Network and routing mess

RodSmithBCANS
Level 1

Hi Everyone

I hope you can help me with this issue. I have inherited a 50-device network that has multiple IP address ranges, for example 192.168 and 10.20. I would like to simplify this network down to a single 192.168 range. I have multiple switches (3750X) and a router (4331). I have worked on Cisco gear before using SSH under instruction, but have no real knowledge. I have two questions: what is the easiest way to find the IP addresses of the gear, and is there any software or GUI I can use to reset or configure the devices to a single IP range? At the moment I have multiple end-user devices that have partial or no network connectivity.

Cheers Rod

5 Replies

pieterh
VIP

First, a warning: there may have been valid reasons in the past to choose different address ranges.
The "partial or no network connectivity" may be on purpose, because the network may be segmented and traffic between segments limited (filtered by access list or firewall). It would be unwise to open up all traffic without knowing the reason behind this.

One method is to use a network discovery tool.
You start with a "seed switch" and, if they are all Cisco brand and CDP is enabled, then CDP (Cisco Discovery Protocol) can be used to detect neighboring switches, add them to the device list and draw a layer-2 map.
Many tools can also discover IP networking and construct the layer-3 map (if no traffic is filtered by firewalls).

There are many tools available; an internet search using "network discovery tool" will give you a broad choice of commercial / free / free-trial software.
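A worked illustration of the seed-switch crawl described in the reply above, added here as an example; it is not code from this thread or from any Cisco tool. It parses the text of IOS `show cdp neighbors detail`, walks the adjacencies breadth-first from a seed address, records which devices could not be queried, and groups every address it found by /16 so the ranges in use (the 192.168 and 10.20 ranges in the question) stand out. The hostnames, addresses, ports and the `SAMPLE_CDP` texts are constructed for the example; in a real run the `fetch` callable would SSH to each address and run the command instead of looking up a dictionary.

```python
import ipaddress
import re
from collections import deque
from dataclasses import dataclass

# Constructed "show cdp neighbors detail" output, keyed by the IP a crawler
# would SSH to. Hostnames, addresses and ports are invented for this example;
# the line layout follows IOS. 192.168.1.3 has no entry, so the crawl has a
# device it cannot query.
SAMPLE_CDP = {
    "10.20.0.1": """\
-------------------------
Device ID: SW-3750X-A
Entry address(es):
  IP address: 10.20.0.2
Platform: cisco WS-C3750X-48P,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/0/0,  Port ID (outgoing port): GigabitEthernet1/0/24
Management address(es):
  IP address: 10.20.0.2
""",
    "10.20.0.2": """\
-------------------------
Device ID: RTR-4331
Entry address(es):
  IP address: 10.20.0.1
Platform: cisco ISR4331/K9,  Capabilities: Router Switch IGMP
Interface: GigabitEthernet1/0/24,  Port ID (outgoing port): GigabitEthernet0/0/0
-------------------------
Device ID: SW-3750X-B
Entry address(es):
  IP address: 192.168.1.2
Platform: cisco WS-C3750X-24P,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/23,  Port ID (outgoing port): GigabitEthernet1/0/24
""",
    "192.168.1.2": """\
-------------------------
Device ID: SW-3750X-C
Entry address(es):
  IP address: 192.168.1.3
Platform: cisco WS-C3750X-24P,  Capabilities: Switch IGMP
Interface: GigabitEthernet1/0/23,  Port ID (outgoing port): GigabitEthernet1/0/24
""",
}


@dataclass(frozen=True)
class Neighbor:
    device_id: str
    entry_ip: str      # address the neighbor advertised ("" if none)
    mgmt_ip: str       # "Management address(es)" block, if the neighbor sent one
    platform: str
    capabilities: str
    local_if: str      # port on the device we queried
    remote_if: str     # port on the neighbor


def parse_cdp_detail(text):
    """Parse IOS 'show cdp neighbors detail' output into Neighbor records."""
    out = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):   # one block per neighbor
        m_id = re.search(r"^Device ID:\s*(\S+)", block, re.M)
        if not m_id:
            continue
        addrs, section = {"entry": "", "mgmt": ""}, ""
        for s in (ln.strip() for ln in block.splitlines()):
            if s.startswith("Entry address(es)"):
                section = "entry"
            elif s.startswith("Management address(es)"):
                section = "mgmt"
            elif s.startswith("IP address:") and section and not addrs[section]:
                addrs[section] = s.split(":", 1)[1].strip()   # keep the first address
            elif s and not s.startswith("IP"):                # any other field ends the list
                section = ""
        plat = re.search(r"^Platform:\s*(.*?),\s*Capabilities:\s*(.*)$", block, re.M)
        ports = re.search(r"^Interface:\s*(\S+),\s*Port ID \(outgoing port\):\s*(\S+)", block, re.M)
        out.append(Neighbor(m_id.group(1), addrs["entry"], addrs["mgmt"],
                            plat.group(1).strip() if plat else "",
                            plat.group(2).strip() if plat else "",
                            ports.group(1) if ports else "", ports.group(2) if ports else ""))
    return out


def crawl(seed_ip, fetch):
    """Breadth-first walk of CDP adjacencies from seed_ip. fetch(ip) returns the
    device's CDP detail text, or None when it cannot be queried (no credentials,
    CDP disabled, traffic filtered, non-Cisco). Returns (edges, reached, unreachable)."""
    edges, reached, unreachable = [], set(), set()
    queue = deque([seed_ip])
    while queue:
        ip = queue.popleft()
        if ip in reached or ip in unreachable:
            continue
        text = fetch(ip)
        if text is None:
            unreachable.add(ip)
            continue
        reached.add(ip)
        for n in parse_cdp_detail(text):
            edges.append((ip, n.local_if, n.device_id, n.remote_if, n.entry_ip))
            if n.entry_ip and n.entry_ip not in reached:
                queue.append(n.entry_ip)
    return edges, reached, unreachable


def address_ranges(ips, prefixlen=16):
    """Group addresses by enclosing prefix to show which ranges are in use."""
    groups = {}
    for ip in ips:
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        groups.setdefault(net, []).append(ip)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in sorted(groups.items())}


if __name__ == "__main__":
    edges, reached, unreachable = crawl("10.20.0.1", SAMPLE_CDP.get)
    for e in edges:
        print("%s %s <-> %s %s (advertised %s)" % e)
    print("reached:", sorted(reached), "unreachable:", sorted(unreachable))
    print(address_ranges(reached | unreachable))
```

Two caveats a practitioner should keep in mind when using this. The address CDP advertises is whatever the neighbor chose to send, so a device may still be managed over a different address (a loopback or SVI) than the one the crawl queues, which is why the `unreachable` set is worth keeping rather than silently dropped. And CDP is an unauthenticated cleartext protocol that hands out platform and software details to anything on the segment, so on ports facing untrusted equipment it is commonly disabled; a neighbor that is missing from the map may simply have it turned off.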

balaji.bandi
Hall of Fame

First you need to start by drawing a simple network diagram: how they are connected, what VLANs are configured, whether the subnets are different in each VLAN, and what they are.

As mentioned in the other post, there may be a reason for the different VLANs and different subnets; they might have grown organically and not been reviewed for the last several years, as the networking changes may not have been defined based on requirements.

You can scan the network, which can give you information on the devices, or use CDP (50 devices is not a big network), so you can plan and start auditing the devices and see what those devices are and where they are located.

Once you have the information, plan what you are looking to do. You also mentioned some devices having issues; see if you can fix them using the new plan, so you can migrate old devices to the new plan you are thinking of.

Also think about DHCP, where the devices get their IP addresses; that is where you can focus on streamlining IPs (if you have one).

BB


Joseph W. Doherty
Hall of Fame

Yours is an interesting posting.  I read it, much like this analogy.

I have a car that's not working well.  Some people have difficulty getting in or out of the car, or even being unable to get in or out of the car, at all.

We had someone who used to take care of this car, but now I must.  I have done some work on the car, under instruction, but have no real knowledge.

I've noticed that all the car's parts don't match in color.  Some are shades of blue, while some are shades of red.  Is there some easy way to identify all the car's parts, and is there a way I can set all the car's parts to be shades of blue (my preference over any shade of red)?

Now, assuming you're someone with some knowledge of cars, what advice would you provide?

With, hopefully, such car knowledge, do you think providing car part identifications and providing a way to change car part colors will help the passenger usage issues?

BTW, car part colors might actually be a problem: not the color itself, but how and where it was applied.  But there are lots of other, possibly more likely, causes of your passenger usage problems too.

The real problem, I believe you face, to mitigate your network problems is your "no real knowledge".

Either you really need to increase that, so you can do your own maintenance and/or repair, to some level, and/or you need to access someone with such knowledge to do so, on your behalf, a network "mechanic".

Don't misunderstand, depth of knowledge is greatly variable.  Some who drive a car, might not know how to even add gas.  Or, besides adding gas, tire air, oil, windshield fluid, do you know how to change oil, change plugs?  If you know how to change oil and plugs, do you know how to repaint car body parts, overhaul an engine, overhaul an automatic transmission, adjust headlights, align wheels, etc.?  (Consider, for networking knowledge, Cisco has entry level, associate level, professional level, expert level certifications, many in particular branches of networking, plus other specialist certifications too.)

The foregoing is a very long setup for this: for someone with "no real knowledge", I would first suggest obtaining such knowledge and/or obtaining additional help, over trying to help you identify network devices with the specific goal being to have all your networking addresses using 192.168.x.x.  (BTW, it's very possible your network would be better using another addressing scheme, but I, and you, don't really know that [yet].  We [you and I] don't know whether that, alone, would mitigate the connectivity issues you note.)

So, my recommendation to you is, if you have immediate network issues, try to find someone, with more networking knowledge, to solve them.  If you can concurrently learn more about networking, so such assistance is needed less, that may, or may not, be worthwhile for you.

If possible, though, it's good to have enough basic knowledge so you know when someone is trying to BS you.

RodSmithBCANS
Level 1

Sorry in advance for the length of my reply but I believe context is important to balance the questions and replies against.

Hi All

First of all, thank you very much for your prompt replies. I have had varying success with support sites over the years and this has definitely been one of my better experiences.  I have been in the IT industry for 40+ years, starting when I bought my first Commodore 64. (Yes, I am aware that makes me old, lol.) Over this time I have provided IT support to mum and dad at home, to small/medium business, right up to a 60 billion a year multinational. This has given me a unique perspective on IT and how people want their IT to work for them. Always from a perspective of "here is a problem, can you please fix it". (This has led to gaps in my knowledge.) I am familiar with most networking concepts and can fault-find issues on "simpler" networks regardless of size. The skill gap I have for this client is my lack of knowledge of SSH and Cisco products. The client's issue is also a little unique. Site is remote, 2000+ km from a major city (over 100 km from me). Patchy internet access, mobile broadband only. Site grew over time, network cobbled together, culminating in an HP server, a few HP switches and about 25 endpoints, which include a few PLCs that require remote access (endpoints will probably grow to up to 50). Then change of management; a very professional and knowledgeable IT Manager steps in, installs 2 servers, 2 routers and 6 switches. Designed to run everything remotely. All hardware installed; however, transfer from old server to new only partially completed, and the IT Manager leaves the company. (I doubt any further access to them is possible, and there is no one locally with that kind of knowledge.) Client decides "local" support needs outweigh the technical proficiency need. Client employs me. The client and I cannot see a business need to keep the operations and admin networks separate, hence my "simplify the network" request. I have made a network map of the site and know physically how everything is connected. I love Joseph's car analogy and could not agree more with his statement,

 “The real problem, I believe you face, to mitigate your network problems is your "no real knowledge".

I fully intend to get educated in Cisco networking, as repair and maintenance will be part of the ongoing expectation by the client. (Can you suggest a starting point?) However, my immediate concern is I don't know how to "open the bonnet" of the Cisco devices, so I can't see what's inside. I am used to equipment like HP ProCurves, where you type in the IP address, log in to its GUI and go from there. Does Cisco have an equivalent? Right now I am in the discovery and connectivity phase, but very shortly I will need to start doing things like checking router logs to help determine why our internet keeps dropping in and out.

I believe my next step is discovering the Cisco device IP addresses and seeing how they are configured. Pieterh mentioned CDP and network discovery tools; do you have any suggestions which ones? Also happy to share the network map if you think it would be helpful.

Once again sorry about the length of this but if you have got this far thanks for your patience. Look forward to hearing from you.

Cheers Rod

Your long reply, I thought, very helpful.

BTW, back in the days of the C64, I had a friend who had one.  Laugh, of course, I had an Atari 800, but if you don't hold that against me, I won't hold the C64 against you.

If you have 40+ years of IT, even if working "with" IT folk, you likely have a lot more general knowledge than you might realize.

Regarding Cisco GUI capabilities, for "Enterprise" equipment, I think they have some support for it, but generally "Enterprise" network folk work with the CLI.  (Cisco's SMB routers and switches, though, most folk might use via their GUI interfaces.)

CLI access on Enterprise network devices, in the past, was normally done via Telnet, but in the last decade or so, many have migrated to SSH.  Basically, the same CLI interaction, just the interactive stream is encrypted.  Of course, there are some other differences, but more with setting the Cisco device up to use SSH, and using an SSH client.  (In some ways, conceptually much like most Internet web sites no longer use HTTP, but now use HTTPS, but as a user, no real difference to the web page presentation.)

There are also various ways to determine logon authentication on Cisco Enterprise network devices, from simple passwords configured on the device, to logons that require an RSA-generated code that changes "randomly" every few seconds, or users/passwords verified against external servers.  (This is AAA in the Cisco parlance, and it has many various features.)

Often much access security is directed at across-the-wire-access, i.e. local "console" access often isn't set up to be as secure (assuming the network device is physically secured), but such "console" access can pretty much support what the across-the-wire-access can do too.

Traditionally, if there's a change of "admins" and you no longer have the credentials to access the device, Cisco Enterprise devices have a way, when you have physical access to the device, to "break" into the device.  Newer devices, though, support a feature to disable that too.  So, in theory, depending how security has been configured, if you don't have the admin credentials, you lose all access to the device.  Possibly, if you return the device to Cisco, they might be able to pull the flash storage chips, and provide you a totally "clean slate", but don't hold me to that.

The reason I mention all the foregoing: depending on how an Enterprise device was configured, and depending on what information you have, you might not be able to configure it at all!  This is assuming you know IPs, and there are even more security wrinkles with those.  For example, the device might only allow access to it, across-the-wire, using a specific device IP and/or interface and/or from a specific remote device IP.  (In fact, the latter might be called a jump box.  You access one device, as another will only accept connections from that device.)

More than likely, your environment isn't doing any of the foregoing, but if it is, do you recognize what you're dealing with or what to do next?

Again, the foregoing is just issues with device access, let alone trying to figure out what was done, whether whatever was done needs "correction", and if correction is needed, what it should be.

With the IT background knowledge you probably do have, you likely have enough knowledge to start to better appreciate, the issues you might encounter.

I agree a great next step is mapping out your topology: what's where, and how is it connected.  Knowing the IP to access a device can be useful (which might not be on a physical interface - often we use logical interfaces to host management IPs - something you would not "see" via CDP), and accessing configs; then understanding configs.

I believe, given enough time, you might suss this out, but it might take lots and lots of time.  These forums, can help, in many ways, but if you have production issues, that you want to resolve, in days, or at most weeks, vs. months or possibly years, I still suggest you might need someone on hand to help you ramp up.

Once you've better documented the network (basically as it should have been, so you would already have this information), you'll likely be able to pare back such assistance, and better plan what you want to do next.

Back to my car analogy, it sounds like you don't have the factory maintenance manual, possibly not even the owner's manual, and possibly not even the right set, or full set, of keys.

Hopefully, the foregoing isn't too depressing, but then, personally, I'm a pessimist.  But, the good side of that, I'm always being pleasantly surprised, rather than always being disappointed.  ; )