  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559

Traffic Monitoring/Port Usage for Dell 6200 Switch

Hi,

I have a Dell 6200 switch that does most of my internal switch & routing needs.  I'm sure there must be some kind of traffic monitor in the thing, but I don't seem to find it.

I've got a machine on the network someplace that's spitting out some garbage (not errors, just junk, Pings, etc.), and short of disconnecting groups of ports at a time and seeing when the junk stops, how can I find out which port the guilty party is connected to?

The IP is in the DHCP range and is likely to be anywhere.  I'm just looking to find out which port has x.x.x.100 on it.  The NSLookup name is garbage.

Can this be done & how?

-g
1 Solution
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Not exactly sure whether the 6200 supports this, but:

- get the MAC address of the host in question ("arp -a")
- log in on the switch and issue the command "show bridge address-table" and look for the address.
- alternatively, it might be called "show mac-address-table"

Either command will list the port the MAC address was learned from.

OuttaCyTE (Author) commented:
Thanks for the reply.

I logged into my machine which is on the same network segment as the offender and did an arp -a on it. Nothing showed. Pinged the machine (it doesn't answer) and did the arp -a again. The entry was there. I looked in the Switching|Address Tables|Dynamic Address Table and found the MAC address 5 times - each one listed to a VLAN identifier (not a port address like the others in the table). I looked up the prefix and 00:1E:C9 is a Dell prefix. I thought it might be related to the VM as I have Dell servers. But no, they are different MAC addresses.

I then went back to my command line and noticed that the arp -a showed a total of 4 IP addresses all with the same MAC address.  x.x.x.5, .100, .103, & .107.  I did a ping on all of them thinking it would refresh the data.  Nope.  Even got another @ .7.

The .5 is my Dell 6200. The .7 is a VMWare host and this is disturbing because I went to the VMWare host and checked. That MAC address isn't on any of the four NICs in the machine. .107 is a Guest on that VMWare host and its Virtual NIC isn't that MAC either. .103 is a machine I know about and it's nowhere near the VMHost or servers. .100 is my strange unknown.

The only common point for all of them is the Dell 6200 switch.

I was under the impression that there should never be a duplicate MAC ever, especially on the same subnet.  Am I wrong?

Now I'm even more confuselled :) than originally!

-greg

Garry Glendown (Consulting and Network/Security Specialist) commented:
Is there a firewall in between? Or some other box doing proxy arp, like an access point? (though I don't know of any APs or firewalls produced by Dell)
A MAC address can show up multiple times on different VLANs, but normally (unless manually configured), only from the same device ... in most cases, it will be a firewall that does NAT, claiming to be the IP on the same subnet (as it has to, to make the NATed IP reachable in the same broadcast domain). Did you configure the switch for any Layer 3 features?
 
OuttaCyTE (Author) commented:
Garry,

I've determined it must be the Dell 6200 - I unplugged everything, one at a time, and except when I unplugged myself and couldn't see anything, the pings continued. Set of three, all in the same second, repeated every 3 to 5 seconds. Yes, we have layer 3 functionality enabled and in use on this switch; however, it's not NATting anything - just routing & ACL. It is running a DHCP relay to our server. No firewall or proxy or access points.

I have considered plugging in another machine on one of the Watchguard ports and watch the log from there and then unplug everything from the Dell except the connection to the Watchguard.  That's kinda a pain though so I haven't done it.

I'm wondering if the Dell has some sort of keep alive or connection checking going on that it might have picked up a DHCP address for and is using that?  It is pinging the inside address of our outward firewall.  The MAC display on the switch does show the MAC address associated with the vlans (all 5 of them) and not a specific port so it's the same device (the Dell 6200) and not anywhere else.  

If it had only been the Dell showing this MAC address I'd be cool with that (it is, after all, the same device).  My confusion came when I did the arp -a and got the same mac address associated with some machines internal to the network that have absolutely nothing to do with the Dell (except it being on the same subnet).  That is the .7, .103, .107 addresses mentioned earlier.  Why they showed the MAC address that I'm associating with the Dell 6200 I have no idea.  I have investigated each of them and they have their own MAC address so why did my arp -a show the Dell?

Humm, I wonder (thinking out loud here) if the Dell is saying "I know how to get to .7, .103, .107, so send them to me at this MAC address..." I've had an issue in the past where the Dell would grab "stuff" going to a machine that it thought it could reach but, in fact, could not. I wonder if this is a symptom of that except it can, actually, reach them... Any thoughts on that? I'm going to Google on that idea some.

-greg

Garry Glendown (Consulting and Network/Security Specialist) commented:
I can't really think of any reason at the moment why a L2 device (or even a router) should reply to ARP requests of other boxes' IPs. After all, MAC addresses are only of use on L2, and forwarding a packet on L2 is a lot more efficient than doing the same on L3. Plus, if the device did actually do that proxy ARP, why only for certain IPs? As I said before, only NAT, or some twisted bridging where the bridge endpoints are too stupid (or with too little memory) to publish and learn all of the remote's MAC addresses and instead just publish their own ...

OuttaCyTE (Author) commented:
Garry,

I've posted a question on the Dell Network Switches forum and let's see what they have to say.  The post is at:

http://en.community.dell.com/support-forums/network-switches/f/866/p/19411610/19967263.aspx

Thanks, I'll update with info as I get it.
-greg

OuttaCyTE (Author) commented:
Garry, et al.,

Based upon your phrase "Proxy ARP" above, I recalled there being some Proxy Arp settings in the switch.  So I set "Local Proxy Arp" to disable then cleared my arp table on my personal machine, pinged all of the machines again and nothing except x.x.x.5 (the switch) had the MAC address.

That brings up the question, What is "Proxy Arp" vs "Local Proxy Arp"?  Googling hasn't yielded much and the config guide says nothing.  I asked this followup in the above mentioned thread.

Still have the pings...

-greg

Garry Glendown (Consulting and Network/Security Specialist) commented:
Reading up on this, it seems the local proxy arp is used to optimize L3 routing on switches - by using proxy arp, the switch is able to not route, but rather use L2 mechanisms to forward between different VLANs instead of "real" routing ... so there actually is a point in doing this ...

Garry Glendown (Consulting and Network/Security Specialist) commented:
So I reckon the packets you see originating from the switch might be some sort of keepalive/monitoring to ensure the proxy-arp'ed destinations are still there ...

OuttaCyTE (Author) commented:
Garry,

The question is still new on the Dell forum, but yeah, I can see an ARP proxy helping facilitate movement through the switch from subnet/vlan to subnet/vlan.

What I didn't like is that it was publishing arp info for destinations on the same subnet/vlan when it should keep that info to itself. I think that's the difference between local proxy arp and proxy arp. The switch, by publishing its MAC address for an IP that is directly reachable to the subnet/vlan in which the NIC is reachable, interposes the switch when the Ethernet L2 transport would otherwise go directly. When is that ever a good idea?

I disabled local proxy arp, but left regular proxy arp enabled.

We'll see what the Dell forum comes up with.

Thanks for your interest in this question.
-greg

OuttaCyTE (Author) commented:
Well, I must say I'm disappointed @ Dell for not answering the question.  I've had some others, but nothing from anybody that has something approaching a definitive answer.  Seems like others have asked this question but they haven't gotten answers either.

Perhaps Dell doesn't know?

-greg

OuttaCyTE (Author) commented:
I've requested that this question be deleted for the following reason:

Such answer as there was

OuttaCyTE (Author) commented:
I meant to cancel the cancel.  That's why it has funkiness.

What I really want to do is accept for no points that turning off local-proxy-arp seemed to resolve the issue.

Dell never did respond so no information about why or wherefore.

-g
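
The symptom this thread turned on, one MAC address listed against several IPs in `arp -a`, can be checked mechanically instead of by eye. The script below is an added example, not part of the original posts: the sample output is constructed (192.0.2.x documentation addresses, and only the 00:1E:C9 prefix comes from the thread), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample mixing Windows-style and Linux-style `arp -a` lines.
# Addresses are from the 192.0.2.0/24 documentation range; MAC suffixes are made up.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.0.2.50 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.5             00-1e-c9-aa-bb-01     dynamic
  192.0.2.7             00-1e-c9-aa-bb-01     dynamic
  192.0.2.100           00-1e-c9-aa-bb-01     dynamic
  192.0.2.20            00-50-56-11-22-33     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
? (192.0.2.103) at 00:1e:c9:aa:bb:01 [ether] on eth0
"""

IP_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

def parse_arp(text):
    """Yield (ip, mac) pairs; MAC normalised to lower-case colon form."""
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        ip = IP_RE.search(line)
        # Header lines and <incomplete> entries have no MAC and are skipped.
        if mac and ip and ip.start() < mac.start():
            yield ip.group(1), mac.group(1).lower().replace("-", ":")

def is_group_mac(mac):
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1

def shared_macs(text):
    """Return {mac: sorted IPs} for unicast MACs that answer for more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac in parse_arp(text):
        if not is_group_mac(mac):  # ff:ff:... legitimately maps to several IPs
            by_mac[mac].add(ip)
    return {m: sorted(ips, key=lambda a: tuple(map(int, a.split("."))))
            for m, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE_ARP_OUTPUT).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

A unicast MAC reported here is a device answering ARP on behalf of other hosts (proxy ARP or NAT, as discussed above, or ARP spoofing); clearing the ARP cache and re-running after a configuration change shows whether the entries come back.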