
how to track down where a device is coming from?

lwillmann
Level 1

I have a Cisco 3560 PoE switch that is used as my core switch at this location. It serves as the DHCP server for two VLANs, one for data, one for voice.

Currently, our data network is a single subnet, and is a mix of static and DHCP clients. The static IPs are somewhat spread out in blocks of similar devices. I realize that this is not the ideal configuration and I'd like to change that to make it better but I have a larger issue at the moment.

Based on how the switch is currently configured, I believe I have approximately 71 DHCP addresses available for the data VLAN. However, we started running into problems when we had 50 DHCP clients on the network (phones, laptops, desktops, etc). Some of them were hard wired but the majority were wireless. The problem I had was that clients were unable to get IPs from the DHCP pool for some reason, so I got to digging.

I ran a "show ip dhcp binding" command and saw a device(s) with strange MAC addresses; this device(s) is eating 10 IPs in my DHCP pool.

By strange MAC address, here's what I mean. EVERY other device in the binding table has a MAC in this format: 01xx.xxxx.xxxx.xx (I have figured out that the leading 01 is something that the switch puts there, and the rest of that is the actual MAC). However this device has a MAC address in this format in the table 01xx.xxxx.xxxx.xxxx.xxxx.xxxx.0000.xxxx.xx. That same format shows up a total of 10 times, and where I have the 0000 the MAC number increases by 1 up to 0009.

I have run numerous MAC searches online to determine what type of device it is, but the MAC address showing on the switch doesn't show up in any of the online search tools that I've used.

I thought that I might try to find what port the device is communicating through, so I ran the command "show mac-address-table", but that MAC is not listed in the table. So I signed in to all of our other switches (one other 3560, and 4 Dell PowerConnect switches) and attempted to run the same command. The Dells don't support that command, so I had to run something like "show arp" or something to that effect to get similar information. I put all the data into an Excel file and can see many (but not all) of the devices on my network, and can tell which port each of those is connected to on which switch, but I cannot find this MAC address anywhere on the network. I have run a couple of different network scanners and they can't see anything on the IPs that this device(s) consume. So I'm at a bit of a loss here.

It appears to be consuming DHCP IPs, but there is no other record of the device anywhere that I can find.

For now, the only thing I've been able to do is to log in to the switch each morning, run the "show ip dhcp binding" and then "clear ip dhcp binding xxx.xxx.xxx.xxx" for each of the 10 IPs it is consuming.

I really want to figure out where this device is coming from so I can handle it properly.

Does anyone know what I can do to determine what the device(s) is, and how it is connecting to my network so I can handle appropriately?

5 Replies

Zach S
Level 1

Show arp won't give you information on the Dell switches if they aren't layer 3 devices. From a quick Google, it looks like the command on the Dell PowerConnect switches is "show mac address-table". Double check on the Dells to see if you have any options like that.

That command doesn't work on the Dell switches. It's an 'unrecognized command'.

I would think that the Cisco would show me the MACs and that they are coming in one of the fiber ports (links to the other switches) at the very least. But these strange MAC addresses don't show on the mac address-table on the Cisco switch. The only place they show up is on the dhcp binding list.

 

The Dell switches will use "show bridge address" and you can find them that way...

HTH, John *** Please rate all useful posts ***

I tried the "show bridge address" and am unable to locate which switch these strange MAC addresses are coming from.

 

So I am still unable to determine what the device(s) is/are.

Looks like you're seeing "client-identifiers" for Windows machines or some printers.

See: http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html

 

Take the 01 off that mac address and look for that in your mac tables. If you can't find it there, try running a ping sweep on all your subnets and looking in your arp tables.
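
One way to apply the last reply's suggestion across the whole binding table, as an added example that is not part of the thread: it strips the leading 01 from each client identifier in "show ip dhcp binding" output and groups leases by the MAC that follows, so a single host holding many leases stands out. The sample rows are constructed, and treating the six bytes after the 01 in the longer identifiers as the device's MAC is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip dhcp binding" output (not taken from the thread).
SAMPLE = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
10.1.1.51        0100.1122.3344.55       Mar 02 2024 10:15 AM    Automatic
10.1.1.52        0100.1122.3344.66       Mar 02 2024 10:20 AM    Automatic
10.1.1.60        01aa.bbcc.ddee.ff01.0203.0405.0000.0607.08  Mar 02 2024 11:00 AM  Automatic
10.1.1.61        01aa.bbcc.ddee.ff01.0203.0405.0001.0607.08  Mar 02 2024 11:00 AM  Automatic
10.1.1.62        01aa.bbcc.ddee.ff01.0203.0405.0002.0607.08  Mar 02 2024 11:01 AM  Automatic
"""

# A lease row starts with an IPv4 address followed by a dotted-hex identifier.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f.]+)(?:\s|$)")

def cisco_mac(hex12):
    """Format 12 hex digits the way the switch MAC table prints them."""
    return ".".join(hex12[i:i + 4] for i in (0, 4, 8))

def parse_bindings(text):
    """Yield (ip, identifier as bare lowercase hex) for every lease row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), m.group(2).replace(".", "").lower()

def leases_by_mac(text):
    """Map candidate MAC -> [(ip, kind)]; kind is 'mac', 'extended' or 'raw'."""
    out = defaultdict(list)
    for ip, cid in parse_bindings(text):
        if cid.startswith("01") and len(cid) >= 14:
            # 01 + 6 bytes is the usual client-id; anything longer is 'extended'.
            # Assumption: bytes 2-7 of an extended identifier are still the MAC.
            kind = "mac" if len(cid) == 14 else "extended"
            out[cisco_mac(cid[2:14])].append((ip, kind))
        elif len(cid) == 12:
            out[cisco_mac(cid)].append((ip, "raw"))   # plain hardware address
        else:
            out[cid].append((ip, "raw"))              # some other identifier form
    return dict(out)

def multi_lease_hosts(text, threshold=2):
    """Candidate MACs holding at least `threshold` leases, with their IPs."""
    return {mac: [ip for ip, _ in rows]
            for mac, rows in leases_by_mac(text).items() if len(rows) >= threshold}

if __name__ == "__main__":
    for mac, ips in multi_lease_hosts(SAMPLE).items():
        print(f"{mac} holds {len(ips)} leases: {', '.join(ips)}")
```

The MAC it prints is in the dotted form the Cisco MAC table uses, so it can be searched for there directly.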