Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Tool monitor network

Hello All,

Current network of my company, under router included core switch (cisco 3750) --> middle switch (cisco 3560) --> access switch --> computers/devices

about over 600 computers using IP via DHCP Server. I want to monitor network if there was unauthorized computer/device connect to network.

Could you please told me which software to monitor good on this network system ?.

 

Best regards,

nocandcan

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

NMS = Network Management

NMS = Network Management System. Not a product itself but a type of product.

As far as your original question - it depends. Many products can monitor which devices are connected to your switches.

The bigger question is how do you decide which ones are authorized? Do they need to provide authentication (for example using 802.1x)? How do you account for printers and other devices without an 802.1x supplicant - MAC Authentication Bypass (MAB) is the Cisco solution.

Whichever technical solution you choose to implement your policy, they typically either have their own management tool (like Cisco ISE) or can generate at a minimum syslog messages (like basic 802.1x).

You can send syslog messages off to something as simple as a syslog server running on Linux (free to buy, requires the most know-how and work to use) or a more full-featured product (costs increase according to how much they do and how large your network is).

One popular tool for syslog management is Kiwi Syslog. It's available in a limited freeware version or a licensed version from SolarWinds. (Link) If you move up to the more costly SolarWinds Network Performance Monitor (NPM) it also includes a more full-featured syslog viewer.

12 REPLIES
Silver

hi you can use any NMS

hi you can use any NMS software to monitor the devices you can find the free and license version easily online

New Member

Thanks kaaftabI will test and

Thanks kaaftab

I will test and report the result asap,

 

Best regards,

nocandcan

New Member

Sorry kaaftab,NMS software

Sorry kaaftab,

NMS software mean ? Is that a tool of Solar ?

Thanks.

nocandcan

 

Hall of Fame Super Silver

NMS = Network Management

NMS = Network Management System. Not a product itself but a type of product.

As far as your original question - it depends. Many products can monitor which devices are connected to your switches.

The bigger question is how do you decide which ones are authorized? Do they need to provide authentication (for example using 802.1x)? How do you account for printers and other devices without an 802.1x supplicant - MAC Authentication Bypass (MAB) is the Cisco solution.

Whichever technical solution you choose to implement your policy, they typically either have their own management tool (like Cisco ISE) or can generate at a minimum syslog messages (like basic 802.1x).

You can send syslog messages off to something as simple as a syslog server running on Linux (free to buy, requires the most know-how and work to use) or a more full-featured product (costs increase according to how much they do and how large your network is).

One popular tool for syslog management is Kiwi Syslog. It's available in a limited freeware version or a licensed version from SolarWinds. (Link) If you move up to the more costly SolarWinds Network Performance Monitor (NPM) it also includes a more full-featured syslog viewer.

New Member

I am sorry for my late reply

I am sorry for my late reply.

My network system was distributed in many larger factory areas. In some locations, some computers that user has accessed with administrator right, these are their private computers with some special programs, so I have not controlled admin user of these computers. User can setup IP address and access to my network.

I want to have a tool to monitor and get syslog messages as this case and to manage better my network system.

About Kiwi syslog, this is rather big tool. I would try using this tool to get syslog messages.

About SolarWinds Network Performance Monitor (NPM), I also try using this tool.

Thank you very much.

 

Best regards,

nocandcan

 


 

Hall of Fame Super Silver

If you're concerned about

If you're concerned about users attaching computers with unauthorized locally assigned addresses, you can use DHCP snooping, IP Source Guard and dynamic ARP inspection together to make sure that only devices that have gotten their address legitimately from your DHCP server are allowed to connect.

You can change the port settings to accommodate your static addressed devices such as servers, printers etc.

Here's a link to the configuration guide section on those features. (If you have some very old switches, support might not be there on those devices.)

Hope this helps. Please rate helpful responses.

New Member

I am sorry for my late reply,

I am sorry for my late reply,.

Thank you very much for your reply,

My company of network has often changed computer lay-out, so I can not fix IP and Mac address. And current switch configuration has no configure this.

About Kiwi syslog, the price is rather expensive.

Solarwind NPM requires SQL server, I have no this database.

 

Best regards,

nocandcan

Hall of Fame Super Silver

Well you need to invest in

Well you need to invest in either time (to manually check the syslogs for every device and correlate which are authorized and which are not) or tools (to allow you to automate and correlate some of that information).

If the network changes the computer layout as often as you imply, how would you even know which were the unauthorized computers?

If you truly want zero cost to buy, run Linux on an old spare computer and setup rsyslog to accept remote syslog messages from your access switches. Review and analyze the syslog messages for the ones relevant to a a port becoming active and make an informed decision based on that analysis whether or not it's authorized or not.

New Member

Thank you very much for your

Thank you very much for your reply information.

To my network system, really I have the IP address and Mac address list of the authorized devices, I often manually show Mac Address Table on Cisco switch port, then compare with this list to find out the unauthorized device. This is the passive.

So I want to find and buy a tool / application to do this without doing manually.

About the price, It does not matter but it has accepted because of saving for company but not for me.

 

Best regards,

nocandcan

New Member

Well, then as Marvin said you

Well, then as Marvin said you need some authentication mechanism - not a monitoring tool. 802.1x authentication can be tricky to set up if you have not done it before, but I would concentrate on that to begin with. At least, this seems to be your main concern - reading your first post.

When you got that authentication in place, you can go ahead and syslog from the switches to a central server for authentication errors. Again, as Marvin said, you can get away cheap with some simple linux syslog server, or buy one if you need an easy gui, it´s up to you really and what you are comfortable with.

An nms could look cool in a noc but in many cases those are overrated (depending on your business and design of course). If you got end users connected to access-switches - I´m sure they will call you if they go down :-)

If you want a baseline "light" nms you can alway set up a trap receiver and trap the most common things (could be the same linux server) like env mon (temp, fans etc) uplinks and so on, or syslog...

Good luck!

also check out the already mentioned technologies like dhcp snooping, root guard etc. This will give you some security in the sense of that end users cannot create loops or start their own dhcp etc. You can also set up some id:s in the dhcp that must match with client id:s in order to get an ipadress - I did this with an MS dhcp environment once and it worked quite well, but none of this will really shut unauthorized users from the network, it´s more of a good baseline.

New Member

Dear 1977bjorn"An nms could

Dear 1977bjorn

"An nms could look cool in a noc but in many cases those are overrated (depending on your business and design of course). If you got end users connected to access-switches - I´m sure they will call you if they go down :-)"

Because in my company, some computers that can a personal computer or network system room does not manage admin account, so user can own set up IP address and due to be wittingly or unwittingly happen loop or conflict network.

"also check out the already mentioned technologies like dhcp snooping, root guard etc. This will give you some security in the sense of that end users cannot create loops or start their own dhcp etc. You can also set up some id:s in the dhcp that must match with client id:s in order to get an ipadress - I did this with an MS dhcp environment once and it worked quite well, but none of this will really shut unauthorized users from the network, it´s more of a good baseline"

This is one of the methods to configure for security. I will review and configure more for my network to security.

Now, I was testing with Cacti to monitor.

But if there is any one tool using on Windows interface, this is better.

About the price, If it can be accepted, my company can buy it.

I thank your comments very much,.

And I also thank very much for the ardor support of Marvin.

 

Hall of Fame Super Silver

You're welcome. Please rate

You're welcome. Please rate helpful posts and mark when your question is answered.

Best Regards.

191
Views
0
Helpful
12
Replies
CreatePlease to create content