Evil_TTL> show | s

Network Audit

Category:Design and Architecture

Collecting network information:

  • Device type
  • CPU type
  • Memory size and utilization
  • Flash size
  • OS Software version
  • Configuration
  • Routing tables // If it is a router or L3 switch
  • Interface types
  • Speeds
  • Average link utilizations
  • Unused interfaces, modules, slots

You can use NBAR to do traffic analysis and arrange the gathered information neatly, for example:

Application №3:

  • Description: Accounting software
  • Protocol: TCP port 5021
  • Servers: 2
  • Clients: 90
  • Scope: Campus
  • Importance: High
  • Avg. rate: 60 Kbit/s with 5-sec bursts to 300 Kbit/s


From a CCDA book:

The network audit should provide the following information:
¦ Network device list
¦ Hardware models
¦ Software versions
¦ Configuration of network devices
¦ Auditing tools output information
¦ Interface speeds
¦ Link, CPU, and memory utilization
¦ WAN technology types and carrier information

When performing manual auditing on network devices, you can use the following commands
to obtain information:
¦ show tech-support
¦ show processes cpu (provides the average CPU utilization information)
¦ show version
¦ show processes memory
¦ show log
¦ show interface
¦ show policy-map interface
¦ show running-config (provides the full router or switch configuration)

Network Checklist
The following network checklist can be used to determine a network’s health status:
¦ New segments should use switched and not use dated hub/shared technology.
¦ No WAN links are saturated (no more than 70 percent sustained network utilization).
¦ The response time is generally less than 100ms (one-tenth of a second); more commonly, less than 2ms in a LAN.
¦ No segments have more than 20 percent broadcasts or multicast traffic. Broadcasts are sent to all hosts in a network and should be limited. Multicast traffic is sent to a group of hosts but should also be controlled and limited to only those hosts registered to receive it.
¦ No segments have more than one cyclic redundancy check (CRC) error per million bytes of data.
¦ On the Ethernet segments, less than 0.1 percent of the packets result in collisions.
¦ A CPU utilization at or more than 75 percent for a 5-minute interval likely suggests network problems. Normal CPU utilization should be much lower during normal periods.
¦ The number of output queue drops has not exceeded 100 in an hour on any Cisco router.
¦ The number of input queue drops has not exceeded 50 in an hour on any Cisco router.
¦ The number of buffer misses has not exceeded 25 in an hour on any Cisco router.
¦ The number of ignored packets has not exceeded 10 in an hour on any interface on a Cisco router.
¦ QoS should be enabled on network devices to allow for prioritization of time-sensitive or bandwidth-sensitive applications.

By privilege15