I'd like to try and build a diagram of my companies network as a learning exercise

Do you guys think this is a bad idea? I have credentials to the routers and switches but I'm not permitted to make any changes unless given instruction to. The network is pretty large and I think that with a few tools (Mainly CDP which is enabled everywhere) I could sketch out the network in due time just to learn how things are setup here. I'm in a tech support role but want to get to networking and they know it here. Basically, all I'd do is map out in my notebook all network devices (servers, switches, routers) except for user workstations and label IP addresses and all. I think it would be a useful exercise for me. Anyone see anything wrong with this? Could something go wrong?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

clarknova

I think you could use:

show cdp neighbors
show cdp neighbors detail

To create a logical diagram of your network. The only thing that might go wrong is that you need to be in global exec mode, just don't make any changes. Just start with your core switch and work your way out I guess.

You could also use Cisco Network Assistant and it will draw it all up for you using CDP information, but where's the fun or opportunity to learn in that?

Zartanasaurus

You aren't going to break anything just doing show commands.
These should get you a nice little map to start working with:

sh cdp neighbor
sh lldp neighbor
sh spanning-tree root
sh vlan br
sh int trunk
sh etherchannel summary
sh int status: List of transceiver types, duplex/speed negotiations.
sh protocols: The fastest way I know to get IP/mask info for interfaces.
sh ip protocols: Routing protocol info.
sh ip int | i line|access_list: Determine if an access-list is applied to a port.
sh ip int | i line|access_list|Internet: Same as previous plus adds IP/prefix length configurations. There's lots of good info under sh ip int like MTU, WCCP, CEF, ICMP that you can add to this command if you want.
sh errdisable recovery is good to see if anyone enabled timers to recover from storm-control, bpdugard and such.

RouteThisWay

It is a good exercise.

I did the same thing when I started my sys admin job- only because there was no documentation so I created a visio diagram of my physical infrastructure.

I am a visual learner so seeing a map of it all really helped lay it out in my mind.

lantech

The only thing I might do before you undertake this is to ask for permission. Doing this might get a few people nervous that you are trying to hack into the network from the inside.

CodeBlox

Zartanasaurus wrote: »

You aren't going to break anything just doing show commands.
These should get you a nice little map to start working with:

sh cdp neighbor
sh lldp neighbor
sh spanning-tree root
sh vlan br
sh int trunk
sh etherchannel summary
sh int status: List of transceiver types, duplex/speed negotiations.
sh protocols: The fastest way I know to get IP/mask info for interfaces.
sh ip protocols: Routing protocol info.
sh ip int | i line|access_list: Determine if an access-list is applied to a port.
sh ip int | i line|access_list|Internet: Same as previous plus adds IP/prefix length configurations. There's lots of good info under sh ip int like MTU, WCCP, CEF, ICMP that you can add to this command if you want.
sh errdisable recovery is good to see if anyone enabled timers to recover from storm-control, bpdugard and such.

Those are most of the commands I was planning on using. I'm just in fear that if I run these commands, it may bog down the devices and crash them. Not that we have antiquated or "weak" hardware. It's just, I learned that doing debug commands on production routers is not exactly a good thing to do without filtering them. I have a fear that if I do show ip route I may crash the router as silly as it may sound.

YFZblu

If you're afraid of bogging down the CPU's, why not ask the network engineers what they think?

lordy

The debug commands can be dangerous but the show command listed should be fine.

Go ahead, this will be a good training. While you are at it you should look at creating a Layer 2 and a Layer 3 diagram. Packets do not always take the way you assume with Spanning-Tree enabled

joehalford01

I think this would be a great exercise, you should definitely ask for permission first though - they shouldn't care, but you never know.

NetworkVeteran

CodeBlox wrote: »

I'm just in fear that if I run these commands, it may bog down the devices and crash them.. I learned that doing debug commands on production routers is not exactly a good thing to do

If you were enabling CDP or LLDP, I'd be worried, but just displaying the CDP/LLDP info they already collected? Should be fine. "sh cdp nei" and "sh lldp nei" aren't particularly CPU intensive.

I would be somethat cautious... perhaps log your session from start to end... in case something goes wrong on one of those devices, you don't want them wondering if you caused it.

CodeBlox

CDP is already enabled on all devices so it seems. I feel that I have the knowledge to do this. It's going to take a lot of paper thats for sure. Another question is should I even use paper or some diagramming software (Visio or something similar)? There are a LOT of devices on this network. I also like the layer 2/ 3 diagramming suggestion.

Roguetadhg

Why not use GNS3?

I've had easier time creating/changing a network diagram around with GNS3 than visio. I admit, my experience with visio isn't drawing network diagrams though - racks, floorplans.

jfitzg

lantech wrote: »

The only thing I might do before you undertake this is to ask for permission. Doing this might get a few people nervous that you are trying to hack into the network from the inside.

100% this. Depending management where you work, if you embark on something like this on your own without telling anyone you could get fired and potentially led out in handcuffs. Most likely not but there is more certainly a chance, and better safe than sorry. And who knows, your boss may even be impressed by your initiative/drive to learn!

Hypntick

Heck when you do get permission, if you're thorough enough you may end up with a more accurate diagram of the network than is currently available. Might impress someone higher up.

FloOz

i have been wanting to do this at my current job as well, however, im nervous i may accidently mess something up