How to Control MAC Address Flooding With SolarWinds
In order to alert us to flooding attacks, we needed to monitor the number of available spaces in the MAC address table. Our first thought was to utilise SNMP, but this value is not usually available in the SNMP MIB files of many devices, so we had to think outside the box.
Our second thought was to mimic the way we monitor this metric in the real world. The way we normally do it is by executing a command in the CLI which returns this value.
For example, for Cisco IOS devices this would be: show mac address-table count.
SAM is a tool that allows us to use different protocols (WMI, FTP, HTTP, DNS, SSH…) in order to monitor servers, network devices and applications, and one of the main means to monitor these is to use PowerShell scripts.
PowerShell is a command-line shell created for system administrators that includes an interactive prompt and a scripting environment that can be used independently or in combination. It is built on top of the .NET Framework Common Language Runtime (CLR) and the .NET Framework, and accepts and returns .NET Framework objects. In English, this means by using PowerShell you can get any information you need almost instantly.
SOLUTION
In order to monitor the total number of MAC address spaces available, Prosperon have created a PowerShell script that performs the following steps:
- connects to a network device using SSH
- executes the command that displays the number of available MAC addresses in the MAC address table
- parses the output in order to extract the number of MAC address spaces available
- returns this value to SolarWinds SAM and stores it in the database
Once we have this value we can use any of the SolarWinds features such as alerting, reporting, views or even maps to display or alert on this metric.
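The parsing and return steps above can be sketched as follows. This is an added example, not Prosperon's script: the SSH step is replaced by a constructed sample of the command output so it runs offline, and the function names and the exact output layout are assumptions.

```powershell
# Constructed sample of 'show mac address-table count' output. The layout is an
# assumption; the wording differs between platforms and IOS versions.
$sampleOutput = @'
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count  : 412
Static  Address Count  : 0
Total Mac Addresses    : 412

Total Mac Address Space Available: 7780
'@

function Get-MacSpaceAvailable {
    param([string]$CliOutput)
    # Anchor on the summary line and tolerate spacing changes around the colon.
    $pattern = '(?im)^\s*Total\s+Mac\s+Address\s+Space\s+Available\s*:\s*(\d+)\s*$'
    $match = [regex]::Match($CliOutput, $pattern)
    if ($match.Success) { return [int]$match.Groups[1].Value }
    return $null   # banner, error text or an empty SSH session: nothing to report
}

function Get-SamResult {
    param([string]$CliOutput)
    $free = Get-MacSpaceAvailable -CliOutput $CliOutput
    # Compare against $null explicitly: 0 is a valid reading (table full).
    if ($null -eq $free) {
        # Exit code 1 marks the component Down, so a failed parse is never
        # mistaken for a healthy table.
        return [pscustomobject]@{
            Lines    = @('Message: MAC address space not found in CLI output')
            ExitCode = 1
        }
    }
    return [pscustomobject]@{
        Lines    = @("Statistic: $free", "Message: $free MAC address table entries available")
        ExitCode = 0   # Up; warning and critical thresholds are set on the monitor in SAM
    }
}

# In SAM, $sampleOutput would be the text returned by the SSH session.
$result = Get-SamResult -CliOutput $sampleOutput
$result.Lines | ForEach-Object { Write-Host $_ }
exit $result.ExitCode
```

SAM script monitors read the `Statistic:` and `Message:` lines from the script output and map the exit code to the component status, which is what the alerting on this metric keys on.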
PROBLEM SOLVED!
Once we have applied this template in our SolarWinds installation, it will gather the number of MAC address table spaces available, and SolarWinds will email us an alert every time there is a potential MAC flooding attack.
As you can see, this method of passing outputs generated by CLI commands is extremely flexible and allows you to monitor elements of your network that other monitoring methods cannot.
Training Course: SolarWinds Training Courses
Raul Gonzalez
Technical Manager
Raul Gonzalez is the Technical Manager at Prosperon Networks. As a Senior SolarWinds and NetBrain Engineer for over seven years, Raul has helped hundreds of customers meet their IT monitoring needs with SolarWinds and NetBrain Solutions.