The switch topology report


The runZero switch topology report allows you to view a graph of the switches and routers on your network, and see how they are interconnected. It will also show which assets are connected to each switch.

Note that the switch topology report requires a source of layer 2 topology information. This is typically obtained from SNMP, or by connecting runZero to an external information source that provides the information, such as Cisco Meraki.

Generating the switch topology report

Once you have obtained topology data, you can launch the switch topology report.

The initial view shows a graph of network switches, with the links between them shown as lines. Beneath each switch you can see a count of how many known assets were detected as having that switch as their upstream network connection.

You may also see a count of unmapped assets listed. These are assets inferred to exist by MAC addresses which were found in the topology data, but the MAC address isn’t known to belong to any scanned asset. Lists of unmapped MACs are also available in tabular form from the Unmapped MACs report.

At the bottom of the page you will see the total number of assets in the graph, and the total number of unmapped MACs.

The report will attempt to lay out the graph appropriately. You can drag nodes around to make it clearer.

Clicking on a node representing a switch will display a pop-up window with more information about it. This includes a link to view the asset details for the switch, and a link to view a list of the unmapped assets.

Double-clicking a node will expand it to show the individual assets connected to it. Clicking an asset will show a pop-up window with a link to view the asset details.

Filtering the switch topology report

The switch topology report is limited in the number of assets it can display. To focus on the set of assets you are interested in, you can use the filter box at the top of the report page. It accepts search strings in the standard runZero search language. For example, you could filter to a given subnet using a search string such as cidr:10.1.6.0/24.

There is also a drop-down to switch quickly between sites.

Additional buttons in the filter box allow you to collapse or expand all of the switch nodes at once.

The Export view button will render a PNG file of the graph as currently displayed, and download it.

Limitations of the switch topology report

The switch topology report may not always be entirely accurate because of limitations on the data runZero can gather.

In the case where there is SNMP data available, runZero will pull a snapshot of the SNMP data from each device when it is scanned, then use that to build topology. However, in many cases a single infrequent snapshot is not enough to show a complete picture in complicated environments, and links may end up missing. In addition, only recent SNMP data is used — if devices have not been scanned in the last 9 days, their SNMP topology data will not be used.

When there is no SNMP information, runZero will attempt to compute topology based on which switch claims to have seen the MAC, which may not always be the nearest access switch. Our algorithm looks for the port with the fewest shared MACs to find the best match, but that depends on the switch cache timeouts and how the switch was scanned, so there may be links shown that don’t exist as direct physical connections.
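The two rules above (prefer the port that learned a MAC alongside the fewest other MACs, and ignore SNMP snapshots older than 9 days) as an added example; this is illustrative code, not runZero's implementation, and the switch names, ports, MACs and dates are constructed.

```python
# Added example (not runZero code): place each MAC on its nearest access switch/port
# from per-switch forwarding tables (FDB), preferring the port that learned the MAC
# alongside the fewest other MACs, and ignoring SNMP snapshots older than 9 days.
# Switch names, ports, MACs and dates below are constructed for illustration.
from datetime import date, timedelta

MAX_SNAPSHOT_AGE = timedelta(days=9)  # stale SNMP topology data is not used

# switch -> snapshot date and port -> MACs learned on it.
# sw-core Gi1/0/1 is an uplink, so it sees every MAC that sits behind sw-access1.
FDB = {
    "sw-core": {"scanned": date(2024, 6, 10), "ports": {
        "Gi1/0/1": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"},
        "Gi1/0/2": {"aa:bb:cc:00:00:09"},
    }},
    "sw-access1": {"scanned": date(2024, 6, 9), "ports": {
        "Gi1/0/24": {"aa:bb:cc:00:00:09", "aa:bb:cc:00:00:10"},  # uplink to core
        "Gi1/0/5": {"aa:bb:cc:00:00:01"},
        "Gi1/0/6": {"aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"},   # two hosts, one port
    }},
    "sw-old": {"scanned": date(2024, 5, 1), "ports": {   # too old: must be ignored
        "Gi1/0/3": {"aa:bb:cc:00:00:01"},
    }},
}

def fresh_switches(fdb, today):
    """Yield (switch, ports) for switches scanned within MAX_SNAPSHOT_AGE."""
    for switch, data in fdb.items():
        if today - data["scanned"] <= MAX_SNAPSHOT_AGE:
            yield switch, data["ports"]

def find_upstream_port(mac, fdb, today):
    """Return (switch, port, other_macs_on_port) for the best match, or None.
    Ties keep the first switch seen; a tie is the ambiguity the page warns about."""
    best = None
    for switch, ports in fresh_switches(fdb, today):
        for port, macs in ports.items():
            if mac in macs and (best is None or len(macs) - 1 < best[2]):
                best = (switch, port, len(macs) - 1)
    return best

def map_assets(known_macs, fdb, today):
    """Map known MACs to their inferred upstream port and list MACs that appear
    in the FDB but belong to no known asset (the report's "unmapped MACs")."""
    seen = set()
    for _, ports in fresh_switches(fdb, today):
        for macs in ports.values():
            seen |= macs
    mapped = {mac: find_upstream_port(mac, fdb, today) for mac in known_macs}
    return mapped, sorted(seen - set(known_macs))
```

Running `map_assets(["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:09"], FDB, date(2024, 6, 12))` places the first MAC on sw-access1 Gi1/0/5 and the second on sw-core Gi1/0/2, and reports the three remaining MACs as unmapped.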

Cisco Catalyst devices

SNMPv3 on Cisco Catalyst devices will not let you pull the bridge port information that we need unless you specifically enable per-VLAN access.

SNMP v3 access to VLAN ARP/FDB tables requires this access rule:

Version      Command
Newer IOS    snmp-server group YourGroupName v3 auth context vlan- match prefix
Older IOS    snmp-server group YourGroupName v3 auth context vlan-1 (repeated for every VLAN)

Note that even after this is done, runZero will need to send a separate SNMP request for every VLAN. This can significantly slow down scans with SNMP enabled on a network with many Catalyst devices.
