
Discover Connected Devices with Splunk

Written by IPTel Solutions | 1 March 2026 3:28:49 AM

Splunk helps businesses turn raw data into usable insights. In this case study we have used Splunk to help a major customer to quickly identify devices connected to the network. A simple but elegant dashboard makes that data easy to understand and use.

As a quick intro, in case you're not familiar with Splunk: it is a tool that ingests logs and other machine data, lets you correlate across more than one source, and runs queries over the combined data.

Think of it as a SIEM. Splunk offers much more than that, but it's a good starting point for envisaging what it can do.


The Connected Device Audit Problem

Many businesses need to keep track of the devices connected to their networks. With many mobile devices (connected on Wi-Fi) that move around a lot, and with users able to plug a device into any wall outlet, the answer to what is connected can change daily.

This audit needs to be dynamic: we need to poll the network and correlate what's connected from various sources of information.

Here’s where Splunk can help.


Splunk Information Sources

Determining what devices are connected to your network is never quite as easy as it seems. There are many places you can pull data from:

  • DHCP records: What devices have requested an IP Address
  • Cisco Catalyst Center: If managing switching and wireless controllers, you can use Catalyst Center to export connected client details
  • Switch Polling: Direct polling of the switch can show what’s connected – and using Cisco CDP you may be able to see what’s at the far end of any links
  • Log Files: Log files produced by a range of network devices can be used to help determine when clients have connected or disconnected

Splunk can use all these information sources; once they are ingested, we can run queries. Those queries can be made accessible through dashboards or ITSI Glass Table views.


The Cisco Catalyst Center API

One of the most valuable sources of information for us in working out what’s connected is via Cisco Catalyst Center.

In the screenshot below, we can see the data we have available via the API – and the ability for us to search this data.

Since we’re connected to the API, this is live data – anything new gets plugged in and we can find it with a simple search for recently connected devices:


What if you don’t have API Access?

Although a lot less elegant, if no API access is available for ingesting live data, we can make use of data uploaded into Splunk.

This could be via a periodic export from an end system and import into Splunk.

In the example below, we are ingesting a sample export from Catalyst Center: you can see all the options for the Events that we might want to filter on, so we can be quite granular in our search for those connected devices:


How does Splunk Interconnect?

We need to pull data from our sources and connect these into Splunk. Once our data is ingested, we can run our queries, but how do we get that data into Splunk in the first place?

To solve this problem we install a Splunk Forwarder. This is connected to our instance of Splunk, and we then point the end devices at it. This may be devices sending SNMP traps, NetFlow, log files and so on – or data pulled via an API.

The Forwarder then does the magic of connecting this inbound data to Splunk for us. A flexible and elegant solution.
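A minimal forwarder configuration for the interconnect just described, added here as an example and not taken from the IPTel post or the customer deployment. Host names, ports, file paths, index and sourcetype names are all assumptions to be replaced with your own.

```ini
# Added example, not from the post: Universal Forwarder configuration that
# collects the sources listed earlier and ships them to the Splunk indexers.
# All host names, ports, paths, index and sourcetype names are assumptions.

# --- outputs.conf: where the forwarder sends everything it collects ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-idx01.example.internal:9997, splunk-idx02.example.internal:9997
# Wait for the indexer to acknowledge each block so nothing is lost on restart
useACK = true

# --- inputs.conf: what the forwarder collects ---
# Syslog from switches and wireless controllers, sent to the forwarder on UDP 514
[udp://514]
sourcetype = cisco:ios
index = network
# Record the sending device by reverse DNS name rather than raw IP
connection_host = dns

# Periodic Catalyst Center client export dropped into a watched directory
# (the "no API access" case): each new CSV file is indexed as it arrives
[monitor:///opt/exports/catalyst_center/*.csv]
sourcetype = cisco:catalyst_center:client
index = network
# Exports often start with identical header lines; salt the CRC with the
# file name so every new export is treated as a new file
crcSalt = <SOURCE>

# DHCP server lease log, for "which devices requested an IP address"
[monitor:///var/log/dhcpd.log]
sourcetype = isc:dhcp
index = network
```

Both files live under the forwarder's app or local directory; the sourcetype names chosen here are what later searches will filter on.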


Data Dashboard

In the lab image below, we can see an overview of the data.

This is an easy-to-use dashboard that has taken data from an API and displayed it in an accessible format.

The data can now be filtered – we’ve put in a filter to view all Apple devices and the data below shows the specific detail on those:


Splunk Next Steps

What are the next steps? Really that depends on what you want to extract from the data.

Adding some rules means we can extract data that meets those rules – this could be looking for suspicious devices for example:

  • Tell me all the devices that have been connected via wired, but change port frequently
  • Show me all the Wi-Fi devices that move between sites
  • Examine if the same MAC address appears at the same time on two different switches
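The three rules above, written as scheduled alerts in a savedsearches.conf fragment. This is an added example rather than the post's own configuration; the index, sourcetype and field names (mac_address, connection_type, switch_name, port, site) and the thresholds are assumptions to adjust to your data.

```ini
# Added example (not from the post): the three "suspicious device" rules as
# scheduled alerts. Assumed fields: mac_address, connection_type (wired|wireless),
# switch_name, port, site in index=network, sourcetype cisco:catalyst_center:client.

[Wired client changing switch port frequently]
# A wired client normally stays on one port; 3+ distinct ports in a day is unusual.
search = index=network sourcetype="cisco:catalyst_center:client" connection_type=wired \
  | bin _time span=1d \
  | stats dc(port) AS distinct_ports values(port) AS ports BY _time mac_address \
  | where distinct_ports >= 3
dispatch.earliest_time = -24h
cron_schedule = 0 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 3

[Wi-Fi client seen at more than one site]
# Expected for travelling laptops; worth reviewing for printers, IoT and similar.
search = index=network sourcetype="cisco:catalyst_center:client" connection_type=wireless \
  | stats dc(site) AS site_count values(site) AS sites \
      earliest(_time) AS first_seen latest(_time) AS last_seen BY mac_address \
  | where site_count > 1 \
  | convert ctime(first_seen) ctime(last_seen)
dispatch.earliest_time = -7d
cron_schedule = 0 6 * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 2

[Same MAC on two switches at the same time]
# One MAC on two switches inside a 5-minute bucket: duplicate or spoofed MAC, or stale data.
search = index=network sourcetype="cisco:catalyst_center:client" connection_type=wired \
  | bin _time span=5m \
  | stats dc(switch_name) AS switch_count values(switch_name) AS switches BY _time mac_address \
  | where switch_count > 1
dispatch.earliest_time = -1h
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
```

Each stanza fires when the search returns more than zero results; the same searches can be pasted into the dashboard panels described earlier to show current hits rather than alert on them.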

As for the visuals, Splunk has Dashboard Studio for generating ITSI Glass Tables such as the one shown below. This lets us overlay our live data onto maps and other images, which makes it a really visually appealing option:

Image Courtesy of Splunk


How Splunk Helps Businesses Discover Connected Devices: Summary

Thanks for taking the time to read our case study on how we have used Splunk to help a key customer visualise what’s connected to their network in real time.

This real-world use case shows a range of Splunk capabilities, but also how Splunk integrates with the business outcomes many companies have to deliver.

A key takeaway from this blog is that once we have the connections in place and are ingesting data, we can start to add more sources of data and make more correlations. There are multiple teams that could end up using the data and enriching that data makes it more useful.

If you’d like to chat over all things Splunk, or have any Splunk projects we could help you with, drop us a line at sales@iptel.com.au
