Rogue computer on network (again)

Ok, I have the MAC address of a rogue computer on the network. I went into my switch to find its physical location. This is what it said:


2980_21:       sh cam 00-0F-1F-16-D2-3A
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-0f-1f-16-d2-3a             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
dhsscat2980_21


What does the 3/33 mean and how can I find the physical location of this port on my switch? (We have 3 switches here)
Thanks

Asked by: dissolved
Jimmmbo Commented:
Hi

What switch hardware are you using? Is the switch modular? In that case it means port 33 in slot 3. Or are you using a stacked switch? Then it is port 33 in switch 3.

Regards Jimmy


dissolved (Author) Commented:
Sorry for the dumb question. But what is a modular switch and what is a stacked switch? We have l 2 switches for every floor. They are 2980g or 2948 switches. I'm not sure which one he is plugged into... (I'm a newb)
Thanks
Dr-IP Commented:
What I would do is a "show cdp neighbors" to make sure that that port isn't connected to another Cisco switch, or router, and if nothing showed up on the list as being connected to that port, I'd shut it down and wait for the inevitable call to come about the network being down in someone's office.
dissolved (Author) Commented:
Switch 1 (1st floor)
-1st floor users plug into this switch

Switch  2 (2nd floor)
-2nd floor users plug into this switch

Switch  3 (3rd floor)
-3rd floor users plug into this switch

Core switch (basement)

Switch 1, 2, and 3 are all connected to the core switch (via fiber).  
The rogue PC is plugged into one of the switches. Which, I don't know.


I did a sh cdp neighbors and it showed:
dhsscat2980_21 sh cdp neighbors
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port     Device-ID                       Port-ID                   Platform
-------- ------------------------------- ------------------------- ------------
 3/33    JAB0508074P(DPHCAT4000)         3/1                       WS-C4006
dhsscat2980_21


and when I do a sh cam  rogue_mac_address

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-0f-1f-16-d2-3a             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
dhsscat2980_21




Why is it showing them on the same port?
Dr-IP Commented:
This is how you trace it through multiple switches.

<starting switch>

6509> (enable) sh cam 00-E0-18-05-A9-9E
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
1     00-e0-18-05-a9-9e             5/7 [ALL]
Total Matching CAM Entries Displayed = 1

<now I know it's on this port so I will check to see if it's connected to another switch>

6509> (enable) sh cdp neighbors 5/7 detail
Port (Our Port): 5/7
Device-ID: office
Device Addresses:
  IP Address: 10.10.2.249
Holdtime: 174 sec
Capabilities: TRANSPARENT_BRIDGE SWITCH
Version:
  Cisco Internetwork Operating System Software
  IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE
INTERIM SOFTWARE
  Copyright (c) 1986-1999 by cisco Systems, Inc.
  Compiled Fri 10-Dec-99 11:16 by cchang
Platform: cisco WS-C3548-XL
Port-ID (Port on Neighbors's Device): GigabitEthernet0/2
VTP Management Domain: Terra
Native VLAN: unknown
Duplex: full

<now you have the IP address of the next switch to check>

Just keep following this procedure until you get to the switch where there isn’t another switch on the end of the port and you have found them.
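
One hop of the trace discussed in this thread, as an added example that is not part of the original posts: it parses `sh cam` and `sh cdp neighbors` output and reports whether the MAC sits on an edge port or behind an uplink to another switch. The sample output is copied from the thread; the function names are hypothetical helpers, not Cisco tooling.

```python
import re

# Added example; helper names are hypothetical, not Cisco tooling.
# Constructed sample input: CatOS output as posted in this thread.
CAM_OUTPUT = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-0f-1f-16-d2-3a             3/33 [ALL]
Total Matching CAM Entries Displayed = 1
"""
CDP_OUTPUT = """\
Port     Device-ID                       Port-ID                   Platform
-------- ------------------------------- ------------------------- ------------
 3/33    JAB0508074P(DPHCAT4000)         3/1                       WS-C4006
"""

CAM_ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\d+/\d+)", re.I | re.M)
CDP_ROW = re.compile(r"^\s*(\d+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.M)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def cam_port(cam_output, mac):
    """Return (vlan, port) where the switch learned `mac`, or None."""
    want = normalize_mac(mac)
    for vlan, found, port in CAM_ROW.findall(cam_output):
        if normalize_mac(found) == want:
            return int(vlan), port
    return None

def cdp_neighbors(cdp_output):
    """Map local port -> (device_id, remote_port, platform)."""
    return {p: (dev, rport, plat) for p, dev, rport, plat in CDP_ROW.findall(cdp_output)}

def next_step(cam_output, cdp_output, mac):
    """One hop of the trace: edge port, or the neighbor switch to query next."""
    hit = cam_port(cam_output, mac)
    if hit is None:
        return ("not-found", None)
    _vlan, port = hit
    neighbor = cdp_neighbors(cdp_output).get(port)
    if neighbor is None:
        return ("edge-port", port)    # no switch behind this port: host is here
    return ("uplink", neighbor[0])    # repeat `sh cam` on this neighbor
```

With the thread's own output, port 3/33 resolves to an uplink toward the Catalyst 4000, which is why the CAM entry and the CDP neighbor appear on the same port.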
dissolved (Author) Commented:
Finally it makes sense. What was happening is that I kept tracing the MAC back to the core switch. I would stop there. But I decided to go into the core switch and did the sh cam rogue_mac. It directed me to the ACTUAL switch the user was on.

I then telnetted to the actual switch and did a sh cam and it worked.

 I was running around in circles for hours.  Ironically, the rogue computer went offline 10 minutes before I figured out (with your help) to do all of this stuff. :sigh:

Thanks a lot though!  I'm definitely going to get them next time. Set an SNMP trap :)
Thanks!
Dr-IP Commented:
Now you know what port they are on, you should be able to trace it down to the physical location that they are connecting to the network at. Hopefully your wiring is documented, or else you will have to physically trace the wire coming from that port to the jack, which in a large building can be a real hassle, but once you find that out, when they reappear, you can be standing behind them so fast they won’t have a clue as to how you found them so quickly. By the way, when you have a core switch, it’s the best place to start tracing someone down since everything is connected there.