
Map ARP records to device manufacturer

 

A core switch maintains an ARP table that maps a device's MAC address to its IP address. You can easily display this table by entering "show ip arp", but it isn't sorted, and on a large network it will contain thousands of entries.

I wrote a simple Python 3 script (ARP-Sort) that takes the output, cleans it up and then displays it in four sections:

  • IP address only
  • IP address and MAC address
  • IP address, MAC address and VLAN ID
  • IP address, MAC address and manufacturer.

Here is a snippet of the output:

Number of IP Addresses: 839
10.10.246.52
10.10.246.53
10.10.246.54

...

Number of IP and MAC Addresses: 839
10.10.246.52 2c31.2451.7fc1
10.10.246.53 286f.7f68.4c80
10.10.246.54 286f.7f68.5400

...

Number IP, MAC and VLAN: 839
10.10.246.52 2c31.2451.7fc1 246
10.10.246.53 286f.7f68.4c80 246
10.10.246.54 286f.7f68.5400 246

...

Number IP, MAC and Manufacture: 839
10.10.246.52 2c31.2451.7fc1 Vendor(manuf='Cisco', comment=None)
10.10.246.53 286f.7f68.4c80 Vendor(manuf='Cisco', comment=None)
10.10.246.54 286f.7f68.5400 Vendor(manuf='Cisco', comment=None)

...

One issue is that the ARP table will delete devices that haven't communicated for a while. You can try to ping the subnet broadcast address - ping 10.10.246.255 - but a lot of devices don't respond to a broadcast ping. I wrote a script that takes the output from "sh run | i ^interface|^_ip address", parses the subnets and pings all hosts. I have had good luck with this script refreshing the switch's ARP table. The script is available here: https://github.com/rikosintie/pingSVI

I use the output for several things. If I'm replacing a core switch, I will save the output before the change and then run it again after the change. Since the output is sorted, it's easy to use a file diff tool to see any differences. I use Meld (Meld File compare) on Linux/Windows to compare files. On Windows, Notepad++ is also a good tool.
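The parse, sort, vendor lookup and before/after comparison described above, as an added example that is not the ARP-Sort script itself. It assumes the Cisco IOS column layout for "show ip arp", keeps only rows learned on a Vlan interface, and uses a small inline OUI table built from the prefixes visible in this page's sample output instead of a full vendor database; the captures and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed captures in Cisco IOS "show ip arp" layout (assumed format).
BEFORE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.246.54            3   286f.7f68.5400  ARPA   Vlan246
Internet  10.10.246.9             0   Incomplete      ARPA
Internet  10.10.246.52            -   2c31.2451.7fc1  ARPA   Vlan246
Internet  10.10.246.53           12   286f.7f68.4c80  ARPA   Vlan246
"""
AFTER = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.246.52            -   2c31.2451.7fc1  ARPA   Vlan246
Internet  10.10.246.53            1   2c27.d751.48d8  ARPA   Vlan246
Internet  10.10.246.100           0   001e.f728.ab8f  ARPA   Vlan246
"""
# Stand-in for a full OUI database: only prefixes shown in the page's output.
OUI = {"2c3124": "Cisco", "286f7f": "Cisco", "001ef7": "Cisco", "2c27d7": "HewlettP"}
# Columns: Protocol, Address, Age, Hardware Addr, Type, Interface (Vlan only).
ROW = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                 r"\s+\S+\s+Vlan(\d+)", re.I)

def parse_arp(text):
    """Return {ip: (mac, vlan)}; the header and Incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[ipaddress.ip_address(m.group(1))] = (m.group(2).lower(), int(m.group(3)))
    return table

def vendor(mac):
    """Look up the first three octets of a dotted Cisco-style MAC."""
    return OUI.get(mac.replace(".", "")[:6], "unknown")

def report(table):
    """'ip mac vlan vendor' lines, sorted numerically by IP (not as strings)."""
    return [f"{ip} {mac} {vlan} {vendor(mac)}" for ip, (mac, vlan) in sorted(table.items())]

def compare(before, after):
    """IPs that vanished, appeared, or now resolve to a different MAC."""
    gone = [str(ip) for ip in sorted(before.keys() - after.keys())]
    new = [str(ip) for ip in sorted(after.keys() - before.keys())]
    moved = {str(ip): (before[ip][0], after[ip][0])
             for ip in sorted(before.keys() & after.keys()) if before[ip][0] != after[ip][0]}
    return gone, new, moved

if __name__ == "__main__":
    print(*report(parse_arp(AFTER)), compare(parse_arp(BEFORE), parse_arp(AFTER)), sep="\n")
```

An IP whose MAC changed between the two captures is the entry to check first after a cutover: it is either a replaced device or a different host now answering ARP for that address.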

I also use a free tool called PingInfoView from nirsoft.net. This tool takes a text file with IP/Host name entries and pings each device. I just run sh ip arp vlan x for the VLAN of interest, run the script and paste the output into PingInfoView. It uses the MAC as the hostname, but that is fine for a lot of situations. I set up a separate monitor off my laptop and create a "Dashboard" of PingInfoViews for Servers, Switches, VLANs, etc. that are critical.

Finally, I use the output with the manufacturer to look for specific manufacturers. If you need to look for devices on specific interfaces, I wrote another script that takes the output of "show mac add int g1/0/1 | i Gi" and maps MAC addresses to interfaces. Here is output from it:
Number Entries: 305

Vlan MAC Address Interface
30 001e.f728.ab8f Gi1/0/1 Vendor(manuf='Cisco', comment=None)
****************************************************************************
30 2c27.d751.48d8 Gi1/0/1 Vendor(manuf='HewlettP', comment=None)
****************************************************************************

This script is available here - MAC2Manuf
