On a router, any way to tell if clients have not connected in a month?

ciscomdsmagic
Level 1

I am seeking a way to tell which servers (mainly Linux) have not connected to the network in a month, from a router's point of view. Could ARP achieve that?

Thanks!

Leo Laohoo
Hall of Fame

@ciscomdsmagic wrote:

Could arp achieve that?


ARP, by default, only stays in the router database for two minutes.  

What, pray, are you trying to accomplish?

In my experience with IOS routers, when the router is about to time out an ARP entry, it will send an ARP request to the device and, if it receives a response, will generate a new entry in the ARP table. So I do not see how ARP would be helpful in detecting devices that have not been active for a month.

HTH

Rick

The purpose is to find out which of these servers/VMs may not exist and target them for decommissioning.

If not ARP, any other solutions?

In the original post you asked about finding servers that have not connected in a month. In the recent response you say you want to find servers/VMs that do not exist, which is a slightly different thing. The content of the arp table can tell you what is currently active/connected in the network. But it would not provide any information about what was currently active an hour ago, or a day ago, or a month ago.

It seems to me that part of what makes this difficult is how do you know what has been active in the past but is not active at the present moment? And how do you distinguish between some device that truly has been removed from a device that happens to be offline (perhaps powered down overnight and not yet powered up, etc.)?

HTH

Rick


@ciscomdsmagic wrote:

VM’s may not exist and target to decommission. 


Depends on the size of the network/organization. 

If the server team has a list of their assets, then they can easily tell the status of each of the "servers". 

If the network/organization is very small, do the "scream test".  Turn off the port and wait for someone to scream.

If you have a radius-server in your environment (ISE, for example) and your Linux devices are allocated their address via DHCP, then DHCP accounting might do the trick for you.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-16-10/dhcp-xe-16-10-book/dhcp-accting-sec-xe.html#GUID-C5FA2D0B-0F9E-4074-A1C2-1503B7D16002

 

If there is no DHCP, then enable NetFlow on the switches to see which devices are sending traffic over a given time period. If the devices are statically addressed, then any "gaps" in the active-senders list will highlight the missing devices.

Lastly, you could configure your access ports with MAB (MAC Authentication Bypass) and define your rules in the Radius-server to send an access-accept in all cases. That will allow you to see accounting start/stop messages as devices come and go on your devices, and a quick bit of scripting on the logs will tell you what has been active over a given time period. The issue here is that if you have got a lot of devices in your topology, it's a big change to enact on your network.
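A sketch of the log scripting mentioned in the last reply, added here as an example and not code from any poster: it reads RADIUS accounting records, keeps the newest timestamp per MAC address, and reports inventory hosts with no record in the last 30 days. The log line layout, the inventory and every sample value are constructed assumptions; only the attribute names Acct-Status-Type and Calling-Station-Id come from RADIUS itself.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample, one accounting record per line in the assumed layout
# "ISO timestamp,Acct-Status-Type,Calling-Station-Id". Adapt to your real export.
SAMPLE_LOG = """\
2024-05-28T08:00:00,Start,AA-BB-CC-00-00-01
2024-05-28T18:00:00,Stop,AA-BB-CC-00-00-01
2024-03-10T09:15:00,Start,aa:bb:cc:00:00:02
2024-03-10T09:45:00,Stop,aa:bb:cc:00:00:02
2024-05-20T07:30:00,Start,aabb.cc00.0003
not,a,valid,record
"""

# Constructed inventory standing in for the server team's asset list (MAC -> host).
INVENTORY = {"aa:bb:cc:00:00:01": "web01", "aa:bb:cc:00:00:02": "db02",
             "aa:bb:cc:00:00:03": "app03", "aa:bb:cc:00:00:04": "old04"}

def norm_mac(raw):
    """Normalise dash, colon and Cisco dotted MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def last_seen(log_text):
    """Return {mac: newest timestamp} over all valid accounting records."""
    seen = {}
    for row in csv.reader(StringIO(log_text)):
        try:
            ts_raw, status, mac_raw = row
            ts, mac = datetime.fromisoformat(ts_raw), norm_mac(mac_raw)
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
        if status in ("Start", "Stop", "Interim-Update") and ts > seen.get(mac, datetime.min):
            seen[mac] = ts
    return seen

def stale_hosts(log_text, inventory, now, max_age=timedelta(days=30)):
    """Return (host, last_seen or None) for inventory hosts quiet longer than max_age."""
    seen = last_seen(log_text)
    pairs = [(host, seen.get(norm_mac(mac))) for mac, host in inventory.items()]
    stale = [(h, ts) for h, ts in pairs if ts is None or now - ts > max_age]
    return sorted(stale, key=lambda pair: pair[0])

if __name__ == "__main__":
    for host, ts in stale_hosts(SAMPLE_LOG, INVENTORY, datetime(2024, 6, 1)):
        print(host, "last seen:", ts or "never")
```

A host on this list is only a decommission candidate: as noted earlier in the thread, the logs alone cannot distinguish a removed device from one that is merely powered down.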

 
