ARP alerting tool

MikeM-2468 · ‎01-16-2013

I thought it would be easy to find a tool that would monitor my Windows DHCP server database and alert on leases to new MAC addresses. I'm finding that not so easy. As I thought about it, I thought it might be better to focus on reading the ARP table in my 6509 switch. Are there any tools that will allow this? Is ARP a better option?

John Blakley · ‎01-17-2013

I don't believe watching the arp table is going to be the way to go here. You won't be able to differentiate from dhcp assigned addresses vs statically assigned addresses that just happened to be configured without you knowing. Then there's the whole cross referencing if you were to get an alert with the dhcp server to see if it assigned it, and if not, then you just have to track it down.

I'd suggest possibly configuring dhcp snooping and then watch that database instead. Technically, you could create an eem script to watch the database for new additions/removals and send an email based on what you see in the database. I don't have a script to do this, but I could see it being able to be done.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

MikeM-2468 · ‎01-17-2013

The "without you knowing" is the whole point. I need to account for static IPs too. I need to know any device that plugs into the network.

John Blakley · ‎01-17-2013

If you don't mind getting everything that gets placed into the arp table, then an eem or tcl script is the best way to go because they live on the switch and run in the background.

There may be some premade scripts that you could use, but your switch has to have an IOS that supports eem. (Embedded Event Manager.)

https://supportforums.cisco.com/community/netpro/network-infrastructure/eem?view=all#/?tagSet=undefined

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***