Solved

Finding IP through MAC table in switch?

Posted on 2004-09-30
Last Modified: 2007-12-19
Need to track down a duplicate IP address conflict here at work. Someone statically assigned their PC the same IP as my boss (as some of you recall from my previous post). The problem is, the guy only turns his PC on at certain times, so I'm never able to catch him. I'm using look@lan to monitor events, but I'm not always at my desk.

Now, I have access to the switch.
How do I check for duplicate MACs in the switch? (Is there a way?) I need to find out who it is.


Also, what do I do from there to further track him down?

Thanks
Question by:dissolved
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 100 total points
ID: 12189255
1.      switch#show ip arp 172.25.1.2 – This command gives the mac address of the machine whose IP address is 172.25.1.2

2.      Copy the mac address from the output of the above command.

3.      If you know which closet the workstation is connected to, telnet to the closet switch and get to the enable mode.

4.      switch# show mac-address-table address xxxx.xxxx.xxxx  Execute the above command with the mac address found in step one.  The output of the above command will display to which port the workstation is connected.

5.      If you know the mac address of the machine you can directly telnet to the closet switch and execute the command in Step four.
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 300 total points
ID: 12189563
Try using the switchport mapper from SolarWinds (free 30-day eval), you'll love it. http://www.solarwinds.net
You enter the switch IP, SNMP community, and the router's IP and SNMP community. The application queries the switch for the MAC-address table, compares that to the ARP table in the router, does nslookup/WINS lookup and voilà, an Excel spreadsheet of all MAC address, switchport, IP address, system name mappings. Once you have it all mapped out, you know exactly where NOT to have to look, and that narrows the search considerably.

Else, you can use Kiwi's Cattools that has a mac address table builder
  http://www.kiwitools.com
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12189589
Or you can invest in CiscoWorks and use their User Tracking feature.
0
 

Author Comment

by:dissolved
ID: 12193291
thanks lrmoore for the link.
thanks netspec01 for the info

Netspec01, I noticed you said:

-"If you know which closet the workstation is connected to, telnet to the closet switch and get to the enable mode."
 
-"switch# show mac-address-table address xxxx.xxxx.xxxx  Execute the above command with the mac address found in step one.  The output of the above command will display to which port the workstation is connected."


We have 3 catalyst 2980G's all interconnected via fiber. Should all of their ARP tables be the same since they are interconnected?
Thanks
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12193800
As long as they are Layer 2 switches I think you'll be able to see all of the mac addresses.
0

 
LVL 11

Assisted Solution

by:PennGwyn
PennGwyn earned 100 total points
ID: 12195663
> We have 3 catalyst 2980G's all interconnected via fiber. Should all of their ARP tables be the same since they are
> interconnected?

The ARP table you want is probably at a router, not a switch.  The switch ARP tables are only going to list machines connecting to the switch management interface, and if your culprit shows up there, you've got bigger problems.

Each switch will have its own MAC table, and the culprit will probably show up in all three.  But on two of them, the entry will say "that MAC address is reached via this fiber port", and only on one will it say "that MAC address is on this Ethernet port".

I think the 2980G's probably support MAC-based VLANs.  When I need to lock out a user who I suspect will just try to move to another port (I work in a college, and this happens all the time), I add their MAC address to a MAC-based VLAN that doesn't connect to anything.  So I can find the port they're on by VLAN, and it doesn't matter if they move.  Eventually they call the Call Center to find out why they can't connect....



0
 

Author Comment

by:dissolved
ID: 12195709
So you're saying, I can find the culprit's physical location (on the switch), by viewing the MAC table of each switch.  The switch that says "that MAC address is on this Ethernet port" will be the switch the culprit is located at.

Here's a stupid question.  Why does a router have a MAC table?  I know the purpose behind MAC tables etc...  Sorry, brainfart right now

Also, what should I look for once I'm in the router to find the culprit?
Thanks

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12196662
>Why does a router have a MAC table?
It's an ARP table with the MAC address to IP address mapping.
The switch table holds the MAC to switchport mapping, but not the IP address
To put it all together I have not found anything easier or quicker than the Solarwinds switchport mapper..
0
 
LVL 2

Expert Comment

by:peteysa
ID: 12197544
Hey All,

The ever fun game of tracking down a server port location..

Here is a quick dump for speedy findings

if you know the IP and need to find the location.
ping IP  makes sure there is arp cache and mac-address / cam entries


router>  sh arp | include xxx.xxx.xxx.xxx
outputs the mac address in xxxx.xxxx.xxxx
access coreswitch
switch>  sh mac-address-table | include last4ofthemac
output will be the ports that match the last
From there you should have your ports labeled to know if the port the MAC address is associated with is the end point or if it is another switch.  If it is another switch and you don't know which one, you can do a show cdp neighbors port to find out which switch is the next layer 2 hop.

Thanks for the info on switch port mapper, I will have to check it out soon.

Dan
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12199673
PennGwyn is correct in saying that routers/L3 switches have ARP tables (IP address to mac address mappings).  Layer 2 switches have an ARP table for the management interface.

Switches have mac address tables since they have to collect and maintain all layer 2 addresses that hit any port to build their "bridging" tables.  

If switches are configured to use the native VLAN (VLAN 1) for management and user traffic, is there an ARP entry for all L3 devices traversing the switch?  I can't test this out at the moment since our management VLAN is VLAN 10.


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12200381
Of course, any L3 switch is the best of both because it holds both the MAC address/port table as well as the MAC-IP address ARP cache....
0
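
The correlation the answers above describe (router ARP table for IP to MAC, then each switch's MAC table for MAC to port, ignoring inter-switch uplinks) can be scripted as follows. This is an added example, not code from any poster in the thread; the sample command output is constructed and simplified, and the switch names, MAC addresses, port names and uplink list are assumptions.

```python
import re

# Constructed sample output (IOS-style, simplified); not captured from a real device.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.25.1.2              3   0011.2233.4455  ARPA   Vlan1
Internet  172.25.1.9             12   00aa.bbcc.dd01  ARPA   Vlan1
"""
SWITCH_MAC_TABLES = {  # one "show mac-address-table" capture per switch (hypothetical names)
    "sw1": "   1    0011.2233.4455    DYNAMIC     Gi0/1\n   1    00aa.bbcc.dd01    DYNAMIC     Fa0/3\n",
    "sw2": "   1    0011.2233.4455    DYNAMIC     Gi0/1\n",
    "sw3": "   1    0011.2233.4455    DYNAMIC     Fa0/17\n   1    00aa.bbcc.dd01    DYNAMIC     Gi0/2\n",
}
# Assumption: uplink (fiber) ports are known from port labels or "show cdp neighbors".
UPLINKS = {sw: {"Gi0/1", "Gi0/2"} for sw in SWITCH_MAC_TABLES}
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def arp_lookup(arp_output, ip):
    """Return the MAC the router currently maps to ip, or None."""
    for line in arp_output.splitlines():
        m = re.match(rf"Internet\s+(\S+)\s+\S+\s+({MAC_RE})\s", line, re.I)
        if m and m.group(1) == ip:
            return m.group(2).lower()
    return None

def mac_ports(table_output, mac):
    """Return the ports on which one switch has learned mac."""
    ports = []
    for line in table_output.splitlines():
        m = re.match(rf"\s*\d+\s+({MAC_RE})\s+\S+\s+(\S+)", line, re.I)
        if m and m.group(1).lower() == mac:
            ports.append(m.group(2))
    return ports

def locate(ip, expected_mac=None):
    """Map ip -> MAC -> (switch, edge port); flag a MAC that is not the known owner."""
    mac = arp_lookup(ROUTER_ARP, ip)
    if mac is None:
        return None  # no ARP entry: host is off or has not talked to the router
    edge = [(sw, p) for sw, out in SWITCH_MAC_TABLES.items()
            for p in mac_ports(out, mac) if p not in UPLINKS[sw]]
    conflict = expected_mac is not None and mac != expected_mac.lower()
    return {"mac": mac, "conflict": conflict, "edge_ports": edge}
```

Because the conflicting PC is only on intermittently, the captures need to be taken (or polled) while the unexpected MAC is present in the router's ARP table; an empty `edge_ports` list means the MAC has aged out of the switch tables.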
