02-04-2010 12:17 PM - edited 03-04-2019 07:24 AM
Hi, imagine someone reports that in a company network a management alarm shows a certain machine which broadcasts to bootp, and the only info available is the MAC address.
Does anyone have a good methodology on how to track down and find a node given only the MAC address?
02-04-2010 12:51 PM
Hello Marlon,
the best way is to start from the distribution/core switches of the campus network.
Edit:
step 0: if starting from an IP address, telnet to the default gateway of the given IP address A.A.A.A and use
sh ip arp | inc A.A.A.A
step 1: using
sh mac address-table address HHHH.HHHH.HHHH
OR
sh mac-address-table address HHHH.HHHH.HHHH
(IOS release dependent)
CatOS:
sh cam HH-HH-HH-HH-HH-HH
you can find out the interface on which the MAC address has been learned.
step 2: if CDP is enabled you can find out what access switch the MAC address is learned from:
sh cdp n typex/y
sh cdp n x/y (CatOS)
step 3: telnet to that switch and repeat step 1.
Do this until you find an access port where the device is located.
If CDP is not enabled you should look at sh run interface typex/y and look at the description to see what switch is on that port of the core/distribution switch.
This method works well.
Hope to help
Giuseppe
02-04-2010 02:09 PM
mysite-suc-gw1#show mac-address-table address 0015.211c.1e89
mysite-suc-gw1#
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
3 0015.211c.1e89 dynamic ip FastEthernet3/2
mysite-suc-gw1#show cdp neig f3/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
mysite-suc-sw.c Fas 3/2 121 S I WS-C2960- Gig 0/1
mysite-suc-gw1#
Observation: I have 2 other 2960 switches connected via trunk to this mysite-suc-sw with all ports also in vlan 3.
I did 'show mac-address-table' and 'show arp' on them and I see no MAC 0015 there, though.
mysite-suc-sw#show mac address-table address 0015.211c.1e89
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
3 0015.211c.1e89 DYNAMIC Gi0/2
Total Mac Addresses for this criterion: 1
So this points to the secondary layer 3 switch, which is doing the routing. If I repeat the process, I go back to seeing the MAC learned on mysite-suc-sw port f3/2.
mysite-suc-sw#show cdp neig g0/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
mysite-suc-gw2.c Gig 0/2 166 R S I WS-C4507R Fas 3/2
So at this point I still can't see the switchport the broadcasting MAC is coming from. Any idea what I am missing? I imagine the MAC address could be learned via the other (2) 2960s connected to mysite-suc-sw, but again I did show mac-address-table and show arp on every switch and I still don't see the access port listed there.
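The hop-by-hop trace Giuseppe describes (step 1 to step 3), together with the ping-pong Marlon observes above where each layer 3 switch points at the other, as an added example that is not part of the original thread and not a Cisco tool. It is a Python script that parses constructed "show mac address-table" and "show cdp neighbors" captures in the two table layouts shown in the thread (Catalyst 4500 style for gw1/gw2, Catalyst 2960 style for sw) and walks the CAM tables until it reaches a port with no CDP switch neighbour, stopping as soon as a switch is visited twice. The switch names gw1/sw/gw2, the topology, the interface numbers and the MAC 0011.2233.4455 are made up for the example; 0015.211c.1e89 is the MAC from the thread. The CDP parser assumes the two-token "Gig 0/1" port style the thread's output shows.

```python
import re

# Constructed CLI captures for a 3-switch campus (not real device output).
# Assumed topology: gw1 Fa3/2 <-> sw Gi0/1, sw Gi0/2 <-> gw2 Fa3/2, sw Fa0/17 = access port.
MAC_TABLES = {
    "gw1": """\
vlan   mac address     type     protocols              port
-------+---------------+--------+---------------------+--------------------
   3  0015.211c.1e89   dynamic  ip                     FastEthernet3/2
   3  0011.2233.4455   dynamic  ip                     FastEthernet3/2
""",
    "sw": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    0015.211c.1e89    DYNAMIC     Gi0/2
   3    0011.2233.4455    DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 2
""",
    "gw2": """\
vlan   mac address     type     protocols              port
-------+---------------+--------+---------------------+--------------------
   3  0015.211c.1e89   dynamic  ip                     FastEthernet3/2
""",
}

CDP_HEADER = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
"""
# Keyed by (switch, local port); constructed neighbour rows in the thread's layout.
CDP_TABLES = {
    ("gw1", "Fa3/2"): CDP_HEADER + "sw.example.net   Fas 3/2           121        S I         WS-C2960- Gig 0/1\n",
    ("sw", "Gi0/1"):  CDP_HEADER + "gw1.example.net  Gig 0/1           166        R S I       WS-C4507R Fas 3/2\n",
    ("sw", "Gi0/2"):  CDP_HEADER + "gw2.example.net  Gig 0/2           166        R S I       WS-C4507R Fas 3/2\n",
    ("gw2", "Fa3/2"): CDP_HEADER + "sw.example.net   Fas 3/2           150        S I         WS-C2960- Gig 0/2\n",
    # ("sw", "Fa0/17") is deliberately absent: the access port has no CDP neighbour.
}


def short_ifname(name):
    """Collapse 'FastEthernet3/2' / 'GigabitEthernet0/1' to 'Fa3/2' / 'Gi0/1'."""
    return re.sub(r"^(Fa|Gi|Te)[A-Za-z]*", r"\1", name)


def mac_port(mac_table_output, mac):
    """Port on which `mac` was learned, or None if it is not in this table."""
    for line in mac_table_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[1].lower() == mac.lower():
            return short_ifname(tokens[-1])  # port is the last column in both layouts
    return None


def cdp_neighbor(cdp_output):
    """(device, capability set) of the first neighbour row, or None if no neighbour."""
    for line in cdp_output.splitlines():
        tokens = line.split()
        # Row shape: DeviceID, 'Fas 3/2' (2 tokens), holdtime, caps..., platform, 'Gig 0/1'
        if len(tokens) >= 7 and tokens[3].isdigit():
            return tokens[0].split(".")[0], set(tokens[4:-3])
    return None


def trace_mac(mac, start, mac_tables=MAC_TABLES, cdp_tables=CDP_TABLES):
    """Walk the MAC hop by hop from `start`.

    Returns (path, status): path is the list of (switch, port) visited, status is
    'access-port' (host found), 'not-learned' (aged out of CAM or never seen here),
    'cdp-endpoint' (neighbour is not a switch, e.g. a phone) or 'loop' (each hop
    points at a switch already visited, the ping-pong seen in the thread)."""
    path, visited, switch = [], set(), start
    while switch not in visited:
        visited.add(switch)
        port = mac_port(mac_tables.get(switch, ""), mac)
        if port is None:
            return path, "not-learned"
        path.append((switch, port))
        neighbor = cdp_neighbor(cdp_tables.get((switch, port), ""))
        if neighbor is None:
            return path, "access-port"
        device, caps = neighbor
        if "S" not in caps:
            return path, "cdp-endpoint"
        switch = device
    return path, "loop"


if __name__ == "__main__":
    for mac in ("0011.2233.4455", "0015.211c.1e89"):
        print(mac, trace_mac(mac, "gw1"))
```

A "loop" result is the signal Marlon hit: the entry has aged out (or was only ever flooded) on the access switch, so the trunk ports of the two layer 3 switches point at each other and nothing points at an edge port. Re-running the trace while the device is actually transmitting, or capturing on the trunk, is the only way past that state.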
02-04-2010 02:29 PM
Hello Marlon,
Is the DHCP service enabled in vlan 3 or not?
If it is not enabled, the device is simply trying to get an answer from a DHCP server with bootp.
Unfortunately, not getting an answer, it will be silent and will be removed from the CAM tables within 300 seconds.
Check also with
sh ip arp | inc 0015.211c.1e89
on layer 3 devices only; the C2960s cannot have it in their ARP table unless their management IP address is in the same vlan 3.
Another important tool in this kind of search is to identify the vendor from the first 3 bytes of MAC address (OUI)
http://standards.ieee.org/regauth/oui/index.shtml
by inserting the OUI in the format HH-HH-HH or simply HHHHHH,
that is 001521 in your case, we get:
00-15-21 (hex) Horoquartz
001521 (base 16) Horoquartz
BP 251
FONTENAY LE COMTE VENDEE 85205
FRANCE
Looking at the web page of this company, you can discover they also sell badge readers for access control.
Well, it is also possible that some device has a fake MAC address and is using this OUI.
Or someone has installed a device from that company.
Hope to help
Giuseppe
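The OUI lookup Giuseppe describes, as an added example that is not part of the original post and not the IEEE registry itself: it normalises the MAC formats seen in this thread (Cisco dotted, dashed, colon, bare), extracts the OUI in both query formats the registry accepts, and checks the U/L bit of the first octet before trusting the vendor, which is the one local clue for the fake-MAC case he mentions. The OUI_TABLE is constructed; only the 00-15-21 row comes from the registry output quoted in the thread, the other row is a placeholder.

```python
import re

# Constructed OUI table: 00-15-21 is the row quoted in the thread; AA-BB-CC is a placeholder.
OUI_TABLE = {
    "00-15-21": "Horoquartz",
    "AA-BB-CC": "PLACEHOLDER-VENDOR",
}


def normalize_mac(mac):
    """Accept hhhh.hhhh.hhhh, hh:hh:..., hh-hh-... or bare hex; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui(mac, sep="-"):
    """First 3 bytes as 'HH-HH-HH' (sep='-') or 'HHHHHH' (sep=''), the two registry query formats."""
    d = normalize_mac(mac)
    return sep.join(d[i:i + 2] for i in range(0, 6, 2)).upper()


def mac_flags(mac):
    """I/G bit (0x01, multicast) and U/L bit (0x02, locally administered) of the first octet."""
    first = int(normalize_mac(mac)[:2], 16)
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def lookup_vendor(mac, table=OUI_TABLE):
    """Vendor for the OUI, or None when the OUI is unknown or the U/L bit is set
    (a locally administered address carries no vendor information)."""
    if mac_flags(mac)["locally_administered"]:
        return None
    return table.get(oui(mac))


if __name__ == "__main__":
    for m in ("0015.211c.1e89", "02-15-21-1c-1e-89"):
        print(m, oui(m), oui(m, sep=""), mac_flags(m), lookup_vendor(m))
```

The U/L check is only a hint: a spoofed address can just as well reuse a globally administered OUI, so the vendor name narrows the search (badge readers, in this thread) without proving what the device is.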
02-04-2010 02:38 PM
Hey, thanks for all this info.
Yes, I see that on both layer 3 4507s, under the int vlan 3 SVI, I do have ip-helper configured correctly.
I did 'sh ip arp | inc 0015.211c.1e89' on both 4507s and I got nothing. So yes, it is known that devices are rebooting in a loop, because there are lots of bootp messages on the monitoring tool.
So it seems from here I will ask the techies to search for that model of device, possibly rebooting, because it seems I can't do more than this.
Thanks again.