
Any useful tips and commands for finding nearby switches & routers? (Cisco IOS)

Theminecraftaddict555

So we are doing a project in one of my college classes where we have to find the specs and IP addressing info of devices in the active "new virtual" network we are connected to. The network contains some switches, routers, and DNS servers. We have the option to use Tera Term/PuTTY to telnet into our default gateway and gather info about the devices located in our "virtual network". So far I have been able to find my default gateway router and have the specs for that. But I am trying to find any other nearby routers and switches inside Cisco IOS. Any tips or commands to help do that?

Don't call me a nerd, it makes me look slightly smarter than you


I feel if you are in an educational environment, you already have the answers to what you want/need...

Community Standards | Fan Control Software

Please make sure to Quote me or @ me to see your reply!

Just because I am a Moderator does not mean I am always right. Please fact check me and verify my answer. 

 

"Black Out"

Ryzen 9 5900x | Full Custom Water Loop | Asus Crosshair VIII Hero (Wi-Fi) | RTX 3090 Founders | Ballistix 32gb 16-18-18-36 3600mhz 

1tb Samsung 970 Evo | 2x 2tb Crucial MX500 SSD | Fractal Design Meshify S2 | Corsair HX1200 PSU

 

Dedicated Streaming Rig

 Ryzen 7 3700x | Asus B450-F Strix | 16gb Gskill Flare X 3200mhz | Corsair RM550x PSU | Asus Strix GTX1070 | 250gb 860 Evo m.2

Phanteks P300A |  Elgato HD60 Pro | Avermedia Live Gamer Duo | Avermedia 4k GC573 Capture Card

 


There is a program specifically for this but it is expressly forbidden for any use other than personal. I'm guessing for legal reasons.


Cisco Discovery Protocol and Link Layer Discovery Protocol are what you want to use

 

EDIT: removed commands so you can't cheat on your homework :)


As above, CDP and LLDP would be a good start. If you are running purely Cisco then don't bother with LLDP.

 

You'll be able to find which device connects to what, the local and remote interfaces that connect them together, the management IP address and the Cisco IOS version for each device in your local CDP table. If you have the management IP then go ahead and try to connect via telnet or SSH and see if the username/password/enable is the same as on the device you can access; that is definitely something I would try in the real world.

 

The clue for that detailed command is literally..... 'detail' ;)

 

You can also obtain some other information via CDP, such as the capabilities of the connected device and the platform.

 

On a local device I would recommend some commands such as:

 

show inventory - you'll find the model name and serial numbers

 

show version - you won't only find the IOS version but also things like memory, flash capacity, the boot image it's using, and other technical information like the base MAC address used in various protocols (depending on the platform)

 

Remember that with IOS and other Cisco platforms you can filter the output of specific commands to only grab lines which include/exclude words.

Instead of going through a ton of info, you can always use something like

 

#show version | include IOS

I'm going to put a link to my PC specs which actually aren't my PC specs and I cry myself to sleep everyday so I can have these PC specs but I can't afford these PC specs so PC specs PC specs PC specs PC specs PC specs PC specs.

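Putting the CDP advice above into something you can run: the script below is an added example (not code from the post or from Cisco) that parses pasted `show cdp neighbors detail` output into the neighbor list, link table and management addresses the reply describes. The sample output embedded in it is constructed; every device name, address and version string in it is made up. Note that this is exactly the data an attacker plugged into an access port reads off CDP, which is why production builds usually leave it enabled only on infrastructure links (`no cdp enable` on user-facing ports).

```python
"""Parse 'show cdp neighbors detail' into a neighbor inventory.
Added example, not code from the forum post; SAMPLE is constructed to look like
IOS output and every name, address and version string in it is made up."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
-------------------------
Device ID: SW-ACCESS-1
Entry address(es):
  IP address: 10.10.0.2
Platform: cisco WS-C2960X-48TS-L,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/1,  Port ID (outgoing port): GigabitEthernet1/0/48
Holdtime : 162 sec

Version :
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E7, RELEASE SOFTWARE (fc3)

advertisement version: 2
Native VLAN: 1
Duplex: full
Management address(es):
  IP address: 10.10.0.2

-------------------------
Device ID: R-EDGE-2
Entry address(es):
  IP address: 10.10.0.6
Platform: Cisco ISR4331/K9,  Capabilities: Router Switch IGMP
Interface: GigabitEthernet0/2,  Port ID (outgoing port): GigabitEthernet0/0/1
Holdtime : 145 sec

Version :
Cisco IOS XE Software, Version 16.09.04

advertisement version: 2
Management address(es):
  IP address: 10.10.0.6
"""

@dataclass
class Neighbor:
    device_id: str
    local_if: str        # our port
    remote_if: str       # their port ("Port ID (outgoing port)")
    platform: str = ""
    capabilities: List[str] = field(default_factory=list)
    addresses: List[str] = field(default_factory=list)
    version: str = ""
    native_vlan: Optional[int] = None

DEVICE_RE = re.compile(r"^Device ID:\s*(\S+)", re.M)
PLATFORM_RE = re.compile(r"^Platform:\s*(.+?),\s+Capabilities:\s*(.*?)\s*$", re.M)
IFACE_RE = re.compile(r"^Interface:\s*([^,]+),\s+Port ID \(outgoing port\):\s*(\S+)", re.M)
VERSION_RE = re.compile(r"^Version :[ \t]*\n(.+)$", re.M)   # first line after 'Version :'
VLAN_RE = re.compile(r"^Native VLAN:\s*(\d+)", re.M)
ADDR_RE = re.compile(r"^[ \t]+IP address:\s*(\d+(?:\.\d+){3})", re.M)

def parse_cdp_detail(text: str) -> List[Neighbor]:
    """One Neighbor per dashed block; blocks without Device ID/Interface are skipped."""
    neighbors: List[Neighbor] = []
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        dev, ifc = DEVICE_RE.search(block), IFACE_RE.search(block)
        if not (dev and ifc):
            continue
        n = Neighbor(dev.group(1), ifc.group(1).strip(), ifc.group(2))
        if (m := PLATFORM_RE.search(block)):
            n.platform, n.capabilities = m.group(1), m.group(2).split()
        if (m := VERSION_RE.search(block)):
            n.version = m.group(1).strip()
        if (m := VLAN_RE.search(block)):
            n.native_vlan = int(m.group(1))
        for ip in ADDR_RE.findall(block):         # entry + management addresses, deduplicated
            if ip not in n.addresses:
                n.addresses.append(ip)
        neighbors.append(n)
    return neighbors

def management_targets(neighbors: List[Neighbor]) -> List[tuple]:
    """(device, address) pairs: the next hops to try over SSH. A neighbor that
    advertises no address (an L2-only switch) still exists; it just has to be
    reached through its own uplink or console."""
    return [(n.device_id, n.addresses[0]) for n in neighbors if n.addresses]

def link_table(neighbors: List[Neighbor]) -> List[str]:
    """'local port -> device remote port (capabilities)', one row per link."""
    return [f"{n.local_if} -> {n.device_id} {n.remote_if} ({', '.join(n.capabilities) or '?'})"
            for n in neighbors]

if __name__ == "__main__":
    for row in link_table(parse_cdp_detail(SAMPLE)):
        print(row)
```

Paste the real output into `SAMPLE` (or read it from a file) and the rows give you the "which port goes to which device" list the assignment asks for; `management_targets` is the list of addresses to try next, one hop out from the device you already have.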

1 hour ago, Jay Deah said:

EDIT: removed commands so you can't cheat on your homework :)

lol nice :)


8 hours ago, Jay Deah said:

-snip-

8 hours ago, BSpendlove said:

-snip-

 

16 hours ago, legacy99 said:

I feel if you are in an educational environment, you already have the answers to what you want/need...

 

15 hours ago, mortino said:

There is a program specifically for this but it is expressly forbidden for any use other than personal. I'm guessing for legal reasons.

Just to let you guys and gals know, our instructor states that we can use online resources/extra software to help us out and our neighbors/classmates too :)

 

Also I realize that my default gateway router also has switchports too? I believe that means it is a layer 3 switch or multilayer switch?


11 minutes ago, Theminecraftaddict555 said:

Just to let you guys and gals know, our instructor states that we can use online resources/extra software to help us out and our neighbors/classmates too :)

 

Also I realize that my default gateway router also has switchports too? I believe that means it is a layer 3 switch or multilayer switch?

So are you on an edge device and need to see up and then out to the rest of the network? Or are you on the core device and need to see all connected devices?

 

It most likely is an L3 switch, pop a show version here or show mod/inv/plat (one of those will work :P) and I can tell you for sure if you want, or just google it :)

Current Network Layout:

Current Build Log/PC:

Prior Build Log/PC:


1 hour ago, Theminecraftaddict555 said:

Just to let you guys and gals know, our instructor states that we can use online resources/extra software to help us out and our neighbors/classmates too :)

Also I realize that my default gateway router also has switchports too? I believe that means it is a layer 3 switch or multilayer switch?

Cool stuff, eh? It doesn't always mean you're connected to an L3/multilayer switch, since you can also get Ethernet modules for a router that are switch ports. Although if you have a look at the number of physical interfaces in either:

 

#show version or #show ip int brief

(I like the output of show ip int brief even if they are just switch ports!)

 

Most likely that would be the case, or you'll get used to the series/line-ups of switches when you #show inventory or #show version.


7 minutes ago, BSpendlove said:

-snip-

Don't forget, it can be different on different platforms because why have uniformity :D

Show int ip brief - ASA

Show ip int brief - L3 only interfaces (NX-OS)

Show int brief - L2 interfaces (NX-OS)

 

 

Then there are pipe commands too which are always enjoyable

show ver | i image - works on most platforms and is one of my go-to commands :)

show logg log | last 50 - works on NX-OS and a few other platforms to get the last X number of lines; I use it mostly for logs

show run | beg (blah) - Really nice if you know where you want to start like at a specific interface number

There is also grep, append, exclude, include, format, redirect, append, begin


8 hours ago, Lurick said:

So are you on an edge device and need to see up and then out to the rest of the network? Or are you on the core device and need to see all connected devices?

 

It most likely is an L3 switch, pop a show version here or show mod/inv/plat (one of those will work :P) and I can tell you for sure if you want, or just google it :)

that is about right. I am on a Workstation trying to find out about all of my devices


9 hours ago, Theminecraftaddict555 said:

that is about right. I am on a Workstation trying to find out about all of my devices

Ah, if you can SSH then a ping sweep from one of the devices will get you where you need to go. Plus the show commands :)


On 2/28/2018 at 6:30 AM, Lurick said:

Ah, if you can SSH then a ping sweep from one of the devices will get you where you need to go. Plus the show commands :)

Before I move on to other questions, do you have any tips on finding remote DNS server specs (Windows, Linux etc.) and finding what they are connected to? The best information I was able to get from them was from the Spiceworks IP address scanner and the Spiceworks agent. They only told me the OS and address of the server but nothing else.


On 2/27/2018 at 2:04 PM, Lurick said:

-snip-

Also show ip int brief on many (all?) ISRs.


6 minutes ago, JoeyDM said:

Also show ip int brief on many(all?) ISR's.

Oh, yes, since ISRs are IOS or IOS-XE which generally follows the same convention :)

 

 

23 minutes ago, Theminecraftaddict555 said:

Before I move on to other questions, do you have any tips on finding remote DNS server specs (Windows, Linux etc.) and finding what they are connected to? The best information I was able to get from them was from the Spiceworks IP address scanner and the Spiceworks agent. They only told me the OS and address of the server but nothing else.

Maybe LLDP if the client NIC supports that could give you some more information.


I would make a bootable Kali Linux USB or run it in a VM and load up Nscan. Then again, I don't think you are taking THIS type of class.


On 3/1/2018 at 11:59 AM, Lurick said:

Oh, yes, since ISRs are IOS or IOS-XE which generally follows the same convention :)

Maybe LLDP if the client NIC supports that could give you some more information.

Never mind, we were authorized to remote into them as long as we don't touch anything :)

On 3/1/2018 at 11:50 AM, JoeyDM said:

Also show ip int brief on many(all?) ISR's.

 

So I'm getting a decent start on the project, but I have some silly questions. Would two separate subnets/WAN links (with the same masks) on a router reaching the same destination router be considered 2 subnets? For example, I have 172.27.43.0/30 and 172.27.42.0/30 connecting to the same destination router, and both have ports bundled in an EtherChannel.

 

Also I realize that some of my router ports connect to a "layer 2 EtherChannel"? Does that mean that those ports are connected to layer 2 switches but just bundled into an EtherChannel? (Take note that the layer 2 switches DO NOT have IP addresses, according to my instructor.)

 

I also realized that when I telnet into "supposedly" 2 different routers, they end up having the same specs and configuration + name. Ex: I telnet into the Core-east router and then into the Core-west router, and I see that they have the same name and identical configurations. (Stacked routers perhaps?)

 

Also here is my strategy so far...

1. show cdp neighbors to reveal directly connected nearby devices

2. show ip route to reveal the network addresses of those nearby devices, marked with a C (directly connected)

3. show run to reveal which port is connected to what by looking at the description of each EtherChannel/interface port (they tell what is connected to what, which is good documentation)

4. Do the same as #3 but also find any available VLAN info.

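As an added example of steps 2 and 3 (not code from the thread), here is a parser that joins the `C` entries of `show ip route` with the interface descriptions and `channel-group` membership from `show running-config`, so each connected prefix is tied to its port, its EtherChannel members, its description and, on a /30, the neighbour's address (the one other usable host, which is the IP to telnet or SSH into next). Both sample outputs are constructed; the hostnames and the two /30 prefixes only echo what the thread mentions.

```python
"""Turn 'show ip route' + 'show running-config' into a port-to-neighbor link map.
Added example, not code from the forum post; both samples are constructed to look
like IOS output (the hostnames, prefixes and descriptions are made up)."""
import ipaddress
import re

ROUTE_SAMPLE = """\
C        10.10.0.0/24 is directly connected, Vlan10
L        10.10.0.1/32 is directly connected, Vlan10
C        172.27.42.0/30 is directly connected, Port-channel1
C        172.27.43.0/30 is directly connected, Port-channel2
"""

RUN_SAMPLE = """\
interface Port-channel1
 description Uplink to CORE-EAST Po1 (primary)
 no switchport
 ip address 172.27.42.1 255.255.255.252
!
interface Port-channel2
 description Uplink to CORE-WEST Po1 (backup)
 ip address 172.27.43.1 255.255.255.252
!
interface GigabitEthernet1/0/1
 description CORE-EAST Gi1/0/1
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 description CORE-WEST Gi1/0/1
 channel-group 2 mode active
!
interface GigabitEthernet1/0/10
 description ACCESS-SW1 Gi0/48 (L2 switch, no IP)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
!
"""

CONNECTED_RE = re.compile(r"^C\s+(\S+/\d+) is directly connected, (\S+)", re.M)

def parse_connected(route_text):
    """interface -> prefixes from 'C' routes; the 'L' /32s are this box's own addresses."""
    links = {}
    for prefix, iface in CONNECTED_RE.findall(route_text):
        links.setdefault(iface, []).append(prefix)
    return links

def parse_interfaces(run_text):
    """Per interface: description, IP/prefix, channel-group, L2 (switchport) or not, trunk VLANs."""
    ifaces, cur = {}, None
    for raw in run_text.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            cur = ifaces[m.group(1)] = {"description": "", "ip": None, "channel_group": None, "l2": False, "trunk_vlans": None}
            continue
        if cur is None or not raw.startswith(" "):
            cur = None                       # '!' or any other top-level line ends the block
            continue
        line = raw.strip()
        if line.startswith("description "):
            cur["description"] = line[12:]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["ip"] = str(ipaddress.ip_interface(f"{ip}/{mask}"))
        elif line.startswith("channel-group "):
            cur["channel_group"] = int(line.split()[1])
        elif line.startswith("switchport"):  # 'no switchport' does not match, so L3 ports stay False
            cur["l2"] = True
            if line.startswith("switchport trunk allowed vlan "):
                cur["trunk_vlans"] = line.split()[-1]
    return ifaces

def members(ifaces, po_name):
    """Physical ports bundled into Port-channelN: those configured 'channel-group N'."""
    n = int(re.search(r"(\d+)$", po_name).group(1))
    return [name for name, i in ifaces.items() if i["channel_group"] == n]

def peer_address(local):
    """On a /30 point-to-point link the only other usable host is the neighbour."""
    iface = ipaddress.ip_interface(local)
    others = [str(h) for h in iface.network.hosts() if h != iface.ip]
    return others[0] if len(others) == 1 else None

def build_link_map(route_text, run_text):
    """Rows for each connected prefix, plus the L2-only ports the routing table never shows."""
    connected, ifaces = parse_connected(route_text), parse_interfaces(run_text)
    rows = []
    for name, prefixes in connected.items():
        i = ifaces.get(name, {})
        for prefix in prefixes:
            rows.append({"interface": name, "prefix": prefix, "description": i.get("description", ""),
                         "members": members(ifaces, name) if name.startswith("Port-channel") else [],
                         "peer": peer_address(i["ip"]) if i.get("ip") else None})
    l2_only = {n: i for n, i in ifaces.items() if i["l2"] and i["ip"] is None}  # seen only via CDP/LLDP or description
    return rows, l2_only
```

The L2-only ports come back separately on purpose: a switch with no IP address never appears in `show ip route`, so its existence has to be recovered from CDP/LLDP or from the port description, which is exactly the gap step 4 is filling.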

8 hours ago, Theminecraftaddict555 said:

-snip-

Primary and backup WAN links are the first thing that comes to mind, coupled with redundant links in case something happens to one, so you'll still have primary path access.

 

They don't have to be going to L2 switches, just L2 ports on the connected switches themselves.

 

Stacked is one possibility, but the other is a VRF to separate East and West. VRFs work at Layer 3, so I would have to assume these are L3 links and ports, correct?

 

Try "show lldp neighbor" or "show cdp neigh detail" as well


If you can use any resources, then you can do something as simple as netcat to scan an IP range, and maybe each device, for port 22. Or you could use nmap to achieve the same thing, but you can be a little more creative in device discovery. If you're stuck with a Windows box, then Zenmap would be the easiest.

 

If you're given the task to discover devices on the network, I'd hope there was some reading/lecture leading up to this lab?

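Following up on the netcat/nmap suggestion, here is an added example (not from the post, and not a wrapper around either tool) of the same idea in Python: sweep a CIDR for the two ports an IOS box exposes its CLI on, and flag hosts that answer only on telnet, since any credential you then reuse across those boxes crosses the wire in cleartext. The probe function is injectable so the logic can be exercised offline; `tcp_probe` makes real connections and belongs only on ranges you are authorized to scan, such as the class network. The addresses in the usage line are constructed.

```python
"""Sweep a subnet for the IOS management services and flag the cleartext one.
Added example, not code from the forum post and not a wrapper around nmap or
netcat. The probe is injectable so the logic can be exercised offline;
tcp_probe() makes real connections and is only for ranges you are authorized
to scan. Addresses used in the demo are constructed."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

PORTS = {22: "ssh", 23: "telnet"}   # the two ways into an IOS CLI over the network

def tcp_probe(ip: str, port: int, timeout: float = 0.5) -> bool:
    """True when a TCP handshake completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0

def sweep(cidr: str, probe: Callable[[str, int], bool] = tcp_probe,
          ports: Dict[int, str] = PORTS, workers: int = 64) -> Dict[str, List[str]]:
    """host -> open service names, for every usable address in cidr (a /30 has two)."""
    net = ipaddress.ip_network(cidr, strict=False)
    targets = [(str(h), p) for h in net.hosts() for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: (t, probe(*t)), targets))
    found: Dict[str, List[str]] = {}
    for (ip, port), is_open in results:
        if is_open:
            found.setdefault(ip, []).append(ports[port])
    return found

def triage(found: Dict[str, List[str]]) -> Dict[str, str]:
    """Which service to use per host. Telnet-only boxes are the finding to write up:
    the password (and the enable secret) cross the wire in cleartext, and a shared
    credential reused on them exposes every device it is shared with."""
    verdict = {}
    for ip, svcs in sorted(found.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if "ssh" in svcs:
            verdict[ip] = "use ssh" + (" (telnet also open: disable it)" if "telnet" in svcs else "")
        else:
            verdict[ip] = "telnet only: cleartext credentials"
    return verdict

if __name__ == "__main__":
    import sys
    # e.g. python sweep.py 172.27.42.0/30   (range constructed from the thread's example)
    for ip, why in triage(sweep(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/30")).items():
        print(ip, why)
```

A TCP connect on port 22 or 23 only tells you that a CLI is listening, not what platform it is; the device details still come from logging in and running the show commands, and the CDP table tells you which of the hosts that answered are the switches and routers you are after.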

17 hours ago, Lurick said:

-snip-

So what you mean is that they are connected to L2 ports on L3 switches?

 

The description of the east and west does state something about VRFs. Could you possibly explain briefly how that works and how it looks in a topology?


On 3/2/2018 at 6:36 AM, Theminecraftaddict555 said:

Before I move on to other questions, do you have any tips on finding remote DNS server specs (Windows, Linux etc.) and finding what they are connected to? The best information I was able to get from them was from the Spiceworks IP address scanner and the Spiceworks agent. They only told me the OS and address of the server but nothing else.

Use a scan tool like nmap; it'll tell you what ports and services are open.


7 hours ago, Theminecraftaddict555 said:

So what you mean is that they are connected to L2 ports on L3 switches?

 

The description of the east and west does state something about VRFs. Could you possibly explain briefly how that works and how it looks in a topology?

Correct.

VRF stands for virtual routing and forwarding. It allows multiple routing instances to exist on the same box, so that the same IP addresses can exist on the same box but in two different routing tables. Think of it like a townhouse: they share the same overall building but are divided up so multiple people can live there at the same time. The major drawback is that if you want to use the same VLAN for two different groups, you can't, since the VRF can only be configured on the SVI; you would need to create two VLANs and two SVIs, or buy another switch, which can get expensive.

 

Obviously it's not a perfect solution and there are security issues and concerns around it. Not to go too far down the rabbit hole, but there are also VDCs (Virtual Device Contexts) which are like VRFs on steroids in that it's a completely separate device context that just resides on the same hardware. You can use the same VLANs, same SVIs, same IP addresses, etc. and it meets HIPAA and other government requirements in that traffic is completely isolated and can't be leaked between VDCs without physical links to allow that. VDCs exist on data center gear only, as far as I'm aware, such as the Nexus 7000 platform.

 

 

From a topology perspective it would be the same box but with two or more SVIs (L3 VLAN interfaces) configured along with a "vrf member blah" or similar command, on each SVI.

 

 

 

Edit:

Just to clarify, there are many other ways to segment off hosts and stuff but those are just a couple of the most common for route segmentation and whatnot.

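To make the VRF description concrete, here is an added example (not code from the post, and a simplified model rather than a real RIB) of what "the same IP addresses in two different routing tables" means in practice: two SVIs with identical prefixes placed in VRFs EAST and WEST, each VRF with its own default route out its own uplink. The VRF of the interface a packet arrives on selects the table, so a host in EAST is never routed into WEST's copy of the prefix; that only happens if someone explicitly leaks routes between the two, which is where the "security concerns" mentioned above come in. The VRF names, VLANs and prefixes are made up.

```python
"""Two VRFs on one box: the same prefix in two routing tables, no leaking between them.
Added example, not code from the forum post; a simplified model of VRF forwarding
(longest-prefix match per table), not a real RIB. Names, VLANs and prefixes are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[str] = None      # None = directly connected

class VrfTable:
    """One routing table; each VRF (and the global table) has its own."""
    def __init__(self, name: str):
        self.name = name
        self.routes: List[Route] = []

    def add(self, prefix: str, iface: str, next_hop: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), iface, next_hop))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; None means no route, so the packet is dropped."""
        addr, best = ipaddress.ip_address(dst), None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

class VrfRouter:
    def __init__(self) -> None:
        self.vrfs: Dict[str, VrfTable] = {"global": VrfTable("global")}
        self.iface_vrf: Dict[str, str] = {}   # the 'vrf member X' / 'ip vrf forwarding X' binding

    def svi(self, iface: str, prefix: str, vrf: str = "global") -> None:
        """'interface VlanN' with 'vrf member <vrf>' and an IP: the connected route
        goes into that VRF's table and nowhere else."""
        self.iface_vrf[iface] = vrf
        self.vrfs.setdefault(vrf, VrfTable(vrf)).add(str(ipaddress.ip_interface(prefix).network), iface)

    def static(self, vrf: str, prefix: str, next_hop: str, iface: str) -> None:
        """A static route installed in one VRF's table only ('ip route vrf <vrf> ...')."""
        self.vrfs[vrf].add(prefix, iface, next_hop)

    def forward(self, ingress_iface: str, dst: str) -> Tuple[str, Optional[Route]]:
        """The VRF of the interface a packet arrives on decides which table is consulted."""
        vrf = self.iface_vrf.get(ingress_iface, "global")
        return vrf, self.vrfs[vrf].lookup(dst)

def build_sample() -> VrfRouter:
    """A core switch carrying an 'EAST' and a 'WEST' tenant on the same hardware."""
    r = VrfRouter()
    r.svi("Vlan100", "10.1.0.1/24", vrf="EAST")     # same user prefix in both VRFs,
    r.svi("Vlan200", "10.1.0.1/24", vrf="WEST")     # on different SVIs
    r.svi("Vlan201", "10.2.0.1/24", vrf="WEST")     # exists only in WEST
    r.svi("Vlan10", "10.10.0.1/24")                 # management, global table
    # Each VRF has its own default route out its own uplink (the east/west /30s).
    r.static("EAST", "0.0.0.0/0", "172.27.42.2", "Port-channel1")
    r.static("WEST", "0.0.0.0/0", "172.27.43.2", "Port-channel2")
    return r
```

Run `build_sample().forward("Vlan100", "10.2.0.5")` and the answer is EAST's default route out Port-channel1, even though 10.2.0.0/24 is directly connected on this very box in WEST: from the hosts' point of view "Core-east" and "Core-west" behave as two routers that happen to share one chassis, one config and one hostname, which is what the thread observed.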

7 hours ago, Lurick said:

-snip-

So the core-east and core-west routers would be just SVIs on the same router?


2 minutes ago, Theminecraftaddict555 said:

So the core-east and core-west routers would be just SVIs on the same router?

Yah, with the vrf command on each.


1 minute ago, Lurick said:

Yah, with the vrf command on each.

Oh ok, for example let's say I have another router that has 2 connections to the core router, one connected to the east core while the other is connected to the west core. It would just be saying that the router's connections are going to the same router but entering the same destination through virtual interfaces?

