7.15. Analyze Trunk Port Status
This job aims to ensure the integrity and security of trunk ports within the network infrastructure by identifying and addressing potential anomalies or security risks, such as unauthorized devices connected to trunk ports.
The process consists of the following phases:
A syslog event indicating a link-up is received.
The port is checked against the parameters specified in the configuration file to determine whether it is configured as a trunk port.
If it is, a job is sent to the Core using the script defined within the configuration file.
To ensure the proper functioning of this workflow, it is essential to apply the configurations outlined in the following section.
7.15.1. Aggregator configuration
To enable the execution of the job, from the aggregator node, execute the following steps:
Enable the “external_syslog” pipeline in the /etc/logstash/pipelines.yml file:
- pipeline.id: external_syslog
  path.config: "/etc/logstash/external_syslog/conf.d/*.conf"
Open UDP port 5003 in the iptables firewall by adding the following line to the /etc/sysconfig/iptables file:
-A INPUT -p udp -m state --state NEW -m udp --dport 5003 -j ACCEPT
Configure the property flags defined in the /etc/default/opennac file as follows:
SYSLOG_PARSE_SWITCH_TRUNK_PORT="true"
SYSLOG_SWITCH_TRUNK_PORT_LIST="[1,48]"
SYSLOG_SWITCH_TRUNK_PORT_COMMAND="/usr/share/opennac/aggregator/scripts/switch_trunk_port_cmd.sh"
To test the configuration, use sample syslog messages from the network device:
Sample syslog message:
1 1705934333.933893979 SWCXB09768_00_01 events port 48 status changed from down to 1Gfdx
Send the syslog from an external IP to the Aggregator (in this case, 10.20.30.100):
echo "1 1705934333.933893979 SWCXB09768_00_01 events port 1 status changed from down to 1Gfdx" | nc -4u -w1 10.20.30.100 5003
7.15.1.1. Job execution logic
MAC Retrieval: Initially, the job retrieves the list of MAC addresses learned on the port.
Identification of Network Devices: Valid network devices connected to the ports are identified based on their MAC addresses and a predefined MAC vendor list.
IP Retrieval: The IP addresses associated with the identified MAC addresses are retrieved from the network gateway’s ARP table.
Validation of Network Devices: Each identified network device is validated by checking specific properties, such as connecting via SNMP using corporate credentials.
Analysis of Results: The results are analyzed based on the following criteria:
If no MAC addresses are found on the port, an alert is sent.
If no valid network devices are found on the port, an alert is sent.
If a MAC address belongs to a network device but that device cannot be accessed with the corporate credentials, an alert is sent.
Example of alert messages:
Network device is not a known corporate network device
MACs not found in switch port
Error retrieving ARP information on firewall
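The following Python script is an added illustration of the workflow above, not the project's own switch_trunk_port_cmd.sh: it parses the sample link-up syslog line, applies the trunk-port list from the configuration, and then walks the job's analysis criteria over constructed MAC, vendor, ARP and SNMP data. The MAC addresses, the OUI vendor list, the ARP table, the snmp_reachable callback and the mapping of each criterion to one of the three alert strings are assumptions made for the example.

```python
import re

# Values mirroring the page's configuration; MAC, vendor, ARP and SNMP data are constructed samples.
TRUNK_PORTS = [1, 48]          # SYSLOG_SWITCH_TRUNK_PORT_LIST="[1,48]"
CORPORATE_OUIS = {"00:11:22"}  # constructed MAC vendor (OUI) list of corporate network devices
LINKUP_RE = re.compile(
    r"^\S+ \S+ (?P<switch>\S+) events port (?P<port>\d+) status changed from down to \S+$")


def parse_linkup(line):
    """Return (switch, port) for a link-up syslog event, or None for any other line."""
    m = LINKUP_RE.match(line.strip())
    return (m.group("switch"), int(m.group("port"))) if m else None


def should_trigger_job(line):
    """Phase 2: only a link-up on a port listed as a trunk triggers the job on the Core."""
    event = parse_linkup(line)
    return event is not None and event[1] in TRUNK_PORTS


def analyze_trunk_port(macs, arp_table, snmp_reachable):
    """Job execution logic: return the alert messages raised for the port (empty list = no alert).
    arp_table is {mac: ip} from the gateway, or None when the ARP lookup failed;
    snmp_reachable(ip) stands in for the SNMP check with corporate credentials (assumed callback)."""
    if not macs:
        return ["MACs not found in switch port"]
    # identify network devices by matching the OUI (first three octets) against the vendor list
    devices = [m for m in macs if m.lower()[:8] in CORPORATE_OUIS]
    if not devices:
        return ["Network device is not a known corporate network device"]
    if arp_table is None:
        return ["Error retrieving ARP information on firewall"]
    alerts = []
    for mac in devices:
        ip = arp_table.get(mac)
        if ip is None or not snmp_reachable(ip):
            alerts.append("Network device is not a known corporate network device")
    return alerts


if __name__ == "__main__":
    line = "1 1705934333.933893979 SWCXB09768_00_01 events port 48 status changed from down to 1Gfdx"
    print(should_trigger_job(line))  # True: port 48 is in the trunk list
    print(analyze_trunk_port(["00:11:22:aa:bb:cc"], {"00:11:22:aa:bb:cc": "10.0.0.2"},
                             lambda ip: ip == "10.0.0.2"))  # []: device found, resolved and reachable
```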
7.15.2. Network Devices Syslog Dashboard
Finally, once the syslog messages have been parsed and sent to the Core, you can visualize the retrieved data on the Network Devices Syslog Dashboard.