Using The Mac Address Finder; Using Alarms To Monitor Potential Security Issues - Extreme Networks Ridgeline Guide Manual

Concepts and solutions guide

Managing Network Security

Using the MAC Address Finder

You may need to track down a specific host on your enterprise network. This host may be involved in
malicious activity, be a compromised source for virus infections, be using excessive bandwidth, or have
network problems. Ridgeline provides the IP/MAC Address Finder tool to locate any MAC address on
your network.
Ridgeline provides two ways to find a MAC address in your enterprise network.
If you have MAC Address Polling enabled, you can use a database search that searches the MAC FDB
information learned by Ridgeline's MAC Address Poller. The MAC Address Poller maintains a database
on the Ridgeline server of all MAC addresses associated with edge ports. An edge port is identified by
the absence of Extreme Discovery Protocol (EDP) or Link Layer Discovery Protocol (LLDP) packets on a
port. You can additionally disable MAC Address Polling on specific ports and switches. This is useful
for disabling polling on trunk ports on third-party switches (which Ridgeline will identify as edge ports,
as they do not use EDP or LLDP).
The MAC Address Poller determines the set of MAC addresses on the edge ports via the FDB database on
the switch. It also keeps track of the IP address(es) associated with the MAC address using the IP ARP
cache on the switch. The database search is faster than the network search, although the database may
be less up to date, as a full MAC address poll cycle can take a reasonably long time. However, if you
want to identify the switch port where the host is connecting to the network, then a database search has
the advantage of automatically ignoring trunk ports.
Ridgeline also provides a full network search to search the forwarding database (FDB) and IP ARP
cache on selected switches. A network search has the advantage of searching the most up to date source
of data. However, the network search is slower because it must contact each switch directly. It also does
not always report the correct IP address associated with a MAC address/VLAN port when the MAC
address is mapped to multiple IP addresses on the switch.
If you want to determine how a MAC address is propagating through the network aggregation layer,
you should use a network search.
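
The difference between the two searches can be seen in a small model. The following Python sketch is an added illustration, not Ridgeline code: the switch names, ports, addresses and function names are all constructed, and it only mirrors the rules stated above (edge port = no EDP/LLDP neighbor, polling can be disabled per port, IPs come from the ARP cache).

```python
# Constructed sample data (not from a real switch or from Ridgeline).
FDB = [  # (switch, port, vlan, mac) rows as read from each switch's FDB
    ("edge-1", "1:5", "users", "00:11:22:33:44:55"),   # host's access port
    ("edge-1", "1:48", "users", "00:aa:bb:cc:dd:01"),  # learned on the uplink
    ("core-1", "2:1", "users", "00:11:22:33:44:55"),   # trunk, EDP/LLDP seen
    ("agg-1", "3:9", "users", "00:11:22:33:44:55"),    # third-party trunk
]
ARP = [  # (switch, ip, mac) rows from the IP ARP cache
    ("core-1", "10.0.0.21", "00:11:22:33:44:55"),
    ("core-1", "10.0.0.22", "00:11:22:33:44:55"),      # same MAC, second IP
]
NEIGHBOR_PORTS = {("edge-1", "1:48"), ("core-1", "2:1")}  # EDP/LLDP received
POLLING_DISABLED = {("agg-1", "3:9")}  # no EDP/LLDP, excluded by the operator

def norm(mac):
    """Normalize a MAC written with ':', '-' or '.' separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_edge(switch, port):
    """Edge port: no EDP/LLDP neighbor seen and polling not disabled."""
    return (switch, port) not in NEIGHBOR_PORTS | POLLING_DISABLED

def ips_for(mac):
    """All IPs the ARP cache maps to this MAC (there may be several)."""
    return sorted({ip for _, ip, m in ARP if norm(m) == mac})

def build_poll_db():
    """What a poll cycle would store: MACs seen on edge ports only."""
    db = {}
    for switch, port, vlan, mac in FDB:
        if is_edge(switch, port):
            db.setdefault(norm(mac), []).append((switch, port, vlan))
    return db

def database_search(db, mac):
    """Fast lookup in the polled data; trunk ports never appear."""
    mac = norm(mac)
    return {"ports": db.get(mac, []), "ips": ips_for(mac)}

def network_search(mac):
    """Live view: every FDB entry for the MAC, trunk ports included."""
    mac = norm(mac)
    return [(s, p, v) for s, p, v, m in FDB if norm(m) == mac]
```

Here `database_search` returns only the access port on `edge-1`, while `network_search` also returns the trunk entries on `core-1` and `agg-1`, which is the view needed to follow a MAC address through the aggregation layer.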

Using Alarms to Monitor Potential Security Issues

The Ridgeline Alarm Manager allows you to create custom alarm conditions on any supported MIB
object known to Ridgeline. Using the Alarm Manager, you can set up alarms for alerting you to critical
security problems within your network. An example of this would be creating an alarm to notify you of
a potential Denial of Service (DoS) attack.
A DoS attack occurs when a critical network or computing resource is overwhelmed so that legitimate
requests for service cannot succeed. In its simplest form, a DoS attack is indistinguishable from normal
heavy traffic. Extreme Networks switches are not vulnerable to this simple attack because they are
designed to process packets in hardware at wire speed. However, there are some operations in any
switch or router that are more costly than others, and although normal traffic is not a problem,
exception traffic must be handled by the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
- Learning new traffic
- Routing and control protocols including ICMP, BGP and OSPF
- Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)

This manual is also suitable for:

Ridgeline 3.0