Locating Network Devices

Author
Terry Slattery
Principal Architect

Sometimes you really need to know where a given device is located in the network. I can quickly think of three cases:

  • Case 1: Syslog suddenly starts reporting failed login attempts on the routers and switches. Usernames like ‘root’ and ‘admin’ are appearing as failed attempts, with all login attempts originating from the same machine within the network. A virus has infected a machine and it is trying to break into other devices in the network. You have the IP address of the machine that’s attacking the network. Where is it located? Which switch port do you turn off so that you can protect the network?
  • Case 2: A customer is reporting that an application is slow. You have other data that tells you the IP address of the customer’s workstation and that of the server hosting the application. Pinging each shows that one or the other is occasionally dropping packets. You decide to check the error counters on the interfaces, suspecting a possible duplex mismatch. Which switches and switch ports are used for the server and the customer?
  • Case 3: A number of new IP phones, computers, and video conferencing systems are being deployed in a new building. The IT organization is tasked with tracking these assets as they are added to the network and as they are moved around. Are any of the assets disappearing? When are they being disconnected? Should security cameras be checked for theft, or are the devices being moved?

In each of these cases, the network management tools should be able to quickly report the switch and switch port of the device in question. By searching the switch forwarding tables and understanding the spanning tree topology, the NMS can construct the Layer 2 path from the router servicing a subnet to the server or customer workstation in that subnet. Reports on locations and changes in locations should be easily accessible. The asset information needs to be exportable to other asset databases, possibly to correlate with purchasing or leasing information. The MAC address of an asset may be the only way it can easily be tracked as devices are moved across the network. This means that the NMS needs to track MAC addresses and use them to help identify each device.
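The lookup described above, as an added example that is not code from the original article or from any NMS product: it resolves an IP to a MAC through the router's ARP table, then follows the MAC through each switch's forwarding table, crossing inter-switch links until it reaches an edge port. All hostnames, ports and addresses are constructed, and the `ARP`, `FDB` and `LINKS` tables stand in for data an NMS would collect from the devices.

```python
# Constructed sample data; hostnames, ports and addresses are illustrative.
ARP = {  # router ARP table for the subnet: IP -> MAC
    "10.1.20.57": "00:11:22:aa:bb:cc",
    "10.1.20.90": "00:11:22:dd:ee:ff",
}
FDB = {  # per-switch forwarding tables: MAC -> learned port
    "core1": {"00:11:22:aa:bb:cc": "Te1/1", "00:11:22:dd:ee:ff": "Te1/1"},
    "dist1": {"00:11:22:aa:bb:cc": "Gi0/24", "00:11:22:dd:ee:ff": "Gi0/24"},
    "acc3": {"00:11:22:aa:bb:cc": "Gi0/7"},  # second MAC has aged out here
}
LINKS = {  # inter-switch ports on the spanning tree: (switch, port) -> neighbor
    ("core1", "Te1/1"): "dist1",
    ("dist1", "Te0/1"): "core1",
    ("dist1", "Gi0/24"): "acc3",
    ("acc3", "Gi0/48"): "dist1",
}

def locate(ip, start="core1"):
    """Return (mac, path, found). path is the Layer 2 hop list from the
    switch attached to the router; found is True only if the last hop
    is an edge port (a port that is not an inter-switch link)."""
    mac = ARP.get(ip)
    if mac is None:
        return None, [], False          # no ARP entry: host silent or off-subnet
    path, switch, visited = [], start, set()
    while switch not in visited:        # guard against inconsistent link data
        visited.add(switch)
        port = FDB.get(switch, {}).get(mac)
        if port is None:
            return mac, path, False     # entry aged out: trail goes cold here
        path.append((switch, port))
        neighbor = LINKS.get((switch, port))
        if neighbor is None:
            return mac, path, True      # not an uplink, so this is the edge port
        switch = neighbor
    return mac, path, False

if __name__ == "__main__":
    for ip in ("10.1.20.57", "10.1.20.90", "10.1.20.99"):
        print(ip, locate(ip))
```

When a forwarding entry has aged out, the partial path still names the last switch that saw the MAC, which narrows where to look next.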

If you’ve not heard of it, you may want to track IF-MAP (Wikipedia, Infoblox’s Overview Whitepaper), which is a protocol for real-time sharing of network meta-data, such as location information.

Because the assets are connected to the network, using the network to track the assets increases the utility of the network and of the network management applications.

-Terry

_____________________________________________________________________________________________

Re-posted with Permission 

NetCraftsmen would like to acknowledge Infoblox for their permission to re-post this article which originally appeared in the Applied Infrastructure blog under http://www.infoblox.com/en/communities/blogs.html
