I am always looking for good ideas, so I'm curious to hear how everyone documents wiring closets in their organization. Here are my steps:

1. I build a spreadsheet with the following columns: Patch Panel ID; Switchport Int; Mac Address (of device attached); description.

2. I input Mac Address associated with each switchport (we'll assume the closet has only a single 24 port 2960). I do this by issuing the "show mac-address-table dynamic interface f0/x" command.

3. Next step is to add the item description: I can do that in at least 2 ways:
A. Use Angry IP to map DNS name to Mac-Address. This method has not been 100% accurate. Our Windows DNS servers don't release their stale records fast enough.
B. The more reliable way for me, in our organization, is to use Altiris Deployment to match Mac Address to device ID.

4. Once I have a valid description, I trace the cable from the Switchport to the Patch Panel. I add the panel ID to the spreadsheet in addition to writing down the room number on the panel (most of our wiring closets are unlabeled).

5. Next step (if applicable), pull all the cables out (this must be done at night) and place phones, printers, cameras, access points in first ports. Then the clients. I use green patch cables for phones, yellow for printers, and red for cameras/access/points/servers, or other non-standard nodes. Blue patch cables are used for PCs.

Documentation really depends on a few things:

1. How much are you responsible for fixing? If you're only on the hook for the network equipment and not the end devices using that equipment then it might not be useful to spend the time mapping out what is plugged into each switch port.

2. How big is the network you're managing? A really large campus network with 50 or so IDF's and hundreds of switches would make documenting every single thing quite a daunting task. On the other hand, a small network with 5 or so IDF's and 10 switches would be much easier to do.

3. Do end-devices move around? If you're talking about company-issued laptops moving from area to area then documenting what is connected to each switch port would be a waste of time since that would change over time. The only thing you could really document would be the hard-wired stuff (printers, etc.) that don't move.

4. Using DHCP on your network? Then documenting MAC to IP address tables also might not be a good use of time since that will change over time (depdending lease times, etc.).

To map a MAC address to an IP address I use the following procedure:

- Log into the switch and grab the MAC off the switch port.
- Log into the router for that subnet/VLAN and check the arp table to get the IP associated to that MAC address (use the show arp | inc <mac-address> command).

For the MAC address you'll often have to change the style around from switch to router. The switch might give the MAC in the format xx-xx-xx-xx-xx while the router has it in xxxx.xxxx.xxxx.

I use CatOS/IOS at work so have to make changes as needed here and there.

A good idea is to use a label-maker to label each end of a cable along the path. This will help in tracing out/troubleshooting. One downside is you have to keep the labels up-to-date and accurate. Once you allow the labeling to slack-off you really can't rely on them anymore.

Dave

Hi Dave,

Thanks for taking the time to write. It's nice to get questions like this.

1. I work for a smaller public school system in the US. Small school systems are typically understaffed to the point that responisibilities are sometimes blurred. I'm sure that is the same in many small organizations. I am not directly responsible for the computers, but I am generally responsible for the 130 IP phones and 70+ IP cameras in our 5 school system.

We have two technicians who service the computers; I am responsible for managing them. There was a lot of moving at the beginning of this year. That resulted in lots of lost man hours as the techs dug through our fairly disorganized closets. I think its worth it to me.

2. We have a little less than 20 IDFs. Most are just 1-2 switches, but the 4506 at our high school campus will be a task.

3. End devices rarely move. When they do move, they are moved by our organziation. Laptops moving around our organization will not be a problem since they are wireless. Also, we don't like for teachers to take "their" computer with them when they move from room 605 to room 607. Documenting the network will allow me to more easily apply the mac-address sticky command on all switchports connected to PCs.

4. We do use DHCP. Mapping IP address to Mac Address is merely needed for my initial discovery process.

I think my biggest obstable will be the computer techs themselves. They don't see the need for documentation, so they may move stuff around in the IDFs without any consideration for my organization. I could simply administratively shutdown all unused ports. I understand that is a common security practice anyway.

Thanks,

Something else on my mind:

I currently have all our IP cameras documented. This makes correcting errors very easy. Before I became a network guy, I used to watch our outsourced vendor come in and hunt down individual cameras every time they were onsite. They never stopped to really document the place. Documenting the cameras was one of the first things I did when I started learing my way through the IOS.

Long term, I want to become a network consultant myself (there's no real money to be made in school systems). I think network documentation is something that many IT departments in schools really lack. Most school systems are always in reactive mode. They start figuring out how their network works only when there is a problem. I know that is how I/we operated for years. It's not that they are necessarily lazy; its just they have so many things to do that they cannot do any one thing well. One day I want to go into organizations and help them to get organzied and adopt the practices that I have worked through in my own network.

With that in mind, its definately worth it to me to document my own network. It will give me practice!

Quoted for truth!

And it's not just schools. Our company makes a pretty hefty chunk of change every year with govt contracts and such... yet we have no network guy, and our network documentation was terrible! The last VoIP/Network guy we had was "working on his CCNA". Yeah, he didn't last long. Man I wish I could take his pay since I'm doing his job!

An outstanding idea, IMO. An open, un-used switch port is an open path into your network. If you have CDP going on an access port then someone could plug a laptop in and not even get on the network to find out what type of switch you have, the IP address of that switch, and what version IOS you're using (which means they could try to find known bugs to exploit).

It's my opinion that an un-used switch port should be placed into an un-routed/un-trunked VLAN (not VLAN1 and not a VLAN that is actually trunked off the switch) and CDP should be off on all non-trunk or non-uplink ports. And of course they should be disabled as well.

I like to use VLAN1000 as my Unused_Ports VLAN.

Another good step for helping keep your network secure is looking into using port security. If a device is always going to be plugged into a certain port there is little chance (or need) for the MAC address to change. Set it up so if someone comes along and plugs their home laptop in to get on the Internet the port is disabled and an SNMP trap sent to your network monitoring system.

Like most things people tend to not think about network security until they're having to explain to the public why such-and-such information was compromised.

You're very correct in that documentation is something severely lacking in many network organizations. I've often thought about how fun it would be to start up some sort of consulting business on the side where I'd go in and document an organizations network (Visio's mostly). I've done it before during my internship with a network company while I was finishing up my associate's degree. Fun stuff.

It sounds like you do have a great reason to document in detail the network. Start with the "simple" stuff. Using Visio draw the network out. No need for great detail at first. I generally stop at the access switches. Things like IP phones, wireless AP's, etc. I would go into more detail on other maps. The overview map should, IMO, just show the overall core/distribution/access equipment.

With Visio you can have tabs or even use the overlays. Get a good overview map and then slowly add to it. Plenty of possibilities. To me this is one of the fun parts of networking.

Dave