
me@home.com 02-08-2005 10:41 AM

Audit of large Cisco Network
 
Hi All,

Apologies if this is the wrong place to post this. Please let me know
which newsgroup would be more appropriate if this isn't the one.

We have a number of large Cisco networks. Not all are interconnected.
Mostly they are a dozen or so big networks.

Approximately 40,000-90,000 devices depending on who you ask. (By
device I mean cards or chassis).

We wish to run an audit, to identify more accurately what is out
there.

From the audit we wish to gather info such as:

- Number of devices
- Type of devices
- Serial Number of devices
- Age (?) of devices (eg manufacturing date or similar)
- Software version on devices

By devices I mean chassis and (if applicable) cards as well.

and so on.

The networks are in general behind a good firewall, so sweeping the
full IP range should be OK in general.

The aim is to as accurately as possible sweep each of our networks to
determine what we have in them. From this we will more accurately know
what we have that needs supporting.

Anyone know of any software that can do this? And any large
international companies that may have consultants that are able to be
hired to do this?

I am not in the US, so if you recommend a specific company please make
it a large international company, other than Cisco!

Also any info you have on this being done in other companies would be
appreciated. Such as how long it would take etc. Assume 90,000
cards/chassis and 20 separate networks.

Thanks for your help....it's quite a task that's needed!







Mats Bredell 02-08-2005 04:19 PM

Re: Audit of large Cisco Network
 
me@home.com wrote:

> Hi All,
>
> Apologies if this is the wrong place to post this. Please let me know
> which newsgroup would be more appropriate if this isn't the one.
>
> We have a number of large Cisco networks. Not all are interconnected.
> Mostly they are a dozen or so big networks.
>
> Approximately 40,000-90,000 devices depending on who you ask. (By
> device I mean cards or chassis).
>
> We wish to run an audit, to identify more accurately what is out
> there.
>
> From the audit we wish to gather info such as:
>
> - Number of devices
> - Type of devices
> - Serial Number of devices
> - Age (?) of devices (eg manufacturing date or similar)
> - Software version on devices
>
> By devices I mean chassis and (if applicable) cards as well.
>
> and so on.
>
> The networks are in general behind a good firewall, so sweeping the
> full IP range should be OK in general.
>
> The aim is to as accurately as possible sweep each of our networks to
> determine what we have in them. From this we will more accurately know
> what we have that needs supporting.
>
> Anyone know of any software that can do this? And any large
> international companies that may have consultants that are able to be
> hired to do this?
>
> I am not in the US, so if you recommend a specific company please make
> it a large international company, other than Cisco!
>
> Also any info you have on this being done in other companies would be
> appreciated. Such as how long it would take etc. Assume 90,000
> cards/chassis and 20 separate networks.
>
> Thanks for your help....it's quite a task that's needed!


It's not particularly difficult to do, just have a programmer write some Tcl
scripts. I've done this as a subcontractor at IBM, the tools I developed
can easily extract data from around 5,000 devices per hour. The difficult
task, which takes most time, is getting working passwords to the devices.

/Mats

--
Mats Bredell
Uppsala, Sweden

SysAdm 02-08-2005 06:37 PM

Re: Audit of large Cisco Network
 

"Mats Bredell" <mats@bredell.net> wrote in message
news:FE5Od.129886$dP1.464767@newsc.telia.net...
> me@home.com wrote:
>
> > Hi All,
> >
> > Apologies if this is the wrong place to post this. Please let me know
> > which newsgroup would be more appropriate if this isn't the one.
> >
> > We have a number of large Cisco networks. Not all are interconnected.
> > Mostly they are a dozen or so big networks.
> >
> > Approximately 40,000-90,000 devices depending on who you ask. (By
> > device I mean cards or chassis).
> >
> > We wish to run an audit, to identify more accurately what is out
> > there.
> >
> > From the audit we wish to gather info such as:
> >
> > - Number of devices
> > - Type of devices
> > - Serial Number of devices
> > - Age (?) of devices (eg manufacturing date or similar)
> > - Software version on devices
> >
> > By devices I mean chassis and (if applicable) cards as well.
> >
> > and so on.
> >
> > The networks are in general behind a good firewall, so sweeping the
> > full IP range should be OK in general.
> >
> > The aim is to as accurately as possible sweep each of our networks to
> > determine what we have in them. From this we will more accurately know
> > what we have that needs supporting.
> >
> > Anyone know of any software that can do this? And any large
> > international companies that may have consultants that are able to be
> > hired to do this?
> >
> > I am not in the US, so if you recommend a specific company please make
> > it a large international company, other than Cisco!
> >
> > Also any info you have on this being done in other companies would be
> > appreciated. Such as how long it would take etc. Assume 90,000
> > cards/chassis and 20 separate networks.
> >
> > Thanks for your help....it's quite a task that's needed!
>
> It's not particularly difficult to do, just have a programmer write some
> Tcl scripts. I've done this as a subcontractor at IBM, the tools I developed
> can easily extract data from around 5,000 devices per hour. The difficult
> task, which takes most time, is getting working passwords to the devices.
>
> /Mats
>
> --
> Mats Bredell
> Uppsala, Sweden


sounds like a good use for snmp....

SysAdm



Dmitro 02-08-2005 06:50 PM

Re: Audit of large Cisco Network
 
> It's not particularly difficult to do, just have a programmer write some Tcl
> scripts. I've done this as a subcontractor at IBM, the tools I developed
> can easily extract data from around 5,000 devices per hour. The difficult
> task, which takes most time, is getting working passwords to the devices.
>
> /Mats

Hello Mats

It is interesting, but could you please tell me some useful
commands... for example, with which command can I get the serial number of
a 2MFT-E1 card or the age (?) of devices? I know only sh ver :-( Please tell
me more useful commands for auditing hardware.

Thank you,
dmitry

Dmitro 02-08-2005 07:08 PM

Re: Audit of large Cisco Network
 
Dmitro wrote:
>> It's not particularly difficult to do, just have a programmer write
>> some Tcl
>> scripts. I've done this as a subcontractor at IBM, the tools I developed
>> can easily extract data from around 5,000 devices per hour. The difficult
>> task, which takes most time, is getting working passwords to the devices.
>>
>> /Mats

>
> Hello Mats
>
> It is interesting, but could you please tell me some useful
> commands... for example, with which command can I get the serial number of
> a 2MFT-E1 card or the age (?) of devices? I know only sh ver :-( Please tell
> me more useful commands for auditing hardware.
>
> Thank you,
> dmitry


oops.
sh diag + to my luggage.
dmitry

Hansang Bae 02-09-2005 04:02 AM

Re: Audit of large Cisco Network
 
Mats Bredell wrote:
> It's not particularly difficult to do, just have a programmer write
> some Tcl scripts. I've done this as a subcontractor at IBM, the tools
> I developed can easily extract data from around 5,000 devices per
> hour. The difficult task, which takes most time, is getting working
> passwords to the devices.


It's not as easy as it sounds. Before you can get *to* the
information, you need a seed file with all the IPs. That in and of
itself can be a chore. Then you have a problem of different devices
reporting things differently. Then you have the problem of different
devices not being able to provide the info one is after (serial number
comes to mind).

--

hsb


"Somehow I imagined this experience would be more rewarding" Calvin
**************************ROT13 MY ADDRESS*************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************

Richard 02-09-2005 05:01 AM

Re: Audit of large Cisco Network
 

<headache starting to appear.....>

Thanks!



On Wed, 09 Feb 2005 04:02:45 GMT, "Hansang Bae" <uonr@alp.ee.pbz>
wrote:

>Mats Bredell wrote:
>> It's not particularly difficult to do, just have a programmer write
>> some Tcl scripts. I've done this as a subcontractor at IBM, the tools
>> I developed can easily extract data from around 5,000 devices per
>> hour. The difficult task, which takes most time, is getting working
>> passwords to the devices.

>
>It's not as easy as it sounds. Before you can get *to* the
>information, you need a seed file with all the IPs. That in and of
>itself can be a chore. Then you have a problem of different devices
>reporting things differently. Then you have the problem of different
>devices not being able to provide the info one is after (serial number
>comes to mind).



Mats Bredell 02-09-2005 11:37 PM

Re: Audit of large Cisco Network
 
Hansang Bae wrote:

> Mats Bredell wrote:
>> It's not particularly difficult to do, just have a programmer write
>> some Tcl scripts. I've done this as a subcontractor at IBM, the tools
>> I developed can easily extract data from around 5,000 devices per
>> hour. The difficult task, which takes most time, is getting working
>> passwords to the devices.

>
> It's not as easy as it sounds. Before you can get *to* the
> information, you need a seed file with all the IPs. That in and of
> itself can be a chore. Then you have a problem of different devices
> reporting things differently. Then you have the problem of different
> devices not being able to provide the info one is after (serial number
> comes to mind).


Actually, it's not that difficult. The tool I made was able to handle the
following devices:

* Cisco IOS, CatOS, IOS/700, Kalpana, PIX, WebNS and Vxworks
* 3Com Superstack, Linkbuilder and Linkswitch
* Checkpoint Firewall-1 and SecurePlatform Linux
* IBM AIX and MRS
* Linux Redhat
* Network Systems CDA
* Nokia AlchemyOS, AP and IPSO
* Nortel Baystack, BCC, Centillion, MCP and Passport
* Olicom switches
* Sun Solaris
* Symantec Enterprise Firewall
* Symbol AP

The tool extracts metadata and configuration, and performs an audit of the
configuration by comparing it to the security policy. The data is collected
by using telnet, ssh, http, SNMP or serial console. It handles both cli
based and VT100 based devices.

/Mats

--
Mats Bredell
Uppsala, Sweden

Mats Bredell 02-09-2005 11:40 PM

Re: Audit of large Cisco Network
 
SysAdm wrote:

>
> "Mats Bredell" <mats@bredell.net> wrote in message
> news:FE5Od.129886$dP1.464767@newsc.telia.net...
>> me@home.com wrote:
>>
>> > Hi All,
>> >
>> > Apologies if this is the wrong place to post this. Please let me know
>> > which newsgroup would be more appropriate if this isn't the one.
>> >
>> > We have a number of large Cisco networks. Not all are interconnected.
>> > Mostly they are a dozen or so big networks.
>> >
>> > Approximately 40,000-90,000 devices depending on who you ask. (By
>> > device I mean cards or chassis).
>> >
>> > We wish to run an audit, to identify more accurately what is out
>> > there.
>> >
>> > From the audit we wish to gather info such as:
>> >
>> > - Number of devices
>> > - Type of devices
>> > - Serial Number of devices
>> > - Age (?) of devices (eg manufacturing date or similar)
>> > - Software version on devices
>> >
>> > By devices I mean chassis and (if applicable) cards as well.
>> >
>> > and so on.
>> >
>> > The networks are in general behind a good firewall, so sweeping the
>> > full IP range should be OK in general.
>> >
>> > The aim is to as accurately as possible sweep each of our networks to
>> > determine what we have in them. From this we will more accurately know
>> > what we have that needs supporting.
>> >
>> > Anyone know of any software that can do this? And any large
>> > international companies that may have consultants that are able to be
>> > hired to do this?
>> >
>> > I am not in the US, so if you recommend a specific company please make
>> > it a large international company, other than Cisco!
>> >
>> > Also any info you have on this being done in other companies would be
>> > appreciated. Such as how long it would take etc. Assume 90,000
>> > cards/chassis and 20 separate networks.
>> >
>> > Thanks for your help....it's quite a task that's needed!
>>
>> It's not particularly difficult to do, just have a programmer write some
>> Tcl scripts. I've done this as a subcontractor at IBM, the tools I developed
>> can easily extract data from around 5,000 devices per hour. The difficult
>> task, which takes most time, is getting working passwords to the devices.
>>
>> /Mats
>>
>> --
>> Mats Bredell
>> Uppsala, Sweden

>
> sounds like a good use for snmp....


Yes, SNMP is the best and easiest to handle. Unfortunately it was rarely
enabled on the devices I was working on (either that or they didn't know
the community strings).

/Mats

--
Mats Bredell
Uppsala, Sweden

Ben 02-10-2005 03:09 AM

Re: Audit of large Cisco Network
 
Mats Bredell wrote:
> SysAdm wrote:
>
>
>>"Mats Bredell" <mats@bredell.net> wrote in message
>>news:FE5Od.129886$dP1.464767@newsc.telia.net...
>>
>>>me@home.com wrote:
>>>
>>>
>>>>Hi All,
>>>>
>>>>Apologies if this is the wrong place to post this. Please let me know
>>>>which newsgroup would be more appropriate if this isn't the one.
>>>>
>>>>We have a number of large Cisco networks. Not all are interconnected.
>>>>Mostly they are a dozen or so big networks.
>>>>
>>>>Approximately 40,000-90,000 devices depending on who you ask. (By
>>>>device I mean cards or chassis).
>>>>
>>>>We wish to run an audit, to identify more accurately what is out
>>>>there.
>>>>
>>>>From the audit we wish to gather info such as:
>>>>
>>>>- Number of devices
>>>>- Type of devices
>>>>- Serial Number of devices
>>>>- Age (?) of devices (eg manufacturing date or similar)
>>>>- Software version on devices
>>>>
>>>>By devices I mean chassis and (if applicable) cards as well.
>>>>
>>>>and so on.
>>>>
>>>>The networks are in general behind a good firewall, so sweeping the
>>>>full IP range should be OK in general.
>>>>
>>>>The aim is to as accurately as possible sweep each of our networks to
>>>>determine what we have in them. From this we will more accurately know
>>>>what we have that needs supporting.
>>>>
>>>>Anyone know of any software that can do this? And any large
>>>>international companies that may have consultants that are able to be
>>>>hired to do this?
>>>>
>>>>I am not in the US, so if you recommend a specific company please make
>>>>it a large international company, other than Cisco!
>>>>
>>>>Also any info you have on this being done in other companies would be
>>>>appreciated. Such as how long it would take etc. Assume 90,000
>>>>cards/chassis and 20 separate networks.
>>>>
>>>>Thanks for your help....it's quite a task that's needed!
>>>
>>>It's not particularly difficult to do, just have a programmer write some
>>>Tcl scripts. I've done this as a subcontractor at IBM, the tools I developed
>>>can easily extract data from around 5,000 devices per hour. The difficult
>>>task, which takes most time, is getting working passwords to the devices.
>>>
>>>/Mats
>>>
>>>--
>>>Mats Bredell
>>>Uppsala, Sweden

>>
>>sounds like a good use for snmp....

>
>
> Yes, SNMP is the best and easiest to handle. Unfortunately it was rarely
> enabled on the devices I was working on (either that or they didn't know
> the community strings).
>
> /Mats
>

Also the Cisco MIB DOES vary between different chassis making it
unreliable for some types of data.

I have to totally agree - a set of TCL or Perl scripts is a great way to
go. Of course it's much simpler if you start with a list of all the devices.
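
Added example (not part of the thread, and not the tool any poster describes): the point raised above that different devices report things differently, and that some give no serial number at all, shown as a Python parser for "sh ver" output that normalizes two layouts into one inventory record and lists what each device failed to report. The sample outputs are constructed, and the function names, regex patterns and 192.0.2.x addresses are assumptions of this example.

```python
import re
# Constructed "show version" excerpts (not captured from real devices).
IOS_SAMPLE = """\
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)
cisco 2621 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory.
Processor board ID JAD00000AAA (1234567890)
"""
CATOS_SAMPLE = """\
WS-C6509 Software, Version NmpSW: 6.3(10)
Hardware Version: 2.0  Model: WS-C6509  Serial #: SCA00000BBB
"""
# Same IOS layout, but this device prints no serial number line.
NO_SERIAL_SAMPLE = """\
IOS (tm) 2500 Software (C2500-I-L), Version 12.0(9), RELEASE SOFTWARE (fc1)
cisco 2500 (68030) processor (revision N) with 6144K/2048K bytes of memory.
"""

# One pattern set per platform (assumed layouts); fields are tried independently.
PATTERNS = {
    "ios": {"version": r"^IOS \(tm\).*?, Version ([^,\s]+)",
            "model": r"^cisco (\S+) \(.*?\) processor",
            "serial": r"^Processor board ID (\S+)"},
    "catos": {"version": r"Version NmpSW: (\S+)",
              "model": r"Model: (\S+)",
              "serial": r"Serial #: (\S+)"},
}

def detect_platform(text):
    """Pick the pattern set from a marker string in the output."""
    if "NmpSW" in text:
        return "catos"
    return "ios" if "IOS (tm)" in text else None

def parse_show_version(ip, text):
    """Return one inventory record; fields the device did not report stay None."""
    platform = detect_platform(text)
    record = dict(ip=ip, platform=platform, model=None, serial=None, version=None)
    for field, pattern in PATTERNS.get(platform, {}).items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            record[field] = match.group(1)
    # Gaps are listed, not guessed, so they can be followed up by hand.
    record["missing"] = sorted(k for k in ("model", "serial", "version")
                               if record[k] is None)
    return record

if __name__ == "__main__":
    for i, out in enumerate((IOS_SAMPLE, CATOS_SAMPLE, NO_SERIAL_SAMPLE), 1):
        print(parse_show_version(f"192.0.2.{i}", out))
```

Output from a platform with no pattern set comes back with platform None and every field listed as missing, so unrecognized devices show up in the inventory instead of silently dropping out of it.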

