How To Reverse Engineer A Network

dppagc Posts: 293 Member
Hi everyone,

Is there any way for someone to "reverse engineer" a network?
I am looking through thousands and thousands of lines of config and I don't even know how to start off.
Especially those router ospf 1 network x.x.x.x commands.

Comments

  • negru_tudor Senior Member Posts: 473 Member
    Start off simple I guess:

    - use CDP/LLDP and Telnet/SSH to draw a network topology
    - use "show ip int brief" on each device to get some info on connected interfaces etc.
    - use the "show ip prot" command to see what routing protocols you've deployed
    - look for L2 trunks/etherchannels between switches and try to draw up a STP diagram (root ports, designated, blocking etc).

    Then you could go deeper and look for tunnels, ACLs, QoS etc.

    I don't think there's a "one way" to do things. Just start off with whatever you're most comfortable with and build upon that I guess.
    2017-2018 goals:
    [X] CIPTV2 300-075
    [ ] SIP School SSCA
    [X] CCNP Switch 300-115 [X] CCNP Route 300-101 [X] CCNP Tshoot 300-135
    [ ] LPIC1-101 [ ] LPIC1-102 (wishful thinking)
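
For the `router ospf 1` / `network x.x.x.x` lines the original question mentions, the sketch below (an added example, not code from anyone in this thread) reads a saved running-config and reports which OSPF area each interface falls into. The sample config is constructed, and the rule that the most specific matching `network` statement decides the area is an assumption to confirm on the device with `show ip ospf interface brief`.

```python
import ipaddress
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.1.20.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 192.168.50.1 255.255.255.0
router ospf 1
 network 10.255.0.1 0.0.0.0 area 0
 network 10.1.12.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 10
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_config(text):
    """Return ({interface: ip_int}, [(net_int, wildcard_int, area)])."""
    interfaces, networks, current = {}, [], None
    for line in text.splitlines():
        if not line.startswith(" "):      # a top-level line opens a new section
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
        elif current and (m := re.match(r"\s+ip address (\S+) (\S+)$", line)):
            interfaces[current] = to_int(m.group(1))   # primary address only
        elif m := re.match(r"\s+network (\S+) (\S+) area (\S+)", line):
            networks.append((to_int(m.group(1)), to_int(m.group(2)), m.group(3)))
    return interfaces, networks

def ospf_areas(text):
    """Map each interface to an OSPF area, or None if no statement covers it."""
    interfaces, networks = parse_config(text)
    result = {}
    for name, ip in interfaces.items():
        best = None                        # (specificity, area)
        for net, wild, area in networks:
            care = ~wild & 0xFFFFFFFF      # wildcard 0-bits are the bits that must match
            if (ip & care) == (net & care):
                specificity = bin(care).count("1")
                if best is None or specificity > best[0]:  # assumption: most specific wins
                    best = (specificity, area)
        result[name] = best[1] if best else None
    return result

if __name__ == "__main__":
    for ifname, area in ospf_areas(SAMPLE_CONFIG).items():
        print(f"{ifname:22} area {area}")
```

Interfaces that come back as `None` are not covered by any `network` statement, which is worth noting on the diagram next to the areas.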
  • Hondabuff Posts: 667 Member
    dppagc wrote: »
    Hi everyone,

    Is there any way for someone to "reverse engineer" a network?
    I am looking through thousands and thousands of lines of config and I don't even know how to start off.
    Especially those router ospf 1 network x.x.x.x commands.


    We will assume that you are a server guy and your network guy quit or got fired. Take tudor's advice or download a trial version of Netbrain and run it on your network and see what the topology comes out as. Any Jr. Network Engineer should be able to complete this task without too much trouble. Mapping out unknown networks is as much fun as hunting for a burnt out bulb in a strand of Christmas lights. Document, Document, Document!!
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • mbarrett Posts: 397 Member
    Documentation comes to mind. Or start talking to people.
    If you are truly running 100% blind there are some basic assumptions you can make based on your organization, offices, everyone who "should" have service. Work backwards off of what you already know.
  • networker050184 Posts: 11,962 Mod
    When doing something like this I prefer to start at a much higher level than jumping in the configs. Learn "what" the network is doing before "how" it's being done.
    An expert is a man who has made all the mistakes which can be made.
  • Legacy User Posts: 0 Unregistered / Not Logged In
    Is there any documentation/diagrams of the network? Issuing the show commands mentioned by negru_tudor would get you started but it will be a pain to get the high level view without a visual representation of the network. Try Netbrain. I haven't used it but based on the ads I've seen it should be able to map out your network.
  • beads Posts: 1,442 Member
    Visio is your friend when other tools are unavailable (NetBrain is awesome). NMap can give you a start as well. Your premise question to many of us would be: Yes, easily once you have some practice doing it.

    - b/eads
  • dppagc Posts: 293 Member
    I am not a server guy.
    Unfortunately, the team taking over says that the old documentation may be wrong.
    I don't know how to start with thousands of lines of config.
  • networker050184 Posts: 11,962 Mod
    As I said, don't start with the config. Start with a general understanding of what the network is doing. If you know what's going on then the config will become more clear.
    An expert is a man who has made all the mistakes which can be made.
  • beads Posts: 1,442 Member
    dppagc;

    Your documentation is "wrong" or out of date every time you make the slightest change to the network. No worries there. Start by identifying your Class address(es), ping sweep those and start drawing. You'll probably be shocked how complex your network really is in short order.

    Don't worry. Without an automapper running your documentation already sucks. It's a matter of coming to terms with not knowing everything.

    - b/eads
  • daveyb Posts: 28 Member
    beads wrote: »
    Start by identifying your Class address(es),

    Your what now? Classful addressing was deprecated over 20 years ago.
  • beads Posts: 1,442 Member
    Perhaps daveyb misunderstands the initial concept here. Allow me to be a bit more pragmatic for you. Start by understanding what addressing you're "supposed" to be using internally. I've seen far too many 10.0.0.0/8 addresses used in enterprise networks, even small SMBs where a series of class B's or C's would be much more helpful. Does what you're seeing match what you're actually using or not? Oft times they have only a little in common with "what they should be doing". DHCP is another service that gets readily abused and needs to be reined in so look there.

    Sorry, daveyb with small letters that I wasn't clear enough. What did you think I meant?

    Pedantic lately?

    - b/eads