Tuesday, April 11, 2017

HOW TO DO A NETWORK AUDIT!

Engineers often need to audit a network for a customer, or for a prospective customer with whom they plan to sign a contract. There is no standard rule or technique for how a network audit should be done, but people have worked out a few steps that will help you through the whole process.


CREDIT: /u/VA_Network_Nerd


  • Go one switch at a time, starting from the Internet router, and map out the Layer-1 physical topology first.

  • Ignore VLANs and Subnets at first. Just nail down what is plugged in where. A spreadsheet of interface descriptions and a pencil & paper doodle would be the go-to tools.

  • For the Layer-3 logical topology, document where all the subnets and HSRP members are, as well as STP priorities.

  • Go switch by switch identifying what ports are in what VLAN. The initial 80% of the drawing is pretty easy. The final 20% can be pretty painful.

  • Try to understand the topology by looking at MAC Address counts per port. An end-user port shouldn't have more than 3 to 5 MAC addresses on it. If you have more than that on a port, there is probably another switch on the far end - go find it.

  • Once all of that is done, re-visit each closet and make sure each device has a clear name tag front & rear -- YES, label them on the back too. It helps you avoid yanking the wrong power cable some day. Then update the switch port interface descriptions in accordance with some kind of a naming convention standard.

  • Correct the STP priorities to reduce the chance of any surprises later on. In my opinion, the correct STP topology goes like this:
    1. RPVST up to 500 or so VLANs. Any more than that, MST is the better tool.
    2. The root-bridge is priority 8192. The alternate root is 12288.
    3. Every single switch DIRECTLY attached to either of those is 16384.
    4. Every single switch DIRECTLY attached to those is 20480.
    5. Keep adding 4096 to each layer of the topology beyond that.

  • Apply DHCP Snooping and Port-Security at the user edge.

  • Correct SNMP, Syslog and NTP to comply with standards.

  • Convert your doodles and notes to pretty diagrams in Visio and Spreadsheets and call it a day.
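As an added example (not part of the original post or the quoted comment), this Python snippet works the MAC-count heuristic and the STP priority scheme above against a constructed `show mac address-table` sample; the port names, MAC values, the "more than 5" threshold and the known-uplink list are assumptions.

```python
import re

# Constructed sample of Cisco-style "show mac address-table" output (not captured from a real network).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  20    0011.2233.4403    DYNAMIC     Gi1/0/2
  10    0011.2233.4410    DYNAMIC     Gi1/0/7
  10    0011.2233.4411    DYNAMIC     Gi1/0/7
  10    0011.2233.4412    DYNAMIC     Gi1/0/7
  10    0011.2233.4413    DYNAMIC     Gi1/0/7
  10    0011.2233.4414    DYNAMIC     Gi1/0/7
  20    0011.2233.4415    DYNAMIC     Gi1/0/7
  10    0011.2233.4480    DYNAMIC     Gi1/0/48
  10    0011.2233.4481    DYNAMIC     Gi1/0/48
  10    0011.2233.4482    DYNAMIC     Gi1/0/48
  20    0011.2233.4483    DYNAMIC     Gi1/0/48
  20    0011.2233.4484    DYNAMIC     Gi1/0/48
  30    0011.2233.4485    DYNAMIC     Gi1/0/48
 All    0100.0ccc.cccc    STATIC      CPU
"""

MAC_ROW = re.compile(r"^\s*\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def mac_counts_per_port(table_text):
    """Distinct dynamically learned MACs per port; static/CPU rows are not end stations."""
    seen = {}
    for line in table_text.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group(2).upper() == "DYNAMIC":
            seen.setdefault(m.group(3), set()).add(m.group(1).lower())
    return {port: len(macs) for port, macs in seen.items()}

def suspect_downstream_switches(counts, known_uplinks=(), threshold=5):
    """Ports carrying more MACs than an end-user port should: probably another switch behind them."""
    return sorted(p for p, n in counts.items() if n > threshold and p not in known_uplinks)

def stp_priority(layer, alternate_root=False):
    """Bridge priority for a switch 'layer' hops below the root (layer 0), following the scheme above."""
    if layer == 0:
        prio = 8192
    elif alternate_root:
        prio = 12288
    else:
        prio = 12288 + 4096 * layer  # 16384 one hop down, 20480 two hops, +4096 per further layer
    if prio > 61440:  # bridge priority is a 4-bit field in steps of 4096, so 61440 is the maximum
        raise ValueError("topology too deep for this priority scheme")
    return prio
```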
