community string and ACL information.
R1# show snmp community
Community name: ILMI
Community Index: cisco0
Community SecurityName: ILMI
storage-type: read-only active

Community name: batonaug
Community Index: cisco7
Community SecurityName: batonaug
storage-type: nonvolatile active access-list: SNMP_ACL

Community name: batonaug@1
Community Index: cisco8
Community SecurityName: batonaug@1
storage-type: nonvolatile active access-list: SNMP_ACL

Configuring SNMP
SNMP Best Practices
SNMP can create security vulnerabilities.
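To make that concern concrete, here is an added example (my code, not part of the slides) that decodes two constructed SNMPv1/v2c packets the way a network sensor would, and reports what a defender should notice: the community string and the request type are readable by anyone who captures the packet, and a SetRequest is a configuration change. The message layout and PDU tags are from RFC 3416; the community "batonaug" is from this chapter, sysLocation.0 (1.3.6.1.2.1.1.6.0) is the standard object behind snmp-server location, and the "private" community, the packet bytes, the default-string list and the mib-2 name are constructed or assumed.

```python
# PDU type tags from RFC 3416 (context-specific constructed, 0xA0..0xA8).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
WEAK_COMMUNITIES = {"public", "private"}  # assumption: common vendor defaults
# OID prefixes named after the tree in the slides (Cisco branch) plus mib-2.
OID_NAMES = {"1.3.6.1.4.1.9": "iso.org.dod.internet.private.enterprises.cisco",
             "1.3.6.1.2.1": "iso.org.dod.internet.mgmt.mib-2"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos]; short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # first byte packs arcs 1 and 2
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # 7 data bits per byte, MSB set = more
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_message(pkt):
    """Parse the v1/v2c layout: SEQUENCE { version, community, PDU }."""
    _, body, _ = read_tlv(pkt, 0)
    _, ver, pos = read_tlv(body, 0)
    _, comm, pos = read_tlv(body, pos)  # OCTET STRING, sent in the clear
    tag, pdu, _ = read_tlv(body, pos)
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)  # error-status (non-repeaters for GetBulk)
    _, _, pos = read_tlv(pdu, pos)  # error-index (max-repetitions for GetBulk)
    _, vblist, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):  # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(vblist, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": VERSIONS.get(int.from_bytes(ver, "big"), "unknown"),
            "community": comm.decode("ascii", "replace"), "oids": oids,
            "pdu": PDU_TYPES.get(tag, hex(tag))}

def name_oid(oid):
    """Replace a known prefix with its named path from the MIB tree."""
    for prefix, name in OID_NAMES.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return name + oid[len(prefix):]
    return oid

def findings(msg):
    """What a monitoring sensor should flag, per the security concerns above."""
    out = []
    if msg["version"] != "SNMPv3":
        out.append("plaintext community string: " + msg["community"])
    if msg["community"].lower() in WEAK_COMMUNITIES:
        out.append("well-known default community string")
    if msg["pdu"] == "SetRequest":
        out.append("SetRequest (config change) on " + ", ".join(map(name_oid, msg["oids"])))
    return out

# Constructed samples: a v2c GetRequest for sysLocation.0 with the community
# "batonaug" from the slides, and a v1 SetRequest using the default "private".
GET_V2C = bytes.fromhex("3028 020101 04086261746f6e617567 a019 020101 020100 "
                        "020100 300e 300c 06082b06010201010600 0500")
SET_V1 = bytes.fromhex("302a 020100 040770726976617465 a31c 020102 020100 "
                       "020100 3011 300f 06082b06010201010600 04036c6162")
```

Running findings(parse_message(SET_V1)) yields three findings (plaintext string, default string, SetRequest on mib-2 sysLocation.0), while the GetRequest with "batonaug" yields only the plaintext warning.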
– For SNMPv1 and SNMPv2c, community strings should be strong and changed frequently.
– ACLs should be used to prevent SNMP messages from going beyond the required devices and to limit access to monitored devices.
– SNMPv3 is recommended because it provides security authentication and encryption.
  – The snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} command creates a new SNMP group on the device. This allows you to organize users and assign different access levels.
  – The snmp-server user username groupname command is used to add a new user to the group. This enables you to control who has access to SNMP data and what actions they can perform.

Configuring SNMP
Steps for Configuring SNMPv3
Step 1: Configure an ACL to permit access to the protected management network.
Router(config)# ip access-list standard acl-name
Router(config-std-nacl)# permit source_net
Configure a standard ACL that will permit access for authorized SNMP managers.
Step 2: Configure an SNMP view.
Router(config)# snmp-server view view-name oid-tree
Configure an SNMP view to identify which OIDs the SNMP manager will be able to read. This allows you to restrict access to specific OIDs.

Configuring SNMP
Steps for Configuring SNMPv3
Step 3: Configure an SNMP group.
Router(config)# snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]
Configure the SNMP group and its features, including the name. This step creates a new SNMP group and assigns it a version (v3), a privacy level (priv), a read-only or write view, and an ACL filter.
Step 4: Configure a user as a member of the SNMP group.
Router(config)# snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} privpassword
Configure a user with features including username, associated group, version, authentication type, and encryption type and password.
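As an added example (my code, not Cisco's and not from the slides), the following script audits an IOS-style SNMP configuration against the best practices and SNMPv3 steps above: every v1/v2c community restricted by an ACL, no weak or read-write strings, notifications sent with version 3, and v3 groups using priv with SHA and AES. The sample configuration is constructed from the R1 commands in this section plus one deliberately weak "public rw" line; the default-string list and the 8-character minimum are assumptions.

```python
import re

WEAK_STRINGS = {"public", "private", "cisco"}  # assumption: well-known defaults
MIN_COMMUNITY_LEN = 8                           # assumption: "strong" threshold

def audit_snmp_config(config):
    """Return [(line_no, finding)] for an IOS-style SNMP configuration text."""
    lines = [line.strip() for line in config.strip().splitlines()]
    acls, v3_groups, findings = set(), {}, []
    for text in lines:  # first pass: collect ACL names/numbers and v3 groups
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", text)
        if m:
            acls.add(m.group(1))
        m = re.match(r"access-list (\d+) ", text)
        if m:
            acls.add(m.group(1))
        m = re.match(r"snmp-server group (\S+) v3 (auth|noauth|priv)", text)
        if m:
            v3_groups[m.group(1)] = m.group(2)
    for no, text in enumerate(lines, 1):
        m = re.match(r"snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$", text)
        if m:  # v1/v2c community: check strength, access level and ACL
            string, mode, acl = m.groups()
            if string.lower() in WEAK_STRINGS or len(string) < MIN_COMMUNITY_LEN:
                findings.append((no, f"weak community string '{string}'"))
            if mode == "rw":
                findings.append((no, "read-write community permits Set (config changes)"))
            if acl is None:
                findings.append((no, "community is not restricted by an ACL"))
            elif acl not in acls:
                findings.append((no, f"ACL '{acl}' is referenced but never defined"))
        m = re.match(r"snmp-server host \S+ .*version (1|2c)\b", text)
        if m:  # traps/informs sent without authentication or encryption
            findings.append((no, f"notifications use SNMPv{m.group(1)}; use version 3 priv"))
        m = re.match(r"snmp-server group (\S+) v3 (auth|noauth)\b", text)
        if m:  # v3 without priv: authenticated (or not) but never encrypted
            findings.append((no, f"v3 group '{m.group(1)}' uses {m.group(2)}: no encryption"))
        m = re.match(r"snmp-server user \S+ (\S+) v3 auth (md5|sha) \S+ priv (des|3des|aes)", text)
        if m:
            group, auth, priv = m.groups()
            if group not in v3_groups:
                findings.append((no, f"user assigned to undefined v3 group '{group}'"))
            if auth == "md5" or priv == "des":
                findings.append((no, f"legacy algorithms ({auth}/{priv}); prefer sha and aes"))
    return findings

# Constructed sample: the R1 commands from this section plus one deliberately
# weak line (community "public" with rw access and no ACL).
SAMPLE_CONFIG = """
snmp-server community batonaug ro SNMP_ACL
snmp-server community public rw
snmp-server location NOC_SNMP_MANAGER
snmp-server contact Wayne World
snmp-server host 192.168.1.3 version 2c batonaug
snmp-server enable traps
ip access-list standard SNMP_ACL
 permit 192.168.1.3
ip access-list standard PERMIT-ADMIN
 permit 192.168.1.0 0.0.0.255
snmp-server view SNMP-RO iso included
snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco05432
"""
```

On SAMPLE_CONFIG the audit reports three findings for the "public rw" line and one for the version 2c trap host; the batonaug community and the v3 group and user pass.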
The user uses SNMPv3 with the specified authentication (MD5 or SHA) and password, as well as the specified privacy method (AES) and password. Specifying the privacy type as AES (Advanced Encryption Standard) with a 128-, 192- or 256-bit key and a password means that password is used to encrypt and decrypt SNMP messages.

Configuring SNMP
SNMPv3 Configuration
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# snmp-server view SNMP-RO iso included
R1(config)# snmp-server group ADMIN v3 priv read SNMP-RO access PERMIT-ADMIN
R1(config)# snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco05432
R1(config)# end
– The "priv aes 128 cisco05432" portion of the user command configures encryption.

Configuring SNMP
SNMPv3 Configuration
– The example configures a standard ACL named PERMIT-ADMIN.
– It is configured to permit only the 192.168.1.0/24 network.
– All hosts attached to this network will be allowed to access the SNMP agent running on R1.
– An SNMP view named SNMP-RO is configured to include the entire ISO tree from the MIB.

Switched Port Analyzer (SPAN and RSPAN)

SPAN Overview
Port Mirroring
Network traffic passing through ports or VLANs can be analyzed by using a switched port analyzer (SPAN) (i.e., local SPAN) or remote SPAN (RSPAN).
– SPAN can send a copy of traffic from one port to another port on the same switch where a network analyzer or monitoring device is connected.
– RSPAN can send a copy of traffic to a port on a different switch.
SPAN is commonly implemented to deliver traffic to specialized devices including:
– Packet analyzers: using software such as Wireshark to capture and analyze traffic for troubleshooting purposes.
– IPS/IDS: when an IPS/IDS is added to a network, IPS devices need to read all packets in one or more VLANs, and SPAN can be used to get the packets to the Intrusion Prevention System (IPS) devices.
IPSs are focused on the security aspect of traffic and are implemented to detect network attacks as they happen. An IDS only alerts the network administrator when it detects an intrusion; an IPS actively blocks or drops the malicious packets before they reach the target. An IDS is usually placed outside the network perimeter, such as behind a firewall or a router.

SPAN Overview
SPAN Terminology
– Source (SPAN) port: A port that is monitored with use of the SPAN feature. Can be a Layer 2 or Layer 3 port (including VLAN).
  o Ingress traffic: Traffic that enters the switch.
  o Egress traffic: Traffic that leaves the switch.
– Destination (SPAN) port: A port that monitors source ports, usually where a packet analyzer or IPS is connected.
– SPAN Session: The association between a source port (or VLAN) and a destination port (or VLAN).

Configure Local SPAN
A session number is used to identify a local SPAN session. Use the monitor session command to associate a source port and a destination port with a SPAN session.
Configure a SPAN source port:
Switch(config)# monitor session number source [interface interface-id | vlan vlan-id]
Configure a SPAN destination port:
Switch(config)# monitor session number destination [interface interface-id | vlan vlan-id]
A VLAN can be specified instead of a physical port.

Configure SPAN Example
S1(config)# monitor session 1 source interface fa 0/1
S1(config)# monitor session 1 destination interface fa 0/2
S1(config)# exit
S1#

Verifying Local SPAN
Use the show monitor command to verify the SPAN session. It displays the type of the session, the source ports for each traffic direction, and the destination port.
S1# show monitor
Session 1
---------
Type : Local Session
Source Ports :
    Both : Fa0/1
Destination Ports : Fa0/2
    Encapsulation : Native
    Ingress : Disabled
S1#

Remote Switched Port Analyzer (RSPAN)
Remote SPAN (RSPAN) can copy traffic from ports or VLANs on one switch (i.e., the source switch) to a port on a different switch (i.e., the destination switch).
– RSPAN uses two sessions. One session is used as the source and one session is used to copy or receive (destination) the traffic from a VLAN.
– The traffic for each RSPAN session is carried over trunk links in a user-specified RSPAN VLAN. A VLAN must be designated as the RSPAN VLAN and not be used for any other purposes.
Note:
– SPAN and RSPAN vary by switching platform.

RSPAN - Example
SW1(config)# vlan 100
SW1(config-vlan)# name SPAN-VLAN
SW1(config-vlan)# remote-span
SW1(config)# monitor session 2 source interface Fa0/7
SW1(config)# monitor session 2 destination remote vlan 100

SW2(config)# vlan 100
SW2(config-vlan)# name SPAN-VLAN
SW2(config-vlan)# remote-span
SW2(config)# monitor session 3 destination interface Fa0/8
SW2(config)# monitor session 3 source remote vlan 100
Note: RSPAN VLAN numbers must match on both switches. Session numbers do not need to match.

Verifying RSPAN - Example
SW1# show monitor
Session 2
---------
Type : Remote Source Session
Source Ports :
    Both : Fa0/7
Dest RSPAN VLAN : 100

SW2# show monitor
Session 3
---------
Type : Remote Destination Session
Source RSPAN VLAN : 100
Destination Ports : Fa0/8
    Encapsulation : Native
    Ingress : Disabled

SPAN as a Troubleshooting Tool
Troubleshooting with SPAN Overview
SPAN allows administrators to troubleshoot network issues. To investigate a slow network application, a network administrator can use SPAN to duplicate and redirect traffic to a packet analyzer such as Wireshark. Older systems with faulty NICs can also cause issues; if SPAN is enabled, a network technician can detect and isolate the end device causing the problem.
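To check the RSPAN pairing rule from the example above (RSPAN VLAN numbers must match, session numbers need not), here is an added example, my code and not part of the slides, that parses show monitor output collected from both switches and pairs remote source sessions with remote destination sessions by RSPAN VLAN, reporting any VLAN that has a source but no destination or vice versa. The inputs are constructed from the SW1 and SW2 outputs above (flattened to "key : value" lines) plus one extra destination session on SW2 that has no matching source.

```python
import re

def parse_show_monitor(output):
    """Parse (flattened) 'show monitor' output into {session_no: {field: value}}."""
    sessions, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Session (\d+)$", line)
        if m:
            current = sessions.setdefault(int(m.group(1)), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            if value.strip():  # skip group headers such as "Source Ports :"
                current[key.strip()] = value.strip()
    return sessions

def check_rspan(switches):
    """switches: {switch_name: show monitor text}. Return (pairs, problems)."""
    sources, dests, problems, pairs = {}, {}, [], []
    for sw, text in switches.items():
        for no, s in parse_show_monitor(text).items():
            if s.get("Type") == "Remote Source Session":
                port = s.get("Both") or s.get("Rx") or s.get("Tx")
                sources.setdefault(s.get("Dest RSPAN VLAN", "?"), []).append((sw, no, port))
            elif s.get("Type") == "Remote Destination Session":
                dests.setdefault(s.get("Source RSPAN VLAN", "?"), []).append(
                    (sw, no, s.get("Destination Ports")))
    for vlan in sorted(set(sources) | set(dests)):  # pair by RSPAN VLAN, not session number
        if vlan in sources and vlan in dests:
            pairs += [(vlan, src, dst) for src in sources[vlan] for dst in dests[vlan]]
        elif vlan in sources:
            problems.append(f"RSPAN VLAN {vlan}: source session(s) {sources[vlan]} have no destination")
        else:
            problems.append(f"RSPAN VLAN {vlan}: destination session(s) {dests[vlan]} have no source")
    return pairs, problems

# Constructed inputs modeled on the SW1 and SW2 outputs above, plus an extra
# destination session on SW2 whose RSPAN VLAN (101) has no matching source.
SW1_OUT = """SW1# show monitor
Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Fa0/7
Dest RSPAN VLAN : 100
"""
SW2_OUT = """SW2# show monitor
Session 3
---------
Type : Remote Destination Session
Source RSPAN VLAN : 100
Destination Ports : Fa0/8
Encapsulation : Native
Ingress : Disabled
Session 4
---------
Type : Remote Destination Session
Source RSPAN VLAN : 101
Destination Ports : Fa0/9
"""
```

check_rspan({"SW1": SW1_OUT, "SW2": SW2_OUT}) pairs SW1 session 2 with SW2 session 3 over VLAN 100 and flags SW2 session 4 as a destination with no source.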