7 Ways to Slam Dunk Your Next Network Assessment Using Auvik

So, you’re an MSP that’s recently won a new client. As part of the deal, you’ve promised a network assessment: a look at the overall network to determine if there are any glaring issues that will interfere with day-to-day operations. The topology is vast, spanning multiple sites and dozens of switches and firewalls. How do you act quickly? And what should you be looking for?

Here are 7 network assessment tasks Auvik can help you easily complete. Armed with this information, let’s land you some quick wins with your new client and set the stage for a positive working relationship.

See what’s out there

Having worked with hundreds of MSP partners, I still smile when I hear that Auvik has been able to discover devices a partner (and even the client) had no idea were out in the wild. What sort of things has been found before?

• Unmanaged switches plugged into employee cubicles and used to connect unauthorized devices
• Private Access Points so users could bypass corporate Wi-Fi
• A series of switches in the ceiling of a building that the client had completely forgotten were still active
• Unauthorized wireless cameras (!!!)

How to see what’s out there with Auvik

In Auvik, the Inventory & All Devices grid shows you all devices currently or recently connected to the network. Where it’s available, data from protocols like SNMP, WMI, and VMware automatically classify devices.

Important biodata about your network devices is also gathered automatically, including serial numbers and firmware versions.

Pro tip: Such information is invaluable during a compliance audit to make sure your gear is running the latest firmware. In one case, a partner found a bug in a switch vendor’s firmware and used Auvik to ensure the hundreds of other switches they had deployed were running firmware that had patched the bug.

Ensure enough IP addresses

In an environment with a lot of device churn, it’s critical to ensure there are sufficient IP addresses available to hand out to clients. Without enough IP addresses, clients that are, say, attempting to hop on guest Wi-Fi won’t be able to do so. Existing users may find sessions dropped. You’re network assessment will turn this up pretty quickly.

How to ensure enough IP addresses with Auvik
Auvik models networks as entities. Each entity has a dashboard within Auvik. On a network dashboard, hover your mouse over Inventory. You’ll notice a tab called Devices. Click on it.

From the resulting grid, sort the IP address(es) column from low to high. This gives you a list of all the IP addresses currently in use for the subnet. Using this data, you can determine how many IPs are in use.

Pro tip: You can apply a filter to see only devices that are currently up.

If you’re averaging 80-90% utilization of available IPs, you may need to consider a few different strategies:

• Increase the DHCP address pool. Through classless interdomain routing, you have the ability to define subnets of varying sizes and scopes. Decreasing your subnet mask increases the number of IP addresses available.
• Decrease your DHCP lease time. In environments like coffee shops, reserving an IP for more than 60 minutes is wasteful, considering your average customer (and their devices) won’t be there for more than an hour. The lower the lease time, the more quickly IPs are returned to the available pool.
• Enable MAC address spoofing protection on your devices. This helps prevent DHCP starvation attacks.
• Identify broadcast storms

A storm of broadcast packets is sometimes expected behavior—for example, when a network is brought back online after an outage and all clients are attempting to negotiate an IP address. But in normal cases, having a continuous stream of broadcast packets in a network segment or from a specific host is suspicious.

Without deep network visibility, you may only be tipped off by angry users or by randomly looking at interface counters on your switches. But in Auvik there are multiple ways to identify broadcast storms.

How to identify broadcast storms with Auvik

Get an alert on storms.

There’s a preconfigured Auvik alert for when a significant percentage of a switch port’s traffic is broadcast as opposed to unicast or multicast. You can lower this threshold in sensitive or troubleshooting scenarios to be more proactive and in the know.

Use the troubleshooting view to see if a broadcast storm may have caused any other events within the same timeframe, such as a spike in CPU on the host or an adjacent switch. Navigate to a device or interface dashboard and look at the Device Packets or Interface Packets to get an idea of the ratio between broadcast, multicast, and unicast packets.

Ideas for reducing broadcast storms

• Storm control and equivalent protocols allow you to rate-limit broadcast packets. If your switch has such a mechanism, turn it on.
• Ensure IP-directed broadcasts are disabled on your Layer 3 devices. There’s little to no reason why you’d want broadcast packets coming in from the Internet destined to a private address space. If a storm is originating from the WAN, this will shut it down.
• Split up your broadcast domain. Creating a new VLAN and migrating hosts into it will load and balance the broadcast traffic to a more acceptable level. Broadcast traffic is necessary and useful, but too much of it will eventually lead to a poor network experience.
• Identify duplicate IPs

A duplicate IP address is one associated with more than one MAC address. When this occurs, an ARP lookup returns multiple MACs and this can cause problems. For example, if a desktop has two ARP entries for an IP address that’s supposed to be for a printer, the packet may not reach the intended printer.

