Audit of large Cisco Network

Discussion in 'Cisco' started by me@home.com, Feb 8, 2005.

  1. Guest

    Hi All,

    Apologies if this is the wrong place to post this. Please let me know
    which newsgroup would be more appropriate if this isn't the one.

    We have a number of large Cisco networks. Not all are interconnected.
    Mostly they are a dozen or so big networks.

    Approximately 40,000-90,000 devices depending on who you ask. (By
    device I mean cards or chassis).

    We wish to run an audit, to identify more accurately what is out
    there.

    From the audit we wish to gather info such as:

    - Number of devices
    - Type of devices
    - Serial Number of devices
    - Age (?) of devices (e.g. manufacturing date or similar)
    - Software version on devices

    By devices I mean chassis and (if applicable) cards as well.

    and so on.

    The networks are in general behind a good firewall, so sweeping the
    full IP range should be OK in general.

    The aim is to as accurately as possible sweep each of our networks to
    determine what we have in them. From this we will more accurately know
    what we have that needs supporting.

    Anyone know of any software that can do this? And any large
    international companies that may have consultants that are able to be
    hired to do this?

    I am not in the US, so if you recommend a specific company please make
    it a large international company, other than Cisco!

    Also any info you have on this being done in other companies would be
    appreciated, such as how long it would take etc. Assume 90,000
    cards/chassis and 20 separate networks.

    Thanks for your help... it's quite a task that's needed!
     
    , Feb 8, 2005
    #1

  2. Mats Bredell Guest

    wrote:

    > Hi All,
    >
    > Apologies if this is the wrong place to post this. Please let me know
    > which newsgroup would be more appropriate if this isnt the one.
    >
    > We have a number of large Cisco networks. Not all are interconnected.
    > Mostly they are a dozen or so big networks.
    >
    > Approximately 40,000-90,000 devices depending on who you ask. (By
    > device I mean cards or chassis).
    >
    > We wish to run an audit, to identify more accurately what is out
    > there.
    >
    > From the audit we wish to gather info such as:
    >
    > - Number of devices
    > - Type of devices
    > - Serial Number of devices
    > - Age (?) of devices (eg manufacturing date or similar)
    > - Software version on devices
    >
    > By devices I mean chassis and (if applicable) cards as well.
    >
    > and so on.
    >
    > The networks are in general behind a good firewall, so sweeping the
    > full IP range should be OK in general.
    >
    > The aim is to as accurately as possible sweep each of our networks to
    > determine what we have in them. From this we will more accurately know
    > what we have that needs supporting.
    >
    > Anyone know of any software that can do this? And any large
    > international companies that may have consultants that are able to be
    > hired to do this?
    >
    > I am not in the US, so if you recommend a specific company please make
    > it a large international company, other than Cisco!
    >
    > Also any info you have on this being done in other companies would be
    > appreciated. Such as how long it would take etc. Assume 90,000
    > cards/chassis and a 20 separate networks.
    >
    > Thanks for your help....its quite a task thats needed!


    It's not particularly difficult to do, just have a programmer write some Tcl
    scripts. I've done this as a subcontractor at IBM, the tools I developed
    can easily extract data from around 5,000 devices per hour. The difficult
    task, which takes most time, is getting working passwords to the devices.

    /Mats

    --
    Mats Bredell
    Uppsala, Sweden
     
    Mats Bredell, Feb 8, 2005
    #2

  3. SysAdm Guest

    "Mats Bredell" <> wrote in message
    news:FE5Od.129886$...
    > wrote:
    >
    > > Hi All,
    > >
    > > Apologies if this is the wrong place to post this. Please let me know
    > > which newsgroup would be more appropriate if this isnt the one.
    > >
    > > We have a number of large Cisco networks. Not all are interconnected.
    > > Mostly they are a dozen or so big networks.
    > >
    > > Approximately 40,000-90,000 devices depending on who you ask. (By
    > > device I mean cards or chassis).
    > >
    > > We wish to run an audit, to identify more accurately what is out
    > > there.
    > >
    > > From the audit we wish to gather info such as:
    > >
    > > - Number of devices
    > > - Type of devices
    > > - Serial Number of devices
    > > - Age (?) of devices (eg manufacturing date or similar)
    > > - Software version on devices
    > >
    > > By devices I mean chassis and (if applicable) cards as well.
    > >
    > > and so on.
    > >
    > > The networks are in general behind a good firewall, so sweeping the
    > > full IP range should be OK in general.
    > >
    > > The aim is to as accurately as possible sweep each of our networks to
    > > determine what we have in them. From this we will more accurately know
    > > what we have that needs supporting.
    > >
    > > Anyone know of any software that can do this? And any large
    > > international companies that may have consultants that are able to be
    > > hired to do this?
    > >
    > > I am not in the US, so if you recommend a specific company please make
    > > it a large international company, other than Cisco!
    > >
    > > Also any info you have on this being done in other companies would be
    > > appreciated. Such as how long it would take etc. Assume 90,000
    > > cards/chassis and a 20 separate networks.
    > >
    > > Thanks for your help....its quite a task thats needed!

    >
    > It's not particularly difficult to do, just have a programmer write some Tcl
    > scripts. I've done this as a subcontractor at IBM, the tools I developed
    > can easily extract data from around 5,000 devices per hour. The difficult
    > task, which takes most time, is getting working passwords to the devices.
    >
    > /Mats
    >
    > --
    > Mats Bredell
    > Uppsala, Sweden


    sounds like a good use for snmp....

    SysAdm
     
    SysAdm, Feb 8, 2005
    #3
  4. Dmitro Guest

    > It's not particularly difficult to do, just have a programmer write some Tcl
    > scripts. I've done this as a subcontractor at IBM, the tools I developed
    > can easily extract data from around 5,000 devices per hour. The difficult
    > task, which takes most time, is getting working passwords to the devices.
    >
    > /Mats

    Hello Mats

    it is interesting, but could you please tell me some useful
    commands... for example, with which command can I get the serial number of
    a 2MFT-E1 card or the age (?) of devices? I know only sh ver :-( Please tell
    me more useful commands for auditing hardware.

    Thank you,
    dmitry
     
    Dmitro, Feb 8, 2005
    #4
  5. Dmitro Guest

    Dmitro wrote:
    >> It's not particularly difficult to do, just have a programmer write
    >> some Tcl
    >> scripts. I've done this as a subcontractor at IBM, the tools I developed
    >> can easily extract data from around 5,000 devices per hour. The difficult
    >> task, which takes most time, is getting working passwords to the devices.
    >>
    >> /Mats

    >
    > Hello Mats
    >
    > it is interesing, but could you be so pleased tell me some useful
    > command... for example which command can i get - serial number of
    > 2MFT-E1 card or Age (?) of devices? I know only sh ver :-( please tell
    > me more useful command for auditing hardware.
    >
    > Thank you,
    > dmitry


    oops.
    sh diag + to my luggage.
    dmitry
     
    Dmitro, Feb 8, 2005
    #5
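    The question above is which CLI output actually carries the serial numbers and software version. As an added example (not code from anyone in this thread), the Python below parses captured `show version` and `show inventory` text into one inventory record per device, cross-checks the chassis serial against the processor board ID, and lists components that report no serial at all, which is exactly the case a large audit has to tolerate. The sample output is constructed, not captured from a real device, and `show inventory` is assumed to be supported on the platform being audited (it is not on every IOS release or on CatOS).

```python
"""Parse Cisco IOS 'show version' and 'show inventory' output into an
inventory record. Added example for this thread; the sample output below is
constructed, not captured from a real device."""
import re

# Constructed sample of what a collector script would capture from one device.
SHOW_VERSION = """\
Cisco IOS Software, C2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
router1 uptime is 3 weeks, 2 days, 4 hours, 12 minutes
Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID FTX0000AAAA
"""

# Constructed sample; the third entry illustrates a card with no readable serial.
SHOW_INVENTORY = """\
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811         , VID: V01 , SN: FTX0000AAAA

NAME: "VWIC2-2MFT-T1/E1 on Slot 0 SubSlot 0", DESCR: "VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1"
PID: VWIC2-2MFT-T1/E1  , VID: V01 , SN: FOC0000BBBB

NAME: "AIM 0", DESCR: "Module whose serial EEPROM cannot be read"
PID: AIM-VPN/SSL-2     , VID:     , SN:
"""

VERSION_RE = re.compile(r"Version (\S+?),")
BOARD_ID_RE = re.compile(r"^Processor board ID (\S+)", re.M)
NAME_RE = re.compile(r'^NAME: "(?P<name>[^"]*)", DESCR: "(?P<descr>[^"]*)"$')
PID_RE = re.compile(r"^PID: (?P<pid>[^,]*), VID: (?P<vid>[^,]*), SN: ?(?P<sn>.*)$")


def parse_show_version(text):
    """Software version and processor board ID from IOS 'show version'.
    Other OS families (CatOS, PIX) print this differently, so a real
    collector needs one parser per family; both fields are None if absent."""
    version = VERSION_RE.search(text)
    board = BOARD_ID_RE.search(text)
    return {
        "software_version": version.group(1) if version else None,
        "processor_board_id": board.group(1) if board else None,
    }


def parse_show_inventory(text):
    """Each NAME/PID pair becomes one component; blank fields become None."""
    items = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            current = {"name": m["name"], "descr": m["descr"],
                       "pid": None, "vid": None, "sn": None}
            items.append(current)
            continue
        m = PID_RE.match(line)
        if m and current is not None:
            current["pid"] = m["pid"].strip() or None
            current["vid"] = m["vid"].strip() or None
            current["sn"] = m["sn"].strip() or None
    return items


def build_record(hostname, show_version, show_inventory):
    """Combine both outputs into one audit record for the device."""
    rec = {"hostname": hostname, **parse_show_version(show_version)}
    rec["components"] = parse_show_inventory(show_inventory)
    # Components with no serial are reported, not silently dropped.
    rec["missing_serial"] = [c["name"] for c in rec["components"] if not c["sn"]]
    chassis = next((c for c in rec["components"] if "chassis" in c["name"].lower()), None)
    # Cross-check: the chassis serial from 'show inventory' should equal the
    # processor board ID from 'show version'; a mismatch deserves a manual look.
    rec["serial_consistent"] = bool(chassis and chassis["sn"] == rec["processor_board_id"])
    return rec


if __name__ == "__main__":
    import json
    print(json.dumps(build_record("router1", SHOW_VERSION, SHOW_INVENTORY), indent=2))
```

    In a real run the two text blocks come from whatever collector (Expect, SNMP, console) fetched them; the parser itself needs no network access, which keeps it easy to test against archived captures from each device family.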
  6. Hansang Bae Guest

    Mats Bredell wrote:
    > It's not particularly difficult to do, just have a programmer write
    > some Tcl scripts. I've done this as a subcontractor at IBM, the tools
    > I developed can easily extract data from around 5,000 devices per
    > hour. The difficult task, which takes most time, is getting working
    > passwords to the devices.


    It's not as easy as it sounds. Before you can get *to* the
    information, you need a seed file with all the IPs. That in and of
    itself can be a chore. Then you have a problem of different devices
    reporting things differently. Then you have the problem of different
    devices not being able to provide the info one is after (serial number
    comes to mind).

    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Feb 9, 2005
    #6
  7. Richard Guest

    <headache starting to appear.....>

    Thanks!



    On Wed, 09 Feb 2005 04:02:45 GMT, "Hansang Bae" <>
    wrote:

    >Mats Bredell wrote:
    >> It's not particularly difficult to do, just have a programmer write
    >> some Tcl scripts. I've done this as a subcontractor at IBM, the tools
    >> I developed can easily extract data from around 5,000 devices per
    >> hour. The difficult task, which takes most time, is getting working
    >> passwords to the devices.

    >
    >It's not as easy as it sounds. Before you can get *to* the
    >information, you need a seed file with all the IPs. That in an of
    >itself can be a chore. Then you have a problem of different devices
    >reporting things differently. Then you have problem of different
    >devices not being able to provide the info one is after (serial number
    >comes to mind).
     
    Richard, Feb 9, 2005
    #7
  8. Mats Bredell Guest

    Hansang Bae wrote:

    > Mats Bredell wrote:
    >> It's not particularly difficult to do, just have a programmer write
    >> some Tcl scripts. I've done this as a subcontractor at IBM, the tools
    >> I developed can easily extract data from around 5,000 devices per
    >> hour. The difficult task, which takes most time, is getting working
    >> passwords to the devices.

    >
    > It's not as easy as it sounds. Before you can get *to* the
    > information, you need a seed file with all the IPs. That in an of
    > itself can be a chore. Then you have a problem of different devices
    > reporting things differently. Then you have problem of different
    > devices not being able to provide the info one is after (serial number
    > comes to mind).


    Actually, it's not that difficult. The tool I made was able to handle the
    following devices:

    * Cisco IOS, CatOS, IOS/700, Kalpana, PIX, WebNS and Vxworks
    * 3Com Superstack, Linkbuilder and Linkswitch
    * Checkpoint Firewall-1 and SecurePlatform Linux
    * IBM AIX and MRS
    * Linux Redhat
    * Network Systems CDA
    * Nokia AlchemyOS, AP and IPSO
    * Nortel Baystack, BCC, Centillion, MCP and Passport
    * Olicom switches
    * Sun Solaris
    * Symantec Enterprise Firewall
    * Symbol AP

    The tool extracts metadata and configuration, and performs an audit of the
    configuration by comparing it to the security policy. The data is collected
    by using telnet, ssh, http, SNMP or serial console. It handles both cli
    based and VT100 based devices.

    /Mats

    --
    Mats Bredell
    Uppsala, Sweden
     
    Mats Bredell, Feb 9, 2005
    #8
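    Mats's post describes auditing a collected configuration against a security policy. As an added example (not Mats's tool, and not code from this thread), the Python below expresses a small policy as "require"/"forbid" regex rules and evaluates a captured IOS running-config against them, returning the matching lines as evidence for each finding. The configuration and the policy rules are constructed for illustration; the rule set is an assumption, not anyone's actual policy.

```python
"""Check a captured Cisco IOS running-config against a small security policy.
Added example, not the tool described in the thread; config and policy are
constructed for illustration."""
import re

# Constructed running-config with a few deliberate policy violations.
RUNNING_CONFIG = """\
hostname router1
service password-encryption
no service tcp-small-servers
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
end
"""

# Policy rules: (id, description, kind, pattern).
# 'require' passes when at least one config line matches the pattern;
# 'forbid' fails when any config line matches it.
POLICY = [
    ("P1", "passwords must be stored encrypted", "require", r"^service password-encryption$"),
    ("P2", "HTTP management must be disabled", "forbid", r"^ip http server$"),
    ("P3", "no default SNMP community strings", "forbid", r"^snmp-server community (public|private)\b"),
    ("P4", "VTY lines must accept SSH only", "forbid", r"^\s*transport input .*\btelnet\b"),
    ("P5", "VTY lines must require a login", "require", r"^\s*login( local)?$"),
]


def audit_config(config_text, policy=POLICY):
    """Evaluate every rule; each finding carries the lines that decided it."""
    lines = config_text.splitlines()
    findings = []
    for rule_id, descr, kind, pattern in policy:
        rx = re.compile(pattern)
        hits = [line for line in lines if rx.search(line)]
        ok = bool(hits) if kind == "require" else not hits
        findings.append({"id": rule_id, "descr": descr, "kind": kind,
                         "ok": ok, "evidence": hits})
    return findings


def failed_rules(config_text, policy=POLICY):
    """Just the rule ids that failed, for a per-device summary table."""
    return [f["id"] for f in audit_config(config_text, policy) if not f["ok"]]


if __name__ == "__main__":
    for f in audit_config(RUNNING_CONFIG):
        status = "PASS" if f["ok"] else "FAIL"
        print(f"{f['id']} {status}: {f['descr']}")
        for line in f["evidence"]:
            print(f"      evidence: {line.strip()}")
```

    Keeping the evidence lines with each finding matters at the scale discussed here: with tens of thousands of devices, a summary that cannot point back to the offending line is very hard to act on.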
  9. Mats Bredell Guest

    SysAdm wrote:

    >
    > "Mats Bredell" <> wrote in message
    > news:FE5Od.129886$...
    >> wrote:
    >>
    >> > Hi All,
    >> >
    >> > Apologies if this is the wrong place to post this. Please let me know
    >> > which newsgroup would be more appropriate if this isnt the one.
    >> >
    >> > We have a number of large Cisco networks. Not all are interconnected.
    >> > Mostly they are a dozen or so big networks.
    >> >
    >> > Approximately 40,000-90,000 devices depending on who you ask. (By
    >> > device I mean cards or chassis).
    >> >
    >> > We wish to run an audit, to identify more accurately what is out
    >> > there.
    >> >
    >> > From the audit we wish to gather info such as:
    >> >
    >> > - Number of devices
    >> > - Type of devices
    >> > - Serial Number of devices
    >> > - Age (?) of devices (eg manufacturing date or similar)
    >> > - Software version on devices
    >> >
    >> > By devices I mean chassis and (if applicable) cards as well.
    >> >
    >> > and so on.
    >> >
    >> > The networks are in general behind a good firewall, so sweeping the
    >> > full IP range should be OK in general.
    >> >
    >> > The aim is to as accurately as possible sweep each of our networks to
    >> > determine what we have in them. From this we will more accurately know
    >> > what we have that needs supporting.
    >> >
    >> > Anyone know of any software that can do this? And any large
    >> > international companies that may have consultants that are able to be
    >> > hired to do this?
    >> >
    >> > I am not in the US, so if you recommend a specific company please make
    >> > it a large international company, other than Cisco!
    >> >
    >> > Also any info you have on this being done in other companies would be
    >> > appreciated. Such as how long it would take etc. Assume 90,000
    >> > cards/chassis and a 20 separate networks.
    >> >
    >> > Thanks for your help....its quite a task thats needed!

    >>
    >> It's not particularly difficult to do, just have a programmer write some Tcl
    >> scripts. I've done this as a subcontractor at IBM, the tools I developed
    >> can easily extract data from around 5,000 devices per hour. The difficult
    >> task, which takes most time, is getting working passwords to the devices.
    >>
    >> /Mats
    >>
    >> --
    >> Mats Bredell
    >> Uppsala, Sweden

    >
    > sounds like a good use for snmp....


    Yes, SNMP is the best and easiest to handle. Unfortunately it was rarely
    enabled on the devices I was working on (either that or they didn't know
    the community strings).

    /Mats

    --
    Mats Bredell
    Uppsala, Sweden
     
    Mats Bredell, Feb 9, 2005
    #9
  10. Ben Guest

    Mats Bredell wrote:
    > SysAdm wrote:
    >
    >
    >>"Mats Bredell" <> wrote in message
    >>news:FE5Od.129886$...
    >>
    >>> wrote:
    >>>
    >>>
    >>>>Hi All,
    >>>>
    >>>>Apologies if this is the wrong place to post this. Please let me know
    >>>>which newsgroup would be more appropriate if this isnt the one.
    >>>>
    >>>>We have a number of large Cisco networks. Not all are interconnected.
    >>>>Mostly they are a dozen or so big networks.
    >>>>
    >>>>Approximately 40,000-90,000 devices depending on who you ask. (By
    >>>>device I mean cards or chassis).
    >>>>
    >>>>We wish to run an audit, to identify more accurately what is out
    >>>>there.
    >>>>
    >>>>From the audit we wish to gather info such as:
    >>>>
    >>>>- Number of devices
    >>>>- Type of devices
    >>>>- Serial Number of devices
    >>>>- Age (?) of devices (eg manufacturing date or similar)
    >>>>- Software version on devices
    >>>>
    >>>>By devices I mean chassis and (if applicable) cards as well.
    >>>>
    >>>>and so on.
    >>>>
    >>>>The networks are in general behind a good firewall, so sweeping the
    >>>>full IP range should be OK in general.
    >>>>
    >>>>The aim is to as accurately as possible sweep each of our networks to
    >>>>determine what we have in them. From this we will more accurately know
    >>>>what we have that needs supporting.
    >>>>
    >>>>Anyone know of any software that can do this? And any large
    >>>>international companies that may have consultants that are able to be
    >>>>hired to do this?
    >>>>
    >>>>I am not in the US, so if you recommend a specific company please make
    >>>>it a large international company, other than Cisco!
    >>>>
    >>>>Also any info you have on this being done in other companies would be
    >>>>appreciated. Such as how long it would take etc. Assume 90,000
    >>>>cards/chassis and a 20 separate networks.
    >>>>
    >>>>Thanks for your help....its quite a task thats needed!
    >>>
    >>>It's not particularly difficult to do, just have a programmer write some Tcl
    >>
    >>>scripts. I've done this as a subcontractor at IBM, the tools I developed
    >>>can easily extract data from around 5,000 devices per hour. The difficult
    >>>task, which takes most time, is getting working passwords to the devices.
    >>>
    >>>/Mats
    >>>
    >>>--
    >>>Mats Bredell
    >>>Uppsala, Sweden

    >>
    >>sounds like a good use for snmp....

    >
    >
    > Yes, SNMP is the best and easiest to handle. Unfortunately it was rarely
    > enabled on the devices I was working on (either that or they didn't know
    > the community strings).
    >
    > /Mats
    >

    Also the Cisco MIB DOES vary between different chassis, making it
    unreliable for some types of data.

    I have to totally agree - a set of TCL or Perl scripts is a great way to
    go. Of course it's much simpler if you start with a list of all the devices.
     
    Ben, Feb 10, 2005
    #10
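    The SNMP route discussed in the last few posts, as an added example that is not code from anyone in this thread: the Python below parses numeric-OID `snmpwalk` text for sysDescr and the standard ENTITY-MIB physical table (entPhysicalDescr, entPhysicalContainedIn, entPhysicalClass, entPhysicalSerialNum, entPhysicalModelName; the OIDs and class codes are from ENTITY-MIB itself), builds the chassis/module inventory, and reports components whose serial the agent does not populate, which is the gap Ben and Hansang point out. The walk output is constructed; real agents differ in which columns they fill, and net-snmp prints symbolic names instead of numeric OIDs unless it is told not to.

```python
"""Build a chassis/module inventory from ENTITY-MIB snmpwalk output.
Added example for this thread; the walk text below is constructed."""
import re

# Constructed numeric-OID walk (what 'snmpwalk -On' style output looks like):
# one chassis, one module with an empty serial, one port.
WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software, C3750 Software (constructed sample)
.1.3.6.1.2.1.47.1.1.1.1.2.1001 = STRING: WS-C3750G-24TS
.1.3.6.1.2.1.47.1.1.1.1.4.1001 = INTEGER: 0
.1.3.6.1.2.1.47.1.1.1.1.5.1001 = INTEGER: 3
.1.3.6.1.2.1.47.1.1.1.1.11.1001 = STRING: CAT0000XXXX
.1.3.6.1.2.1.47.1.1.1.1.13.1001 = STRING: WS-C3750G-24TS-S
.1.3.6.1.2.1.47.1.1.1.1.2.1002 = STRING: 1000BaseSX SFP
.1.3.6.1.2.1.47.1.1.1.1.4.1002 = INTEGER: 1001
.1.3.6.1.2.1.47.1.1.1.1.5.1002 = INTEGER: 9
.1.3.6.1.2.1.47.1.1.1.1.11.1002 = STRING:
.1.3.6.1.2.1.47.1.1.1.1.13.1002 = STRING: GLC-SX-MM
.1.3.6.1.2.1.47.1.1.1.1.2.1003 = STRING: GigabitEthernet1/0/1
.1.3.6.1.2.1.47.1.1.1.1.4.1003 = INTEGER: 1001
.1.3.6.1.2.1.47.1.1.1.1.5.1003 = INTEGER: 10
"""

SYS_DESCR_OID = ".1.3.6.1.2.1.1.1.0"
ENT_PHYSICAL = ".1.3.6.1.2.1.47.1.1.1.1."   # entPhysicalEntry columns live under here
COLUMNS = {"2": "descr", "4": "contained_in", "5": "class", "11": "serial", "13": "model"}
# entPhysicalClass enumeration from ENTITY-MIB.
CLASS_NAMES = {1: "other", 2: "unknown", 3: "chassis", 4: "backplane", 5: "container",
               6: "powerSupply", 7: "fan", 8: "sensor", 9: "module", 10: "port",
               11: "stack", 12: "cpu"}

LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")


def parse_walk(text):
    """Return (sysDescr, {entPhysicalIndex: fields}) from walk text."""
    entities = {}
    sysdescr = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        oid, value = m["oid"], m["value"].strip().strip('"')
        if oid == SYS_DESCR_OID:
            sysdescr = value
            continue
        if not oid.startswith(ENT_PHYSICAL):
            continue
        column, index = oid[len(ENT_PHYSICAL):].split(".", 1)
        if column not in COLUMNS:
            continue
        ent = entities.setdefault(int(index), {"index": int(index)})
        field = COLUMNS[column]
        if field in ("class", "contained_in"):
            # Accept both "3" and the symbolic "chassis(3)" form.
            num = re.search(r"\d+", value)
            code = int(num.group()) if num else 0
            ent[field] = CLASS_NAMES.get(code, "unknown") if field == "class" else code
        else:
            ent[field] = value or None   # empty string means the agent gave nothing
    return sysdescr, entities


def field_replaceable_units(entities):
    """Chassis and modules only; ports and sensors are noise for an asset audit."""
    units = []
    for idx in sorted(entities):
        e = entities[idx]
        if e.get("class") in ("chassis", "module"):
            units.append({"index": idx, "class": e["class"], "descr": e.get("descr"),
                          "model": e.get("model"), "serial": e.get("serial"),
                          "contained_in": e.get("contained_in")})
    return units


def missing_serials(units):
    """Indexes whose serial the agent did not provide; follow these up by CLI."""
    return [u["index"] for u in units if not u["serial"]]


if __name__ == "__main__":
    descr, ents = parse_walk(WALK)
    units = field_replaceable_units(ents)
    print(descr)
    for u in units:
        print(u)
    print("no serial via SNMP:", missing_serials(units))
```

    The point of `missing_serials` is that an SNMP-only pass should produce an explicit follow-up list rather than an inventory that quietly has blanks in it; those devices are the ones that still need a CLI collector.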
  11. Ben Guest

    Mats Bredell wrote:
    > Hansang Bae wrote:
    >
    >
    >>Mats Bredell wrote:
    >>
    >>>It's not particularly difficult to do, just have a programmer write
    >>>some Tcl scripts. I've done this as a subcontractor at IBM, the tools
    >>>I developed can easily extract data from around 5,000 devices per
    >>>hour. The difficult task, which takes most time, is getting working
    >>>passwords to the devices.

    >>
    >>It's not as easy as it sounds. Before you can get *to* the
    >>information, you need a seed file with all the IPs. That in an of
    >>itself can be a chore. Then you have a problem of different devices
    >>reporting things differently. Then you have problem of different
    >>devices not being able to provide the info one is after (serial number
    >>comes to mind).

    >
    >
    > Actually, it's not that difficult. The tool I made was able to handle the
    > following devices:
    >
    > * Cisco IOS, CatOS, IOS/700, Kalpana, PIX, WebNS and Vxworks
    > * 3Com Superstack, Linkbuilder and Linkswitch
    > * Checkpoint Firewall-1 and SecurePlatform Linux
    > * IBM AIX and MRS
    > * Linux Redhat
    > * Network Systems CDA
    > * Nokia AlchemyOS, AP and IPSO
    > * Nortel Baystack, BCC, Centillion, MCP and Passport
    > * Olicom switches
    > * Sun Solaris
    > * Symantec Enterprise Firewall
    > * Symbol AP
    >
    > The tool extracts metadata and configuration, and performs an audit of the
    > configuration by comparing it to the security policy. The data is collected
    > by using telnet, ssh, http, SNMP or serial console. It handles both cli
    > based and VT100 based devices.
    >
    > /Mats
    >

    Which is why TCL is a better choice than perl - much easier to reverse
    engineer - which you will need to do at times even if you are the one
    who wrote it :)
     
    Ben, Feb 10, 2005
    #11
  12. Mats Bredell Guest

    Ben wrote:

    > Mats Bredell wrote:


    >> The tool extracts metadata and configuration, and performs an audit of
    >> the configuration by comparing it to the security policy. The data is
    >> collected by using telnet, ssh, http, SNMP or serial console. It handles
    >> both cli based and VT100 based devices.
    >>

    > Which is why TCL is a better choice than perl - much easier to reverse
    > engineer - which you will need to do at times even if you are the one
    > who wrote it :)


    This was the first time I used TCL, it was an interesting experience. TCL
    was a natural choice since everything started out using Expect. But I
    really like the way TCL is able to handle lists of data, that's nice when
    you're trying to parse a configuration file.

    /Mats

    --
    Mats Bredell
    Uppsala, Sweden
     
    Mats Bredell, Feb 10, 2005
    #12
  13. Mats Bredell Guest

    Ben wrote:

    > Mats Bredell wrote:
    >> Yes, SNMP is the best and easiest to handle. Unfortunately it was rarely
    >> enabled on the devices I was working on (either that or they didn't know
    >> the community strings).
    >>

    > Also the Cisco MIB DOES vary between different chassis making it
    > unreliable for some types of data.
    >
    > I have to totally agree - a set of TCL or Perl scripts is a great way to
    > go. Of course it's much simpler if you start with a list of all the
    > devices.


    The first version of the tool did a simple telnet to the device and was able
    to figure out what kind of device it was, but I removed that function when
    making a new version of the tool.

    There were also problems with bugs in a lot of network devices. Certain
    Nortel Baystacks had an IP stack that was so unstable that it crashed after
    about 5 connects. That's a huge problem when you're debugging the scripts
    and making lots of connections.

    /Mats

    --
    Mats Bredell
    Uppsala, Sweden
     
    Mats Bredell, Feb 10, 2005
    #13
