Mr. Be@n
Find IP address with Mac -Urgent
Hey guys,
I am dealing with a client that has been down all yesterday as well as today with conflicting IP addresses. I worked with Microsoft and they were able to find the MAC address of another device that was giving out DHCP. I have tried arp on various servers and could not find that MAC even after pinging the broadcast address. I have tried this command: show ip arp vlan (vlan number) | include (mac address) and all that it can really tell me is what the originating port is. This led me to two HP switches which also have the MAC address but that list the trunk port as the originating source. I am getting absolutely nowhere with finding this. Please help!!!!
If you're just looking for a MAC you should be able to locate it using your managed switches. I don't know what the command is on HP switches but on Cisco switches I would use mac add add xxx.xxx.xxx to find out what interface is associated to that MAC. You may have to travel through a few switches and repeat the process a few times but you'll find it.
If it lists a trunk as the originating port, then you need to check the switch that is connected to you over that trunk port for the mac address.
You have to follow the trace through the trunk interface to the uplink switch, and then check from there, until you end up with a machine.
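The hop-by-hop trace described in the replies above, as an added example that is not part of the original thread: it looks the MAC up on one switch and, whenever the port is a known trunk, repeats the lookup on the neighbouring switch until it reaches an edge port. The switch names `core` and `HP-Switch-2`, the port numbers, the uplink map and the simplified "MAC PORT" table text are constructed for illustration.

```python
import re

# Constructed sample data. Switch names, port numbers and the uplink map are
# assumptions; the MAC-table text is simplified to "MAC PORT" lines.
TABLES = {
    "core": "MAC Address   Port\n------------- ----\n005056-a61c1c 48\n",
    "HP-Switch-1": "005056-a61c1c 24\ne8b748-c757b0 13\n",
    "HP-Switch-2": "005056-a61c1c 5\n005056-a606d9 7\n",
}
# (switch, port) -> neighbouring switch, for every trunk/uplink port.
UPLINKS = {
    ("core", "48"): "HP-Switch-1",
    ("HP-Switch-1", "24"): "HP-Switch-2",
    ("HP-Switch-1", "1"): "core",
    ("HP-Switch-2", "1"): "HP-Switch-1",
}

def norm_mac(mac):
    """Reduce HP, Cisco or colon MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Parse 'MAC PORT' lines into {mac: port}, skipping headers and rulers."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        try:
            table[norm_mac(fields[0])] = fields[1]
        except (IndexError, ValueError):
            continue
    return table

def trace_mac(mac, start, tables, uplinks):
    """Follow a MAC across trunk ports; return (path, switch, port)."""
    mac, switch, path = norm_mac(mac), start, []
    while switch not in path:
        path.append(switch)
        port = parse_table(tables[switch]).get(mac)
        nxt = uplinks.get((switch, port))
        if port is None or nxt is None:
            # port None: entry aged out here; otherwise this is an edge port.
            return path, switch, port
        switch = nxt
    raise RuntimeError(f"uplink map loops back to {switch}")

if __name__ == "__main__":
    print(trace_mac("00:50:56:a6:1c:1c", "core", TABLES, UPLINKS))
```

A returned port of `None` means the last switch in the path no longer holds the entry, so the lookup has to be repeated while the device is actively sending traffic.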
It might help to get the first 3 bytes through the following: http://coffer.com/mac_find/
That might help identify the device it is coming from.
On switches the command show mac or show cam should be used to find where MAC addresses have been seen.
What is connected to the trunk? The other of those 2 switches?
What you did is exactly what you can do if you only have a MAC address - try to find out the switch port the MAC address is registered on. The only other clue might come from the manufacturer part of the MAC.
You also need to remember which kinds of devices/OS can act as a DHCP server: Linux machines, routers, L3 switches, Windows Server machines.
Having said that, since you can do arp you know the IP address of the DHCP server, and should be able to ping -a that to get a host name which will hopefully tell more.
ASKER
Thanks guys,
I can definitely tell that this is a Cisco device by the OUID. I was able to get a ticket in with Cisco. I'll let you guys know how it goes
HP-Switch-1# ping 192.168.251.2
192.168.251.2 is alive, time = 3 ms
Then look for it in the ARP cache;
HP-Switch-1# show arp
IP ARP table
IP Address      MAC Address       Type    Port
--------------- ----------------- ------- ----
192.168.251.1   e8b748-c757b0     dynamic 13
192.168.251.2   005056-a61c1c     dynamic 5    << It’s on port 5
192.168.251.5   005056-a606d9     dynamic 7
Or if you already know its MAC address;
HP-Switch-1# show mac-address 005056-a61c1c
Status and Counters - Address Table - 005056-a61c1c
Port
-------
5
You're sure there are no dhcp-helpers aka dhcp-relay on any router? (dhcp-proxies..)
ASKER
No, the only DHCP helper address configuration that I could find on any of their devices was pointing to the Windows Server DHCP, the one that they are supposed to be getting it from. Even if that is the case and blocking that MAC did break something, it is still better than what they had before.
You probably still need to find the rogue DHCP server as it will continue to obstruct when it either gets adjusted or it might restart breaking stuff when the arp entry gets lost sometime.
Good luck with finding it.
ASKER
Yes that is ideal, it's kind of like finding a needle in a haystack at this point.
ASKER
This solved it.