Monitoring Cisco switches, routers, WLAN controllers and access points
Your organization uses Cisco network equipment including Cisco switches, routers, WLAN controllers, and access points. You're looking for a comprehensive solution to monitor these in the Splunk platform or in Splunk Enterprise Security, with the ability to easily ingest and visualize data relating to these devices.
Data required
Solution
The Cisco Networks Add-on for Splunk Enterprise sets the correct source type and fields used for identifying data from Cisco devices across multiple platforms (IOS, IOS XE, IOS XR, NXOS, and wireless LAN controllers) using Splunk Enterprise or Splunk Cloud Platform.
Devices supported are:
- Cisco Catalyst series switches (2960, 3650, 3750, 4500, 6500, 6800, 7600 etc.)
- Cisco ASR - Aggregation Services Routers (900, 1000, 5000, 9000 etc.)
- Cisco ISR - Integrated Services Routers (800, 1900, 2900, 3900, 4451 etc.)
- Cisco Nexus Data Center switches (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000 etc.)
- Cisco Carrier Routing System
- Cisco IOS-based devices (Metro Ethernet, Industrial Ethernet, Blade Switches, Connected Grid etc.)
- Cisco Access Points
- Cisco WLC - WLAN Controllers
The add-on can be used together with the Cisco Networks App for Splunk Enterprise to access dashboards, data models and logic for analyzing this data in the Splunk platform. This gives you the necessary visibility into your network in order to effectively monitor for any potential security breaches or threats and efficiently troubleshoot any network performance or IT issues.
The app is fully Common Information Model (CIM) compliant and can also be used with Splunk Enterprise Security for advanced security analytics.
Installing the Cisco Networks add-on and app
Install the Cisco Networks Add-on on your search head and indexers or heavy forwarders. The Cisco Networks App should be installed on your search head.
For more installation information, see the Splunkbase pages for the add-on and the app.
Data and visualizations
Using the Cisco Networks app, you can start investigating devices at a high level looking at events by severity to see which devices specifically are generating the most critical or concerning events. Drilling down further, you can identify which types of events predominantly make up the severity alerts you see on those devices, further investigate what else might be occurring on the devices, and determine whether there could be a security or network performance issue present in the environment. Having all of this information in one place makes it easier to quickly identify and remediate these issues.
Opening the app's Overview page, you can see a breakdown of Syslog messages by severity. If something is at the emergency or alert level, you can quickly identify those events by clicking on the corresponding bar on the bar chart to drill down.
You can also see information on port flapping, which hosts are reporting in, general diagnostic messages, and charts showing top and rare mnemonics (the FACILITY-SEVERITY-MNEMONIC identifier at the start of each Cisco syslog message, for example LINK-3-UPDOWN).
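As an added illustration (not code from the Cisco Networks app or add-on), the following Python script parses Cisco-style syslog lines and reproduces, outside Splunk, the views just described: the breakdown by severity, the hosts behind emergency/alert events, top and rare mnemonics, and link-flap detection. The sample log lines, their "timestamp hostname message" framing, the hostnames and the interface names are all constructed for this example; the `%FACILITY-SEVERITY-MNEMONIC:` message format itself is the standard Cisco IOS syslog layout.

```python
import re
from collections import Counter

# Cisco IOS-style syslog message body: "%FACILITY-SEVERITY-MNEMONIC: text".
# SEVERITY is the numeric level 0 (emergencies) through 7 (debugging).
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Interface state-change text carried by LINK-3-UPDOWN and LINEPROTO-5-UPDOWN.
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Constructed sample events in "<timestamp> <hostname> <cisco message>" form.
# Hostnames, interfaces and values are made up for this example.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
2024-05-01T10:00:02Z sw-core-01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
2024-05-01T10:00:09Z sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
2024-05-01T10:00:10Z sw-core-01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
2024-05-01T10:00:31Z sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
2024-05-01T10:00:40Z sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
2024-05-01T10:01:00Z sw-access-07 %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr) 95%/2%
2024-05-01T10:01:05Z sw-access-07 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
2024-05-01T10:02:00Z rtr-edge-01 %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6034A5BC, alignment 0
2024-05-01T10:02:30Z rtr-edge-01 %OSPF-4-ERRRCV: Received invalid packet: mismatched area ID from 10.20.0.2, GigabitEthernet0/1
2024-05-01T10:03:00Z rtr-edge-01 heartbeat ok (non-Cisco noise line, skipped by the parser)
"""


def parse_line(line):
    """Return a dict for one syslog line, or None if it carries no Cisco %FACILITY message."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    timestamp, host, body = parts
    m = MSG_RE.search(body)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {"timestamp": timestamp, "host": host, "facility": m.group("facility"),
            "severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


def events_by_severity(events):
    """Event count per severity name: the Overview page's severity bar chart."""
    return Counter(e["severity_name"] for e in events)


def hosts_with_critical_events(events, max_level=1):
    """Hosts emitting emergency/alert events (level <= max_level): the drill-down from a severity bar."""
    return Counter(e["host"] for e in events if e["severity"] <= max_level)


def mnemonic_counts(events):
    return Counter(f'{e["facility"]}-{e["mnemonic"]}' for e in events)


def top_mnemonics(events, n=3):
    return mnemonic_counts(events).most_common(n)


def rare_mnemonics(events, n=3):
    # Lowest count first; ties broken alphabetically so the result is deterministic.
    return sorted(mnemonic_counts(events).items(), key=lambda kv: (kv[1], kv[0]))[:n]


def flapping_interfaces(events, min_transitions=3):
    """(host, interface) pairs whose physical link changed state at least min_transitions times.

    Only LINK-3-UPDOWN is counted; LINEPROTO-5-UPDOWN follows each physical change and
    would double-count the same flap.
    """
    transitions = Counter()
    for e in events:
        if e["facility"] == "LINK" and e["mnemonic"] == "UPDOWN":
            m = IFACE_RE.search(e["text"])
            if m:
                transitions[(e["host"], m.group("iface"))] += 1
    return {k: v for k, v in transitions.items() if v >= min_transitions}


if __name__ == "__main__":
    ev = parse_logs(SAMPLE_LOGS)
    print("by severity:", dict(events_by_severity(ev)))
    print("emergency/alert hosts:", dict(hosts_with_critical_events(ev)))
    print("top mnemonics:", top_mnemonics(ev))
    print("rare mnemonics:", rare_mnemonics(ev))
    print("flapping:", flapping_interfaces(ev))
```

In Splunk the same grouping is done by the add-on's extracted `facility`, `severity_id` and `mnemonic` fields; the script is only a way to see what those fields mean on raw lines before the data reaches an index.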
Troubleshooting
Let’s say you’re seeing a lot of emergency or alert level messages in the severity distribution. In that case, you can navigate to Inventory > Devices to get a more granular view of the severity messages by device.
In the screenshot below, there are a lot of high severity events happening on the device, so you can start investigating to see if any recent configuration changes have been made.
Go to Audit > Configuration Change Transactions and enter your device hostname/IP in the Host filter (for example, 127.0.0.1). Here you can monitor and audit any configuration changes users have made. From a troubleshooting perspective, configuration changes can sometimes be the cause of a network issue, and this allows you to easily identify who did what and when. This is also important for security because any unauthorized or unexpected changes could indicate potential security breaches or compliance violations.
As you investigate this host, it also makes sense to look at the authentication events happening on it. Go to Security > Authentications to do this. In the screenshot below, the dashboard shows the top connection sources and the most heavily used ports; a sudden concentration of authentication traffic from one source or against one port can be a sign of a DDoS attack or malware propagation. You can also see all authentication transactions and identify any authentications happening on the device you're investigating, as well as on other devices.
You might also want to review access control list (ACL) activity. Navigate to Security > Access Control Lists to see information like protocols by action, top blocked ports, and dropped or rate-limited packets. If you see a lot of traffic to a blocked port, for example tcp://22 as seen below, that could indicate a scanning or intrusion attempt. Alternatively, if that traffic is expected and the port is not supposed to be blocked, you can see that here and adjust the ACL.
You can also see a breakdown of activity by location. So if a lot of blocked or allowed activity is coming from an unexpected location, you can quickly identify that and see which devices that activity is coming from.
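The two checks above (auditing who changed a configuration and when, and reading ACL deny logs for blocked ports and scanning) can be expressed as plain detection logic. The following Python is an added example, not code from the app, and it runs over constructed syslog lines: `%SYS-5-CONFIG_I` messages, which IOS emits when someone leaves configuration mode, and `%SEC-6-IPACCESSLOGP` messages, which an ACL entry with the `log` keyword emits for matching TCP/UDP packets. The hostnames, addresses, user names, the allow-list and the 08:00-18:00 UTC change window are assumptions made for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# %SYS-5-CONFIG_I: Configured from console by <user> on <line> (<ip>)
CONFIG_RE = re.compile(
    r"Configured from (?P<source>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?(?: \((?P<ip>[\d.]+)\))?"
)
# %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Constructed sample events; every host, user and address is made up for this example.
SAMPLE_LOGS = """\
2024-05-01T10:15:00Z rtr-edge-01 %SYS-5-CONFIG_I: Configured from console by netops-admin on vty0 (10.10.0.5)
2024-05-01T23:40:00Z sw-core-01 %SYS-5-CONFIG_I: Configured from console by jdoe on vty1 (192.0.2.77)
2024-05-02T03:05:00Z sw-core-01 %SYS-5-CONFIG_I: Configured from console by netops-admin on vty0 (10.10.0.5)
2024-05-01T10:20:00Z rtr-edge-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51234) -> 10.0.0.1(22), 1 packet
2024-05-01T10:20:01Z rtr-edge-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51235) -> 10.0.0.1(23), 1 packet
2024-05-01T10:20:02Z rtr-edge-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51236) -> 10.0.0.1(445), 1 packet
2024-05-01T10:20:03Z rtr-edge-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51237) -> 10.0.0.1(3389), 1 packet
2024-05-01T10:25:00Z rtr-edge-01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40001) -> 10.0.0.1(22), 12 packets
2024-05-01T10:26:00Z rtr-edge-01 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(40002) -> 10.0.0.1(443), 5 packets
"""


def parse_logs(text):
    """Parse '<ISO timestamp> <host> %FACILITY-SEV-MNEMONIC: text' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        ts, host, body = parts
        m = MSG_RE.search(body)
        if not m:
            continue
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, **m.groupdict()})
    return events


def audit_config_changes(events, allowed_users, change_window=(8, 18)):
    """Flag CONFIG_I events by users outside the allow-list or outside the UTC hour window [start, end)."""
    start, end = change_window
    findings = []
    for e in events:
        if e["facility"] != "SYS" or e["mnemonic"] != "CONFIG_I":
            continue
        m = CONFIG_RE.search(e["text"])
        if not m:
            continue
        reasons = []
        if m.group("user") not in allowed_users:
            reasons.append("user not on allow-list")
        if not (start <= e["time"].hour < end):
            reasons.append("outside change window")
        if reasons:
            findings.append({"host": e["host"], "time": e["time"].isoformat(),
                             "user": m.group("user"), "from_ip": m.group("ip"), "reasons": reasons})
    return findings


def acl_events(events):
    """Structured ACL log entries from SEC-6-IPACCESSLOGP messages."""
    out = []
    for e in events:
        if e["facility"] == "SEC" and e["mnemonic"] == "IPACCESSLOGP":
            m = ACL_RE.search(e["text"])
            if m:
                out.append({"host": e["host"], **m.groupdict()})
    return out


def top_blocked_ports(events, n=3):
    """Denied packets per (protocol, destination port): the 'top blocked ports' view."""
    counts = Counter()
    for a in acl_events(events):
        if a["action"] == "denied":
            counts[(a["proto"], int(a["dport"]))] += int(a["packets"])
    return counts.most_common(n)


def port_scan_sources(events, min_ports=4):
    """Sources denied on at least min_ports distinct destination ports: a horizontal-scan indicator."""
    ports = defaultdict(set)
    for a in acl_events(events):
        if a["action"] == "denied":
            ports[a["src"]].add(int(a["dport"]))
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    ev = parse_logs(SAMPLE_LOGS)
    for f in audit_config_changes(ev, allowed_users={"netops-admin"}):
        print("config change:", f)
    print("top blocked ports:", top_blocked_ports(ev))
    print("likely scanners:", port_scan_sources(ev))
```

The same two detections map naturally onto scheduled searches over the add-on's `CONFIG_I` and ACL events; the point of the script is to make explicit what "unauthorized or unexpected change" and "a lot of traffic to a blocked port" mean as concrete conditions (user, time window, distinct-port count) before you build the alert.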
You can further investigate alerts at the switching level by navigating to Switching > Switching Dashboard.
Monitoring link connect events (interfaces coming up) can help you detect unauthorized devices being plugged into the network, which can head off a security incident or breach. On the IT side, knowing when links come up helps you monitor network load and confirm that traffic is evenly distributed across the available links, which helps prevent network performance issues.
You can also monitor for stacking events. When a switch is joining or leaving a stack, that can be an indication of a hardware failure, configuration error, or physical connectivity issue, helping you minimize your downtime by detecting these problems early.
As you continue investigating these devices, it also makes sense to check them from a performance perspective. The app's performance views show indicators like temperature and power, which help you confirm that nothing is overheating or drawing too much power. If you don't see spikes in temperature or power consumption, you can rule them out as the cause of a network performance issue. Continuously monitoring these metrics also helps extend the life of the equipment.
Next steps
There are many more dashboards in the app you might want to check out, including:
- Time Drift
- DHCP and ARP Inspection
- Spanning Tree and MAC Flapping
- CDP Events
- Wireless Dashboard
To see more of the app's functionality in action, watch the Cisco Networks Splunk App video.
You can also check the Help page in the app which contains all the configuration parameters needed on the network devices to populate all panels.
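The exact parameters the app expects are on that Help page; as an added illustration (not taken from the Help page or from Cisco documentation for this app), the fragment below shows the kind of IOS/IOS XE configuration that produces the events used in this article: timestamped syslog sent to a collector, a syslog line for every configuration command (the Audit > Configuration Change Transactions data), and ACL entries that log their hits (the Security > Access Control Lists data). The collector address, hostname, ACL name and interface are placeholders.

```cisco
! Stamp every message with date, time and zone so the indexer gets a usable event time.
service timestamps log datetime msec show-timezone year
service sequence-numbers
! Put a stable device name in the syslog header.
hostname sw-core-01
logging origin-id hostname
! Ship level 6 (informational) and above to the syslog collector; 10.0.0.50 is a placeholder.
logging trap informational
logging host 10.0.0.50 transport udp port 514
logging source-interface Loopback0
! Log each configuration command as a syslog message, with passwords masked.
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
! ACL entries with the log keyword emit %SEC-6-IPACCESSLOGP messages on a hit.
ip access-list extended EDGE-IN
 deny tcp any any eq 22 log-input
 permit ip any any
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
```

ACL logging is rate-limited by the device and costs CPU on busy interfaces, so apply `log`/`log-input` to the entries you actually want to watch rather than to every line, and send the result to a dedicated index so the volume does not crowd out the rest of the device's syslog.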