cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8859
Views
0
Helpful
16
Replies

Identify device on port

radovan.vojtek
Level 1
Level 1

Hi all,

i've one port (GigEth, if depends) w/o description and I need to identify device on this port (remotely, indeed ) . I've tried MAC table (empty for that port), I've tried to shutdown the port down and enable it again, I've tried to ping whole subnet - still no MAC entry for that port.

Is there any other way to identify the remote device? As it's the SAN port, i do not want to disable it and wait "what will fall down"

Thanks!

R.*

3 Accepted Solutions

Accepted Solutions

Peter Paluch
Cisco Employee
Cisco Employee

Hello Radovan,

Is it possible that the device is a transparent device generating no frames, i.e. an unmanaged switch, perhaps a traffic analyzer or similar?

I assume that the device does not manifest itself in CDP nor LLDP neighbor tables.

Best regards,

Peter

View solution in original post

Hello Rado,

Hmmm, I am afraid we are out of luck - except, of course, tracing the cable If the device decides to remain silent, there is no L2 protocol that could force it to disclose its identity. We do not even know what protocols may be running on it as to try to "tickle" it with, say, STP.

The fact is that the device does not appear to generate any frames whatsoever, otherwise, its MAC address would already be recorded in the CAM. This fact suggests that it may be a device in some suspended state (perhaps a shutdown machine with just its LAN interface up, expecting Wake-on-LAN frames), or the operating system may be halted (kernel panic, BSOD), or it may be in some similar error state. For all we know is that the device is completely silent.

By the way, you have indicated that it is a GigE port. Can you post its configuration? Also please include the following output:

  • show interface XXX switchport
  • show interface XXX status

Thank you!

Best regards,

Peter

View solution in original post

Hi Radovan.

Interesting. And what about the counters in show interface gi0/21? Are there any incoming frames recorded whatsoever?

And just to be sure - are there any ACLs on the port?

Best regards,

Peter

View solution in original post

16 Replies 16

Peter Paluch
Cisco Employee
Cisco Employee

Hello Radovan,

Is it possible that the device is a transparent device generating no frames, i.e. an unmanaged switch, perhaps a traffic analyzer or similar?

I assume that the device does not manifest itself in CDP nor LLDP neighbor tables.

Best regards,

Peter

Hello Peter,

thank you for your reply!

I suppose it's some "forgotten" PC/server, in 99.999% it's not another switch/hub. No CDP neighbour is advertising on the port. We do not use LLDP - I'll try to turn it on, however I suppose it wont help in this case...

BRG,

R.*

Hello Peter,

I've turned on the LLDP and, as I expected, there are no LLDP information on that port...

R.*

Hello Rado,

Hmmm, I am afraid we are out of luck - except, of course, tracing the cable If the device decides to remain silent, there is no L2 protocol that could force it to disclose its identity. We do not even know what protocols may be running on it as to try to "tickle" it with, say, STP.

The fact is that the device does not appear to generate any frames whatsoever, otherwise, its MAC address would already be recorded in the CAM. This fact suggests that it may be a device in some suspended state (perhaps a shutdown machine with just its LAN interface up, expecting Wake-on-LAN frames), or the operating system may be halted (kernel panic, BSOD), or it may be in some similar error state. For all we know is that the device is completely silent.

By the way, you have indicated that it is a GigE port. Can you post its configuration? Also please include the following output:

  • show interface XXX switchport
  • show interface XXX status

Thank you!

Best regards,

Peter

Hello Peter,

yes, it could be some error state... I think, I'll sent some "cable guy" to trace the line (unfortunatelly, I'm 200+ km away)...

However, I'd like to try all possible ways to investigate the problem - for possible future use, you know :))

Here are the requested information:

It's Calatyst:

Switch Ports Model              SW Version            SW Image                

------ ----- -----              ----------            ----------              

*    1 24    WS-C2960G-24TC-L   12.2(50)SE1           C2960-LANBASEK9-M  

c3-2960G#sh int gi0/21 swi

Name: Gi0/21

Switchport: Enabled

Administrative Mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 410 (EG_iSCSI)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk associations: none

Administrative private-vlan trunk mappings: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

c3-2960G#sh int gi0/21 statu

Port      Name               Status       Vlan       Duplex  Speed Type

Gi0/21                       connected    410        a-full a-1000 10/100/1000BaseTX

BRG,

R.*

Hi Radovan.

Interesting. And what about the counters in show interface gi0/21? Are there any incoming frames recorded whatsoever?

And just to be sure - are there any ACLs on the port?

Best regards,

Peter

Hi Peter,

it seems there are just broadcasts (3-5 packets per second in average - the total packets counter is growing equally to the bcasts counter).

There is just a "core" config on the port:

c3-2960G#sh run int gi0/21

Building configuration...

Current configuration : 106 bytes

!

interface GigabitEthernet0/21

switchport access vlan 410

switchport mode access

end

BRG,

R.*

Radovan,

Wait a sec. You have said that the broadcast counters are increasing... are they increasing for outgoing or incoming counters? Because if broadcasts are coming into the interface then their sender must be a unicast MAC address that should definitely be learned by the MAC address table on that port!

Just to make sure: check if there is a line in your configuration that says:

no mac address-table learning vlan 410

This line would deactivate learning MAC addresses on VLAN410.

Best regards,

Peter

Hi Peter,

you're right, it's very strange. The counters are incomming bcasts (recieved), however in the config there is no line like that you're posted... In fact, I've facing the empty CAM on port at the first time... I never see the port with empty CAM (at least after ping the whole subnet )

BRG,

R.*

Radovan,

This is getting even more strange. Are there any logging messages present that could be related to what is happening? See the show logging if the buffered logging is configured.

Ziga suggested using a SPAN session but you have explained that there is no free port on the switch. My question is: would it be possible to set up a RSPAN and to capture the monitored traffic over a RSPAN VLAN on a different switch?

Best regards,

Peter

Hi Peter,

there is no relevant message in the logging. Unfortunatelly, we are not archive the central syslog server more than one month, so that I cannot say if there was some relevant logging entry in the past...

I'll try to se up the RSPAN, however I do not know if I'll be able to set it up remotely (I work at home with just an VPN connection).

I'll let you in.

BRG,

R.*

Well, our "cable man" chekced it and the cable leads to an additional port on Edimax switch in our DEMO site - it's connected by two lines from two Cisco switches.

It's very strange to me - STP protocol does not apply! Both Cisco switches has that ports as Desg in Fwd state, even though there IS a loop... (both cisco switches is connected in between by trunk port including VLAN 410, both access ports leads to the same Edimax switch... And there is not entry anout STP in the syslog... I do not understand it!

Never mind, I have to change the connection schema.

Thank you very much for help with this issue, Peter!

R.*

Hello Radovan,

Do you believe you would be able to post the requested information? And by the way, what is the switch type and the IOS version?

Best regards,

Peter

I'm sorry, I missed your reply, my fault...