How to identify duplicate IPs with Auvik

Auvik amalgamates the ARP tables of each device and presents them in a global, searchable grid. You can also retrieve the ARP table for a specific device. Auvik’s Network Evidence tab also allows you to view the Layer 2 and 3 information that one device has about another.

Here are two things to look for in Auvik to help identify duplicate IPs:

• When you search for a specific IP address within Inventory > All Devices or on the map, multiple devices are returned.
• You see duplicate IPs in the global ARP table for the Layer 3 device (firewall, router, or Layer 3 switch) that routes traffic to and from the subnet on which you’re investigating (Debug > ARP / FDB)
• Solve the dreaded ‘My network is slow!”

This is probably the most loaded complaint you can hear from a network user. There are so many potential root causes for a user experiencing network slow-downs. But typically, we find MSPs eventually pinpoint the root cause to one of three things:

• The Internet connection is flaky and intervention from the ISP is required.
• The client’s users are maxing out the Internet connection.
• There are lower-level network issues, such as broadcast storms and duplicate IPs.

How to solve ‘My network is slow’ with Auvik

A common complaint you’ll hear during an initial network assessment is. Using Auvik’s Internet Connection Check feature, you can automatically determine when a WAN link became unresponsive (stopped responding to pings), and have quantifiable metrics on round trip time (RTT) and packet loss to present to your client’s ISP.

You can find information on your discovered Internet Connections by heading over to Inventory > Services > Internet Connection Check.

Unfortunately, the majority of Internet connections out there today are asymmetric—their downlink speeds are much larger than the uplink. But the downlink depends greatly on the uplink for TCP or control-based protocols like DNS, which are fundamental for a good network experience.

Say an ISP has provisioned an office link for 50Mbps down and 10Mbps up. It’s pretty easy for a group of users to max out that upload link by uploading a large file or through HD video conferencing.

Auvik can show you an interface’s utilization for a given time period. Here’s an example from a Cisco ASA’s WAN interface.

In our example of the ISP’s link being a 50/10 Mbps connection, you can see we’re not maxing out our connection. If we are, there are two avenues you could take:

• Determine which user(s) and protocol(s) are taking up the most bandwidth. This is most elegantly done by collecting flow statistics at the network perimeter.
• If additional OpEx is available, upgrade the WAN link to reflect increased network usage.
• Find physical and logical loops

Loops can be found within networks at different layers. A Layer 2 loop can be caused by incorrectly configured trunk links between switches or a physical loopback link on the same switch (think of an Ethernet cable plugged into two ports on the same switch). This leads to broadcast and multicast storms that can take down your network.

A Layer 3 routing loop occurs when packets keep getting routed between two or more routers.

How to find loops in Auvik

Auvik does it for you. Auvik automatically alerts you to Layer 2 loops if you have spanning tree enabled on your core (MDF) and access (IDF) switches.

Auvik automatically alerts you on Layer 3 loops as well.

• Identify stale or incorrect configurations

When a network has changed hands or in a network with a lot of moving parts, it’s common to have stale configs. Many times when an admin comes across a line of code they suspect to be stale, they’ll leave it untouched, worried they’ll break something if they change it.

What’s more, due to user error or ignorance, devices may not be properly configured in the first place. As an admin, how can you safely remove stale configs for routes and port configurations and check for current misconfigurations?

How to identify configuration problems in Auvik

Since Auvik combs through the configurations of each of your devices, it automatically begins to determine whether applied configurations have corresponding entries on each segment of the network. There are a number of canned configuration-related alerts available.

For example, the VLAN with no interfaces alert is triggered when a defined VLAN isn’t associated with any interfaces. Chances are the VLAN was decommissioned but the definition wasn’t deleted.

Or consider a misconfiguration scenario: The previous network administrator had tried to set up a link between two switches. This would conventionally be configured as a trunk link. But on the downstream switch, the admin configured the port as type access. This would lead to the link operating incorrectly and being unable to establish two-way traffic.
Imagine walking into a new site and being able to figure that out in a few minutes just by turning Auvik on!

At Auvik, we strive to wow our partners. And we want our partners to be able to wow their customers. Assessment features like the ones we’ve just discussed set the stage for strong and mutually beneficial engagements with your customers.