Finding IP through MAC table in switch?

Need to track down a duplicate IP address conflict here at work. Someone statically assigned their PC the same IP as my boss (as some of you recall in my previous post). The problem is, the guy only turns his PC on at certain times. So I'm never able to catch him. I'm using look@lan to monitor events, but I'm not always at my desk.

Now, I have access to the switch.
How do I check for duplicate MACs in the switch? (Is there a way?) I need to find out who it is.


Also, what do I do from there to further track him down?

Thanks
0
dissolved
Asked:
3 Solutions
 
netspec01Commented:
1.      switch# show ip arp 172.25.1.2 – This command gives the mac address of the machine whose IP address is 172.25.1.2

2.      Copy the mac address from the output of the above command.

3.      If you know which closet the workstation is connected to, telnet to the closet switch and get to the enable mode.

4.      switch# show mac-address-table address xxxx.xxxx.xxxx  Execute the above command with the mac address found in step one.  The output of the above command will display to which port the workstation is connected.

5.      If you know the mac address of the machine you can directly telnet to the closet switch and execute the command in Step four.
0
 
lrmooreCommented:
Try using the switchport mapper from SolarWinds (free 30-day eval), you'll love it. http://www.solarwinds.net
You enter the switch IP, SNMP community, and the router's IP and SNMP community. The application queries the switch for the MAC-address table, compares that to the ARP table in the router, does nslookup/WINS lookup and voilà, an Excel spreadsheet of all MAC-address, switchport, IP address, system name map. Once you have it all mapped out, you know exactly where NOT to have to look, and that narrows the search considerably.

Else, you can use Kiwi's CatTools that has a MAC address table builder
  http://www.kiwitools.com
0
 
netspec01Commented:
Or you can invest in CiscoWorks and use their User Tracking feature.
0
 
dissolvedAuthor Commented:
thanks lrmoore for the link.
thanks netspec01 for the info

Netspec01, I noticed you said:

-"If you know which closet the workstation is connected to, telnet to the closet switch and get to the enable mode."
 
-"switch# show mac-address-table address xxxx.xxxx.xxxx  Execute the above command with the mac address found in step one.  The output of the above command will display to which port the workstation is connected."


We have 3 catalyst 2980G's all interconnected via fiber. Should all of their ARP tables be the same since they are interconnected?
Thanks
0
 
netspec01Commented:
As long as they are Layer 2 switches I think you'll be able to see all of the mac addresses.
0
 
PennGwynCommented:
> We have 3 catalyst 2980G's all interconnected via fiber. Should all of their ARP tables be the same since they are
> interconnected?

The ARP table you want is probably at a router, not a switch.  The switch ARP tables are only going to list machines connecting to the switch management interface, and if your culprit shows up there, you've got bigger problems.

Each switch will have its own MAC table, and the culprit will probably show up in all three.  But on two of them, the entry will say "that MAC address is reached via this fiber port", and only on one will it say "that MAC address is on this Ethernet port".

I think the 2980G's probably support MAC-based VLANs.  When I need to lock out a user who I suspect will just try to move to another port (I work in a college, and this happens all the time), I add their MAC address to a MAC-based VLAN that doesn't connect to anything.  So I can find the port they're on by VLAN, and it doesn't matter if they move.  Eventually they call the Call Center to find out why they can't connect....



0
 
dissolvedAuthor Commented:
So you're saying, I can find the culprit's physical location (on the switch), by viewing the MAC table of each switch.  The switch that says "that MAC address is on this Ethernet port" will be the switch the culprit is located at.

Here's a stupid question.  Why does a router have a MAC table?  I know the purpose behind MAC tables etc...  Sorry, brainfart right now

Also, what should I look for once I'm in the router to find the culprit?
Thanks

0
 
lrmooreCommented:
>Why does a router have a MAC table?
It's an ARP table with the MAC address to IP address mapping.
The switch table holds the MAC to switchport mapping, but not the IP address
To put it all together I have not found anything easier or quicker than the SolarWinds switchport mapper.
0
 
peteysaCommented:
Hey All,

The ever fun game of tracking down a server port location..

Here is a quick dump for speedy findings

if you know the IP and need to find the location.
ping IP  makes sure there is arp cache and mac-address / cam entries


router>  sh arp | include xxx.xxx.xxx.xxx
outputs the mac address in xxxx.xxxx.xxxx
access coreswitch
switch>  sh mac-address-table | include last4ofthemac
Output will be the ports that match the last
From there you should have your ports labeled to know if the port the MAC address is associated with is the end point or if it is another switch.  If it is another switch and you don't know which one, you can do a show cdp neighbors port to find out which switch is the next layer 2 hop.

Thanks for the info on switch port mapper, I will have to check it out soon.

Dan
0
 
netspec01Commented:
PennGwyn is correct in saying that routers/L3 switches have ARP tables (IP address to mac address mappings).  Layer 2 switches have an ARP table for the management interface.

Switches have mac address tables since they have to collect and maintain all layer 2 addresses that hit any port to build their "bridging" tables.  

If switches are configured to use the native VLAN (VLAN 1) for management and user traffic, is there an ARP entry for all L3 devices traversing the switch?  I can't test this out at the moment since our management VLAN is VLAN 10.


0
 
lrmooreCommented:
Of course, any L3 switch is the best of both because it holds both the MAC address/port table as well as the MAC-IP address ARP cache....
0
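The lookup chain described across this thread (router ARP table for IP to MAC, then each switch's MAC table, with inter-switch ports treated as transit rather than the host's location), as an added Python example that is not code from any poster. The captured output, switch names, uplink port lists and function names are constructed assumptions in IOS-style layout.

```python
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# Constructed sample data in IOS-style layout; none of it comes from the thread.
ARP = """Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  172.25.1.1          -  0000.0c11.1111  ARPA  Vlan1
Internet  172.25.1.2          3  0011.2233.4455  ARPA  Vlan1"""
HEADER = "Vlan    Mac Address       Type        Ports\n"
TABLES = {  # one "show mac-address-table" capture per switch
    "sw1": HEADER + "   1    0011.2233.4455    DYNAMIC     Gi0/2\n",
    "sw2": HEADER + "   1    0011.2233.4455    DYNAMIC     Gi0/1\n"
                    "   1    00aa.bbcc.ddee    DYNAMIC     Fa0/3\n",
    "sw3": HEADER + "   1    0011.2233.4455    DYNAMIC     Fa0/14\n",
}
UPLINKS = {"sw1": {"Gi0/1", "Gi0/2"}, "sw2": {"Gi0/1"}, "sw3": {"Gi0/1"}}  # assumed fiber ports

def mac_for_ip(arp_text, ip):
    """Return the MAC the router currently maps to `ip`, or None if no entry."""
    for line in arp_text.splitlines():
        m = re.match(rf"Internet\s+(\S+)\s+\S+\s+({MAC})\s", line, re.I)
        if m and m.group(1) == ip:
            return m.group(2).lower()
    return None

def ports_for_mac(table_text, mac):
    """Return the ports on which one switch has learned `mac`."""
    ports = []
    for line in table_text.splitlines():
        m = re.match(rf"\s*\d+\s+({MAC})\s+\S+\s+(\S+)", line, re.I)
        if m and m.group(1).lower() == mac:
            ports.append(m.group(2))
    return ports

def locate(mac, tables, uplinks):
    """Split sightings into edge ports (the host's port) and uplink (transit) ports."""
    edge, transit = [], []
    for switch, text in tables.items():
        for port in ports_for_mac(text, mac):
            (transit if port in uplinks.get(switch, set()) else edge).append((switch, port))
    return edge, transit

def find_conflict(ip, owner_mac, arp=ARP, tables=TABLES, uplinks=UPLINKS):
    """If a MAC other than the owner's answers for `ip`, report where it sits."""
    seen = mac_for_ip(arp, ip)
    if seen is None or seen == owner_mac.lower():
        return None
    edge, transit = locate(seen, tables, uplinks)
    return {"mac": seen, "edge": edge, "transit": transit}

if __name__ == "__main__":
    print(find_conflict("172.25.1.2", "00aa.bbcc.ddee"))
```

An empty `edge` list with a non-empty ARP hit means the MAC entry has aged out of the switches or the uplink list is wrong, so the captures need to be taken while the conflicting host is online.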
