08-25-2011 06:35 AM - edited 03-07-2019 01:53 AM
Hi all,
I have one port (GigEth, if that matters) without a description and I need to identify the device on this port (remotely, indeed). I've tried the MAC table (empty for that port), I've tried to shut the port down and enable it again, I've tried to ping the whole subnet - still no MAC entry for that port.
Is there any other way to identify the remote device? As it's the SAN port, I do not want to disable it and wait to see "what will fall down".
Thanks!
R.*
08-25-2011 06:42 AM
Hello Radovan,
Is it possible that the device is a transparent device generating no frames, i.e. an unmanaged switch, perhaps a traffic analyzer or similar?
I assume that the device does not manifest itself in CDP nor LLDP neighbor tables.
Best regards,
Peter
08-25-2011 06:52 AM
Hello Peter,
thank you for your reply!
I suppose it's some "forgotten" PC/server, in 99.999% it's not another switch/hub. No CDP neighbour is advertising on the port. We do not use LLDP - I'll try to turn it on, however I suppose it won't help in this case...
BRG,
R.*
08-25-2011 07:02 AM
Hello Peter,
I've turned on LLDP and, as I expected, there is no LLDP information on that port...
R.*
08-25-2011 07:19 AM
Hello Rado,
Hmmm, I am afraid we are out of luck - except, of course, tracing the cable. If the device decides to remain silent, there is no L2 protocol that could force it to disclose its identity. We do not even know what protocols may be running on it so as to try to "tickle" it with, say, STP.
The fact is that the device does not appear to generate any frames whatsoever, otherwise its MAC address would already be recorded in the CAM. This fact suggests that it may be a device in some suspended state (perhaps a shutdown machine with just its LAN interface up, expecting Wake-on-LAN frames), or the operating system may be halted (kernel panic, BSOD), or it may be in some similar error state. All we know is that the device is completely silent.
By the way, you have indicated that it is a GigE port. Can you post its configuration? Also please include the following output:
Thank you!
Best regards,
Peter
08-25-2011 10:54 AM
Hello Peter,
Yes, it could be some error state... I think I'll send some "cable guy" to trace the line (unfortunately, I'm 200+ km away)...
However, I'd like to try all possible ways to investigate the problem - for possible future use, you know :))
Here is the requested information:
It's a Catalyst:
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 24    WS-C2960G-24TC-L   12.2(50)SE1           C2960-LANBASEK9-M
c3-2960G#sh int gi0/21 swi
Name: Gi0/21
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 410 (EG_iSCSI)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
c3-2960G#sh int gi0/21 statu
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/21                       connected    410        a-full a-1000 10/100/1000BaseTX
BRG,
R.*
08-25-2011 11:01 AM
Hi Radovan.
Interesting. And what about the counters in show interface gi0/21? Are there any incoming frames recorded whatsoever?
And just to be sure - are there any ACLs on the port?
Best regards,
Peter
08-25-2011 11:35 AM
Hi Peter,
It seems there are just broadcasts (3-5 packets per second on average - the total packets counter is growing equally to the bcasts counter).
There is just a "core" config on the port:
c3-2960G#sh run int gi0/21
Building configuration...
Current configuration : 106 bytes
!
interface GigabitEthernet0/21
 switchport access vlan 410
 switchport mode access
end
BRG,
R.*
08-25-2011 11:50 AM
Radovan,
Wait a sec. You have said that the broadcast counters are increasing... are they increasing for outgoing or incoming counters? Because if broadcasts are coming into the interface then their sender must be a unicast MAC address that should definitely be learned by the MAC address table on that port!
Just to make sure: check if there is a line in your configuration that says:
no mac address-table learning vlan 410
This line would deactivate learning MAC addresses on VLAN410.
Best regards,
Peter
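An added example (not part of the original thread): the cross-check described in the post above, done in Python over constructed text shaped like IOS `show interfaces` and `show mac address-table` output. It lists ports that are up and count received broadcasts yet have no learned MAC address; the sample output, MAC address and function names are assumptions made for this example.

```python
import re

# Constructed sample output (values invented for this example).
SHOW_INTERFACES = """\
GigabitEthernet0/20 is up, line protocol is up (connected)
     5120 packets input, 401222 bytes, 0 no buffer
     Received 310 broadcasts (12 multicasts)
GigabitEthernet0/21 is up, line protocol is up (connected)
     90412 packets input, 5786368 bytes, 0 no buffer
     Received 90412 broadcasts (0 multicasts)
GigabitEthernet0/22 is down, line protocol is down (notconnect)
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
"""
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 410    0011.2233.4455    DYNAMIC     Gi0/20
"""

def short(name):
    """GigabitEthernet0/21 -> Gi0/21, the form the MAC table prints."""
    m = re.match(r"([A-Za-z]+)(\d[\d/]*)$", name)
    return m.group(1)[:2] + m.group(2) if m else name

def parse_interfaces(text):
    """Map short port name -> link state and received-broadcast count."""
    ports, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+) is (.+?), line protocol is (\w+)", line)
        if head:
            cur = ports.setdefault(short(head.group(1)),
                                   {"up": head.group(3) == "up", "bcast_in": 0})
        elif cur is not None:
            m = re.search(r"Received (\d+) broadcasts", line)
            if m:
                cur["bcast_in"] = int(m.group(1))
    return ports

def learned_macs(text):
    """Map port -> set of MAC addresses learned on it."""
    row = r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\w+\s+(\S+)"
    table = {}
    for m in re.finditer(row, text, re.M | re.I):
        table.setdefault(m.group(2), set()).add(m.group(1).lower())
    return table

def silent_ports(show_int, show_mac):
    """Ports that are up and receive broadcasts but have no CAM entry."""
    macs = learned_macs(show_mac)
    return sorted(p for p, s in parse_interfaces(show_int).items()
                  if s["up"] and s["bcast_in"] > 0 and not macs.get(p))
```

Calling `silent_ports(SHOW_INTERFACES, SHOW_MAC)` on the sample returns only `Gi0/21`, the port that takes in broadcasts while its CAM stays empty.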
08-25-2011 02:17 PM
Hi Peter,
You're right, it's very strange. The counters are incoming bcasts (received), however in the config there is no line like the one you've posted... In fact, I'm facing an empty CAM on a port for the first time... I have never seen a port with an empty CAM (at least after pinging the whole subnet).
BRG,
R.*
08-25-2011 02:23 PM
Radovan,
This is getting even more strange. Are there any logging messages present that could be related to what is happening? See the show logging if the buffered logging is configured.
Ziga suggested using a SPAN session but you have explained that there is no free port on the switch. My question is: would it be possible to set up an RSPAN and to capture the monitored traffic over an RSPAN VLAN on a different switch?
Best regards,
Peter
08-25-2011 02:39 PM
Hi Peter,
There is no relevant message in the logging. Unfortunately, we do not archive the central syslog server for more than one month, so I cannot say if there was some relevant logging entry in the past...
I'll try to set up the RSPAN, however I do not know if I'll be able to set it up remotely (I work at home with just a VPN connection).
I'll let you know.
BRG,
R.*
08-26-2011 01:13 AM
Well, our "cable man" checked it and the cable leads to an additional port on an Edimax switch in our DEMO site - it's connected by two lines from two Cisco switches.
It's very strange to me - STP protocol does not apply! Both Cisco switches have those ports as Desg in Fwd state, even though there IS a loop... (both Cisco switches are connected to each other by a trunk port including VLAN 410, and both access ports lead to the same Edimax switch)... And there is no entry about STP in the syslog... I do not understand it!
Never mind, I have to change the connection schema.
Thank you very much for help with this issue, Peter!
R.*
08-25-2011 10:23 AM
Hello Radovan,
Do you believe you would be able to post the requested information? And by the way, what is the switch type and the IOS version?
Best regards,
Peter
08-25-2011 10:57 AM
I'm sorry, I missed your reply, my fault...