dissolved
asked on
Finding IP through MAC table in switch?
Need to track down a duplicate IP address conflict here at work. Someone statically assigned their PC, the same IP as my boss (as some of you recall in my previous post). The problem is, the guy only turns his PC on certain times. So I'm never able to catch him. I'm using look@lan to monitor events, but I'm not always at my desk.
Now, I have access to the switch.
How do I check for duplicate macs in the switch? (is there a way). I need to find out who it is.
Also, what do I do from there to further track him down?
Thanks
Now, I have access to the switch.
How do I check for duplicate macs in the switch? (is there a way). I need to find out who it is.
Also, what do I do from there to further track him down?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Or you can invest in CiscoWorks and use their User Tracking feature.
ASKER
thanks lrmoore for the link.
thanks netspec01 for the info
Netspec01, I noticed you said:
-"If you know which closet the workstation is connected to, telnet to the closet switch and get to the enable mode."
-"switch# show mac-address-table address xxxx.xxxx.xxxx Execute the above command with the mac address found in step one. The output of the above command will display to which port the workstation is connected."
We have 3 catalyst 2980G's all interconnected via fiber. Should all of their ARP tables be the same since they are interconnected?
Thanks
thanks netspec01 for the info
Netspec01, I noticed you said:
-"If you know which closet the workstation is connected to, telnet to the closet switch and get to the enable mode."
-"switch# show mac-address-table address xxxx.xxxx.xxxx Execute the above command with the mac address found in step one. The output of the above command will display to which port the workstation is connected."
We have 3 catalyst 2980G's all interconnected via fiber. Should all of their ARP tables be the same since they are interconnected?
Thanks
As long as they are Layer 2 switches I think you'll be able to see all of the mac addresses.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So you're saying, I can find the culprit's physical location (on the switch), by viewing the MAC table of each switch. The switch that says "that MAC address is on this Ethernet port" will be the switch the culprit is located at.
Here's a stupid question. Why does a router have a MAC table? I know the purpose behind MAC tables etc... Sorry, brainfart right now
Also,what should I look for once I'm in the router to find the culprit
Thanks
Here's a stupid question. Why does a router have a MAC table? I know the purpose behind MAC tables etc... Sorry, brainfart right now
Also,what should I look for once I'm in the router to find the culprit
Thanks
>Why does a router have a MAC table?
It's an ARP table with the MAC address to IP address mapping.
The switch table holds the MAC to switchport mapping, but not the IP address
To put it all together I have not found anything easier or quicker than the Solarwinds switchport mapper..
It's an ARP table with the MAC address to IP address mapping.
The switch table holds the MAC to switchport mapping, but not the IP address
To put it all together I have not found anything easier or quicker than the Solarwinds switchport mapper..
Hey All,
The ever fun game of tracking down a server port location..
Here is a quick dump for speedy f|indings
if you know the IP and need to find the location.
ping IP makes sure there is arp cache and mac-address / cam entries
router> sh arp | include xxx.xxx.xxx.xxx
outputs the mac address in xxxx.xxxx.xxxx
access coreswitch
switch> sh mac-address-table | include last4ofthemac
out put will be the the ports that match the last
from there you should have your ports labeled to know if the port the mac address is associated with is the end point or if it is another switch. if it is another switch and you dont know which one you can do a show cdp neighbors port to find out which switch is the next layer 2 hop.
Thanks for the info on switch port mapper i will have to check it out soon.
Dan
The ever fun game of tracking down a server port location..
Here is a quick dump for speedy f|indings
if you know the IP and need to find the location.
ping IP makes sure there is arp cache and mac-address / cam entries
router> sh arp | include xxx.xxx.xxx.xxx
outputs the mac address in xxxx.xxxx.xxxx
access coreswitch
switch> sh mac-address-table | include last4ofthemac
out put will be the the ports that match the last
from there you should have your ports labeled to know if the port the mac address is associated with is the end point or if it is another switch. if it is another switch and you dont know which one you can do a show cdp neighbors port to find out which switch is the next layer 2 hop.
Thanks for the info on switch port mapper i will have to check it out soon.
Dan
PennGwyn is correct in saying that routers/L3 switches have ARP tables (IP address to mac address mappings). Layer 2 switches have an ARP table for the management interface.
Switches have mac address tables since they have to collect and maintain all layer 2 addresses that hit any port to build their "bridging" tables.
If switches are configured to use the native VLAN (VLAN 1) for management and user traffic, is there an ARP entry for all L3 devices traversing the switch? I can't test this out at the moment since our management VLAN is VLAN 10.
Switches have mac address tables since they have to collect and maintain all layer 2 addresses that hit any port to build their "bridging" tables.
If switches are configured to use the native VLAN (VLAN 1) for management and user traffic, is there an ARP entry for all L3 devices traversing the switch? I can't test this out at the moment since our management VLAN is VLAN 10.
Of course, any L3 switch is the best of both because it holds both the MAC address/port table as well as the MAC-IP address ARP cache....