Admin Guide - Network Problems and Solutions
Introduction
Modern network infrastructures underpin the daily operations of businesses and individuals. However, these complex systems are also prone to problems and disruptions. This guide addresses 10 common and current network problems that can occur at different layers of the OSI model (L1-L7), clearly defines each of these problems, and provides step-by-step solutions. The goal is to provide a practical resource to help network administrators and technical staff effectively diagnose and resolve such problems. Each problem is examined in detail, along with its definition, causes, symptoms, troubleshooting steps, and solution/prevention strategies.
Examined Network Problems and Solutions:
- MAC Address Spoofing and Port Security
- DHCP Scope Exhaustion
- Unauthorized DHCP Server (Rogue DHCP Server)
- OSPF Authentication Key Mismatch
- Co-Channel Interference - Wireless Network Problem
- Duplex and Speed Mismatch (Duplex/Speed Mismatch)
- Access Control List (ACL) Configuration Issues
- Wrong Routing
- Broadcast Storm
- VLAN Misconfiguration
🔒 1. MAC Address Spoofing
Network Layer: Data Link Layer (L2)
Packet Tracer Files:
MAC Address Spoofing is an attack method that allows an attacker in a network environment to appear as an authorized device by spoofing the MAC address of another device. Such attacks violate network security by manipulating the MAC address learning mechanism of switches.
Technical Cause(s):
- If Port Security is not configured on the switch, devices can change MAC addresses through ports.
- If the switch does not keep the learned MAC address as sticky, the attacker can trick the port with a fake address.
- If advanced security measures such as 802.1X, DHCP Snooping, Dynamic ARP Inspection are not used in the network, it is open to such spoofing attacks.
🛠️ Solution Steps:
MAC spoofing can be prevented by configuring Port Security + Sticky MAC to the relevant ports on Cisco switches.
📌 Step 1: Put Port in Access Mode
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
📌 Step 2: Enable Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Switch# write memory
maximum 1: allows only one device.
mac-address sticky: automatically learns and saves the MAC address.
violation restrict: blocks traffic without closing the port if another MAC is detected.
📌 Step 3: Viewing Port Security Status
Switch# show port-security interface FastEthernet0/1
✅ Result:
When Port Security and Sticky MAC configuration is applied:
- The switch only allows traffic to the port from the first learned MAC address.
- Other addresses coming with MAC spoofing are automatically blocked.
- Unauthorized access to the network and damage by fake devices are prevented.
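Before Port Security is in place, the spoofing described above shows up in the switch's MAC address table: an address that was learned on one port suddenly appears on another, or a port learns more addresses than a single host should present. The following script is an added example (not part of this guide or its Packet Tracer files) that parses two constructed "show mac address-table" snapshots and reports exactly those two conditions; the output format and MAC addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample output of "show mac address-table", captured at two
# points in time on a switch without port security (not from the page's lab).
SNAPSHOT_BEFORE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.4242.aaaa    DYNAMIC     Fa0/1
   1    0002.1717.bbbb    DYNAMIC     Fa0/2
   1    0003.9999.cccc    DYNAMIC     Fa0/3
"""
SNAPSHOT_AFTER = """\
   1    0001.4242.aaaa    DYNAMIC     Fa0/7
   1    0002.1717.bbbb    DYNAMIC     Fa0/2
   1    0003.9999.cccc    DYNAMIC     Fa0/3
   1    0004.dead.beef    DYNAMIC     Fa0/3
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return {(vlan, mac): port} from show mac address-table output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, _typ, port = m.groups()
            table[(int(vlan), mac.lower())] = port
    return table

def find_mac_moves(before, after):
    """MACs now learned on a different port than before. A host address
    suddenly appearing on another port is the spoofing symptom described
    in this section (a switching loop produces the same churn)."""
    moves = []
    for key, old_port in before.items():
        new_port = after.get(key)
        if new_port and new_port != old_port:
            moves.append((key[1], old_port, new_port))
    return moves

def ports_over_limit(table, maximum=1):
    """Ports carrying more MACs than 'switchport port-security maximum' allows."""
    per_port = defaultdict(set)
    for (_vlan, mac), port in table.items():
        per_port[port].add(mac)
    return {p: sorted(macs) for p, macs in per_port.items() if len(macs) > maximum}

if __name__ == "__main__":
    before, after = parse_mac_table(SNAPSHOT_BEFORE), parse_mac_table(SNAPSHOT_AFTER)
    print("moved:", find_mac_moves(before, after))
    print("over limit:", ports_over_limit(after))
```

Run against periodic captures of the real table, the two functions give you an alert before Port Security is rolled out, and a way to confirm afterwards that the limit is respected.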
🌐 2. DHCP Scope Exhaustion
Network Layer: Network Layer (L3)
Packet Tracer Files:
DHCP_scope_exhaustion.pkt
DHCP_scope_exhaustion_fixed_submask.pkt
DHCP Scope Exhaustion is when the IP address pool of the DHCP server is exhausted. This can occur either because a malicious attacker sends fake DHCP Discover packets (DHCP starvation attack) or because the number of devices on the network exceeds the pool. As a result, new devices cannot be assigned IP addresses and cannot access the network.
Technical Cause(s):
- The address block defined in the DHCP pool may be small (for example: /28 → only 14 devices).
- A large number of devices outside the address range defined for DHCP may be trying to connect.
- An attacker may be obtaining all IP addresses by sending fake DHCP Discover packets.
- If the network lacks protection mechanisms such as DHCP Snooping, such attacks can easily occur.
🛠️ Solution Steps:
📌 Step 1: Expand IP Pool
The problematic configuration may have used a small subnet. Reconfigure with a larger subnet as below:
📌 Step 2: Define Multiple DHCP Pools if Required
If the network is partitioned, you can use a separate DHCP pool for each VLAN:
Switch(config)# ip dhcp pool GENISHAVUZ
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# default-router 10.10.10.1
🚨 3. Rogue DHCP Server
Network Layer: Network Layer (L3)
Packet Tracer Files:
rogue_dhcp.pkt (problematic scenario)
rogue_dhcp_fixed.pkt (solved scenario)
Rogue DHCP Server is when an unauthorized device (usually an attacker's computer or a misconfigured router) distributes IP addresses to the network pretending to be a DHCP server. This device can route network traffic or monitor users by sending incorrect network settings (e.g. wrong gateway, DNS) to clients.
Technical Cause(s):
- A device on the network is running the DHCP service in an unauthorized manner.
- DHCP Snooping feature is disabled on switches.
- DHCP messages are forwarded to all ports, so clients accept whatever server they receive a response from.
- The boundaries of the network (e.g. secure/vulnerable ports) are not defined.
🛠️ Solution Steps:
📌 Step 1: Enable DHCP Snooping
Allow only authorized DHCP servers to be used:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 1
📌 Step 2: Only Allow Trusted Ports
Only the port to which the authorized DHCP server is connected is trusted:
Switch(config)# interface FastEthernet0/1
Switch(config-if)# ip dhcp snooping trust
All client ports should be untrusted (ports are untrusted by default):
Switch(config)# interface range FastEthernet0/2 - 24
Switch(config-if-range)# no ip dhcp snooping trust
📌 Step 3: Check DHCP Snooping Status
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Result:
- Now only DHCP responses from designated (trusted) ports are accepted.
- Fake DHCP servers cannot issue IPs to clients.
- No network confusion, stable internet connection.
- DHCP security is increased.
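The decision DHCP Snooping makes on every frame is simple enough to model in a few lines, and doing so shows why the trusted-port boundary is what stops the rogue server. This is an added example, not code from this guide or from Cisco IOS: it replays a constructed DISCOVER/OFFER/REQUEST/ACK exchange in which an authorized server on Fa0/1 and a rogue server on Fa0/9 both answer a client on Fa0/5, drops server messages that arrive on untrusted ports, and builds the binding table from the ACKs that pass. Port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class DhcpMessage:
    port: str            # switch port the frame arrived on
    kind: str            # DISCOVER, OFFER, REQUEST, ACK, NAK
    client_mac: str
    server_ip: str = ""  # DHCP server identifier (server messages only)
    your_ip: str = ""    # address handed out (OFFER/ACK)

SERVER_KINDS = {"OFFER", "ACK", "NAK"}

def snoop(messages, trusted_ports):
    """Model of the switch's DHCP snooping decision: server messages are
    accepted only from trusted ports; ACKs that pass populate the binding
    table (client MAC -> leased IP, client port, serving server).
    Returns (bindings, dropped_messages). In this model the most recent
    accepted ACK for a client wins."""
    client_ports = {}
    bindings = {}
    dropped = []
    for m in messages:
        if m.kind in SERVER_KINDS:
            if m.port not in trusted_ports:
                dropped.append(m)          # rogue server on an untrusted port
                continue
            if m.kind == "ACK":
                bindings[m.client_mac] = {"ip": m.your_ip, "server": m.server_ip,
                                          "port": client_ports.get(m.client_mac)}
        else:
            client_ports[m.client_mac] = m.port   # DISCOVER/REQUEST from a client
    return bindings, dropped

# Constructed exchange: the authorized server (10.0.0.1) sits on Fa0/1, a rogue
# server (10.0.0.66) on Fa0/9 keeps answering the same client on Fa0/5.
PC = "000a.0b0c.0d0e"
EXCHANGE = [
    DhcpMessage("Fa0/5", "DISCOVER", PC),
    DhcpMessage("Fa0/9", "OFFER", PC, server_ip="10.0.0.66", your_ip="10.0.0.200"),
    DhcpMessage("Fa0/1", "OFFER", PC, server_ip="10.0.0.1", your_ip="10.0.0.50"),
    DhcpMessage("Fa0/5", "REQUEST", PC),
    DhcpMessage("Fa0/1", "ACK", PC, server_ip="10.0.0.1", your_ip="10.0.0.50"),
    DhcpMessage("Fa0/9", "ACK", PC, server_ip="10.0.0.66", your_ip="10.0.0.200"),
]

def with_snooping():
    """Only Fa0/1 trusted, as in Step 2 above."""
    return snoop(EXCHANGE, trusted_ports={"Fa0/1"})

def without_snooping():
    """Every port trusted is equivalent to snooping disabled."""
    return snoop(EXCHANGE, trusted_ports={"Fa0/1", "Fa0/5", "Fa0/9"})

if __name__ == "__main__":
    print("snooping on :", with_snooping())
    print("snooping off:", without_snooping())
```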
🔑 4. OSPF Authentication Key Mismatch
Network Layer: Network Layer (L3)
Packet Tracer Files:
ospf_key_mismatch.pkt (problematic scenario)
ospf_key_mismatch_fixed.pkt (solved scenario)
OSPF (Open Shortest Path First) is an Interior Gateway Protocol used to share routing information between routers. The OSPF authentication mechanism allows only routers whose passwords match to establish adjacency. When the keys do not match, OSPF adjacency cannot be established and routing fails.
- No OSPF adjacency is established between routers.
- The show ip ospf neighbor command returns an empty list.
- The routing information of the neighbor router does not appear in the show ip route output.
Technical Cause(s):
- OSPF Authentication is active between two routers but the key values do not match.
- The OSPF authentication type (e.g. MD5) is defined on one router but not on the other.
- Routers are in the same area but configured with different password or key-id.
🛠️ Solution Steps:
📌 Step 1: Make Sure Authentication is Enabled in OSPF
Authentication on OSPF is configured on both routers as follows:
Router(config)# interface FastEthernet0/0
Router(config-if)# ip ospf authentication message-digest
📌 Step 2: Configure the correct MD5 Key
Both routers must use the same key-id and key-string:
Router(config-if)# ip ospf message-digest-key 1 md5 Alperen123
1: is the key ID and must be identical on both routers.
Alperen123: is the shared password and must match exactly.
📌 Step 3: Check OSPF Configuration
Router# show ip ospf interface FastEthernet0/0
Router# show ip ospf neighbor
Result:
- OSPF neighborhood is established because the routers now use the same authentication key.
- The routing tables are updated.
- The network automatically calculates the shortest path and the transmission goes smoothly.
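Why both the key-id and the key-string have to match becomes clear from how OSPFv2 message-digest authentication works: the sender appends the 16-byte key to the packet, computes MD5 over the result, and ships the digest with the packet; the receiver looks up the key-id from the header in its own configuration and recomputes. The following is an added example (not from this guide or from any router software) that models that check on a constructed, simplified Hello header; it assumes Cisco-style zero-padding of a short key-string to 16 bytes.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16          # OSPFv2 cryptographic authentication key field size
DIGEST_LEN = 16       # MD5 digest appended after the packet
AU_CRYPTOGRAPHIC = 2  # AuType value for message-digest authentication

def pad_key(key_string):
    """Assumed Cisco-style handling: key-string zero-padded to 16 bytes."""
    return key_string.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")

def build_hello(router_id, key_id, seq):
    """Constructed, simplified OSPF header: version, type (1 = Hello), router ID,
    AuType, Key ID, Auth Data Length, cryptographic sequence number.
    Real packets carry more fields; these are the ones the digest check uses."""
    rid = bytes(int(o) for o in router_id.split("."))
    return struct.pack("!BB4sHBBI", 2, 1, rid, AU_CRYPTOGRAPHIC, key_id, DIGEST_LEN, seq)

def sign(packet, key_id, keys):
    """Sender side (RFC 2328 Appendix D): digest = MD5(packet || padded key),
    appended after the packet. 'keys' is the router's {key-id: key-string}."""
    digest = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return packet + digest

def verify(wire, keys):
    """Receiver side: look the Key ID up in the local configuration, recompute
    the digest and compare. A missing key-id or a different key-string both
    mean the Hello is discarded, so no adjacency forms."""
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    key_id = packet[8]                       # byte offset of Key ID in build_hello()
    if key_id not in keys:
        return False, f"unknown key-id {key_id}"
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    r1_keys = {1: "Alperen123"}                    # key from Step 2 above
    wire = sign(build_hello("1.1.1.1", 1, 100), 1, r1_keys)
    print("same key      :", verify(wire, {1: "Alperen123"}))
    print("wrong string  :", verify(wire, {1: "Alperen124"}))
    print("wrong key-id  :", verify(wire, {2: "Alperen123"}))
```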
🧩 5. VLAN Misconfiguration
Network Layer: Data Link Layer (L2)
Packet Tracer Files:
vlan_misconfig.pkt (problematic scenario)
vlan_misconfig_fixed.pkt (solved scenario)
A VLAN (Virtual Local Area Network) configuration error occurs when VLANs are incorrectly assigned on the switch or access ports are not included in the appropriate VLAN. As a result, devices that are supposed to be in the same VLAN cannot communicate with each other.
- Two clients on the same switch cannot ping each other.
- Network segments become isolated from each other, communication cannot be provided.
- In the show vlan brief output, the ports to which the devices are connected may be assigned to different VLANs.
- If the DHCP server is in another VLAN, the client cannot receive IP.
Technical Cause(s):
- Access ports may be assigned to the wrong VLAN.
- The relevant VLAN may not be created on the switch.
- Trunk ports may not be carrying the VLAN.
- There may be a lack of subinterface or encapsulation error in the router-on-a-stick configuration.
🛠️ Solution Steps:
📌 Step 1: Create VLANs
First make sure that VLANs are defined:
Switch(config)# vlan 10
Switch(config-vlan)# name Finance
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name HR
📌 Step 2: Assign Ports to the Correct VLAN
Include the port to which each device is connected to the relevant VLAN:
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
📌 Step 3: Make Sure Trunk Ports Carry VLANs
If there is a trunk connection between the two switches, the relevant VLANs must be passing over the trunk:
Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20
📌 Step 4: Verify VLAN Status
Switch# show vlan brief
Switch# show interfaces trunk
Result:
- Devices assigned to the same VLAN can now see each other.
- Network access is provided.
- VLANs are transported over the trunk connection.
- DHCP or gateway access works properly.
🔁 6. STP Loop (Switching Loop)
Network Layer: Data Link Layer (L2)
Packet Tracer Files:
stp_loop_problem.pkt (problem scenario)
stp_loop_fixed.pkt (solved scenario)
Switches are Layer 2 devices and do not do routing. When there is a loop connection between multiple switches, the same ethernet frame can continuously travel through the network, creating a broadcast storm. This causes the entire network to crash, CPU utilization skyrockets and devices become unreachable.
- The lights of all switches start blinking rapidly.
- All devices connected to the network cannot respond to the ping.
- MAC tables may be constantly changing when viewed with the show mac address-table command.
- The network connection is completely lost over time.
Technical Cause(s):
- There are connections between two or more switches that form a loop.
- STP (Spanning Tree Protocol) is disabled or misconfigured.
- All ports are operating in forwarding mode (none are blocked).
- Root Bridge selection was not done manually and an inappropriate switch is the root.
Solution Steps:
📌 Step 1: Make Sure STP is Enabled
STP is enabled by default in Cisco IOS, but check anyway:
Switch# show spanning-tree
If STP is not active, re-enable it:
Switch(config)# spanning-tree vlan 1
📌 Step 2: Manually Determine Root Bridge (Recommended)
It is recommended that the most central switch in the network is the root. For this, the root bridge is given a low priority value:
Switch(config)# spanning-tree vlan 1 priority 4096
Default priority: 32768
A lower value makes it root.
📌 Step 3: Remove / Block Unnecessary Connections (Workaround)
Temporarily close the connection causing the loop:
Switch(config)# interface FastEthernet0/24
Switch(config-if)# shutdown
📌 Step 4: Monitor STP Status
Switch# show spanning-tree vlan 1
This command shows which ports are in forwarding mode and which are in blocking mode.
Conclusion:
- When STP is enabled, the network loop is automatically blocked.
- The broadcast storm ends, the network connection becomes healthy again.
- Network performance improves and access returns to normal.
🔐 7. Port Security Violation
Network Layer: Data Link Layer (L2)
Packet Tracer Files:
port_security_violation.pkt (problematic scenario)
port_security_fixed.pkt (solved scenario)
Port Security is a security measure that allows only certain devices (MAC addresses) to connect to each port on the switch. When this feature is enabled, when an undefined MAC address is connected to the port, the switch can close the port (shutdown), drop packets, or simply generate logs.
This feature is used to prevent unauthorized users from physically accessing the network. However, if configured incorrectly, it can cause connectivity problems on the network.
- When a new computer is connected, it cannot access the network.
- The switch port becomes err-disabled.
- Security violation messages are seen in the output of the show port-security and show interfaces status commands.
- The lights may be off or the connection may appear "down".
Technical Cause(s):
- Port security is turned on, but a different MAC address is connected.
- The maximum number of MAC addresses has been exceeded.
- The action to be taken in case of a security breach is set to "shutdown".
- The MAC address was learned dynamically, and when the device on the port was replaced, the new address triggered a violation.
Solution Steps:
📌 Step 1: Check Port Security Setting
Switch# show port-security interface FastEthernet0/1
Here you can see the port status (Secure-shutdown, Secure-active), the registered MAC addresses and the violation status.
📌 Step 2: Reconfigure Port Security
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Description:
maximum 1: Allows only 1 MAC address.
violation restrict: Only drops packets in violation, does not close the port.
mac-address sticky: Automatically learns and records the MAC address of the first connected device.
📌 Step 3: Reactivate the Port (If Shutdown)
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Conclusion:
- Now only authorized devices can connect to this port.
- When a new device connects, if it is not authorized, the port does not close, it rejects packets (restrict).
- Network security increases, switch takes physical security under control.
🌐 8. Inter-VLAN Routing Failure
Network Layer: Network Layer (L3)
Packet Tracer Files:
intervlan_routing_problem.pkt (problem scenario)
intervlan_routing_fixed.pkt (solved scenario)
Since switches are Layer 2 devices, they cannot perform routing between different VLANs. A Layer 3 device (router or L3 switch) is required to communicate between VLANs. If the router-on-a-stick (VLAN routing with sub-interfaces on the router) is misconfigured, communication between VLANs is completely cut off.
- Clients in different VLANs cannot ping each other.
- All devices can communicate in their own VLAN, but cannot communicate with external VLANs.
- A timeout is received when pinging the default gateway.
- Routes between VLANs are not visible in the show ip route output.
Technical Cause(s):
- Router subinterfaces are not created.
- The encapsulation dot1Q command is missing, or the wrong VLAN ID is entered on the subinterfaces.
- The port to the router on the switch is not set as trunk.
- The default gateway of the clients is wrong.
Solution Steps:
📌 Step 1: Configure Trunk Port on Switch
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode trunk
The port to which the router is connected must be trunk.
📌 Step 2: Create Subinterfaces on the Router
Router(config)# interface FastEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config)# interface FastEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
A subinterface must be defined for each VLAN.
📌 Step 3: Give Clients the Right Default Gateway
For clients on VLAN 10:
Default Gateway: 192.168.10.1
For VLAN 20:
Default Gateway: 192.168.20.1
📌 Step 4: Test
PC1 > ping 192.168.20.10
Routing is successful if the devices can ping despite being on different VLANs.
Conclusion:
- With router-on-a-stick, devices in different VLANs communicate with each other.
- Network segmentation is maintained, but the necessary routing is provided.
- Services such as DHCP relay also work correctly.
📡 9. DHCP Conflict or Failure
Network Layer: Network Layer (L3)
Packet Tracer Files:
dhcp_failure_problem.pkt (problem scenario)
dhcp_failure_fixed.pkt (resolved scenario)
DHCP (Dynamic Host Configuration Protocol) allows clients to obtain IP addresses and other network information automatically. However, when the DHCP server is misconfigured or conflicts occur, clients fall back to an automatic IP (APIPA) or are disconnected.
- Clients receive APIPA (Automatic Private IP Addressing) addresses such as 169.254.x.x.
- Ping does not work, there is no network access.
- Devices in the VLAN to which the DHCP server is connected can receive IP while others cannot.
- IP cannot be obtained with the ipconfig /renew command.
- When the client is clicked in Packet Tracer, the IP address field shows "DHCP Failed".
Technical Cause(s):
- DHCP server is connected to the wrong VLAN.
- DHCP Relay Agent (ip helper-address) is not configured on the router.
- The IP range of the DHCP pool is incorrect or exhausted.
- DHCP services are disabled.
- Two DHCP servers are running on the same network and there is a conflict.
Solution Steps:
📌 Step 1: Check if the DHCP Server is connected to the correct VLAN
The DHCP server must be on the same VLAN as the clients, or ip helper-address must be defined if there is routing in between.
📌 Step 2: Create DHCP Pool
Create the DHCP pool on the router as follows:
Router(config)# ip dhcp pool VLAN10
Router(dhcp-config)# network 192.168.10.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.10.1
Router(dhcp-config)# dns-server 8.8.8.8
Router(dhcp-config)# lease 1
Router(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
📌 Step 3: Add ip helper-address for DHCP Access from Outside VLAN
If the client is in another VLAN and DHCP is in another VLAN:
Router(config)# interface FastEthernet0/0.20
Router(config-subif)# ip helper-address 192.168.10.5
The IP address here is the IP of the DHCP server.
📌 Step 4: Check DHCP Status
Router# show ip dhcp binding
Router# show ip dhcp pool
On the client: ipconfig /renew
Outcome:
- All clients get the correct IP addresses.
- APIPA addressing is eliminated.
- Network services work properly (DNS, gateway, etc.).
- Clients in different VLANs can receive IP thanks to DHCP relay (helper-address).
🚫 10. Access Control List (ACL) Misconfiguration
Network Layer: Network Layer (L3)
Packet Tracer Files:
acl_misconfig_problem.pkt (problem scenario)
acl_misconfig_fixed.pkt (solved scenario)
ACLs are used to block or allow specific network traffic. However, a misconfigured ACL can also block the desired traffic, causing communication problems between devices.
For example, an ACL written in the wrong order or a blanket deny rule can shut down the entire network.
- Devices cannot ping each other.
- Services such as Web/DNS/FTP are not accessible.
- The show access-lists output indicates that too much traffic is blocked.
- No client can access specific ports or networks.
Technical Cause(s):
- Permit was mistakenly replaced by deny.
- The order of the rules is incorrect (ACLs work from top to bottom).
- ACL applied to the correct interface but in the wrong direction (inbound/outbound).
- By default, every ACL has an invisible deny any rule at the end.
- The source or destination IP addresses are incorrectly defined.
🛠️ Solution Steps:
📌 Step 1: Check ACL Content
Router# show access-lists
The order and type of rules written here should be examined.
📌 Step 2: Check Interface and Direction
Router# show run | include access-group
Check which ACLs are applied to which interfaces, and in which direction (in or out).
Router(config)# interface FastEthernet0/0
Router(config-if)# ip access-group 101 in
📌 Step 3: Edit or Delete and Recreate ACL
Example of a numbered ACL:
Router(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any
Named ACL configuration:
Router(config)# ip access-list extended BLOCK_WEBSITES
Router(config-ext-nacl)# deny tcp any any eq 80
Router(config-ext-nacl)# permit ip any any
📌 Step 4: Test ACL
- Attempt to access the website from the clients.
- A ping test verifies which traffic is being passed or blocked.
Result:
- ACLs now work correctly, blocking only unwanted traffic.
- Network security is maintained but communication is not interrupted.
- Clients get controlled access to certain services.
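The three causes that do the most damage in practice, wrong rule order, the implicit deny any, and a wildcard mask that covers the wrong hosts, can all be checked offline before a change is pushed to the router. The following evaluator is an added example (not part of this guide or of Cisco IOS): it parses entries written in the same syntax as Step 3, walks them top to bottom the way the router does, and reports which line decided the packet, or that it fell through to the implicit deny. It understands the address forms any, host and network/wildcard, and a destination eq PORT; the sample addresses are constructed.

```python
import ipaddress

def _match_addr(spec, addr):
    """Cisco address syntax: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Wildcard bits set to 1 are ignored, the inverse of a subnet mask."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def _take_addr(tokens):
    """Consume one address specification from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_ace(text):
    """Parse one entry as written in Step 3, e.g.
    'permit ip 192.168.1.0 0.0.0.255 any' or 'deny tcp any any eq 80'.
    Only a destination 'eq PORT' qualifier is supported."""
    tokens = text.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list top to bottom; the first matching entry decides.
    Returns (action, line_number). line_number None means the packet fell
    through to the implicit 'deny any' at the end of every ACL."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):       # 'ip' covers every protocol
            continue
        if not (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None

# The two ACLs from Step 3, plus the same ACL 101 with its lines swapped.
ACL_101 = ["permit ip 192.168.1.0 0.0.0.255 any", "deny ip any any"]
ACL_101_WRONG_ORDER = list(reversed(ACL_101))
BLOCK_WEBSITES = ["deny tcp any any eq 80", "permit ip any any"]

if __name__ == "__main__":
    print(evaluate(ACL_101, "icmp", "192.168.1.5", "10.0.0.1"))            # permit, line 1
    print(evaluate(ACL_101_WRONG_ORDER, "icmp", "192.168.1.5", "10.0.0.1")) # deny, line 1
    print(evaluate(BLOCK_WEBSITES, "tcp", "192.168.1.5", "203.0.113.7", 80))  # deny, line 1
    print(evaluate(["permit tcp any any eq 80"], "icmp", "192.168.1.5", "203.0.113.7"))
```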