Tracking down a client's port

Discussion in 'Cisco' started by Matt White, Aug 19, 2005.

  1. Matt White

    Matt White Guest

    Newsgroup -

    I have a network made up of 2950s and 3508s. There's six TCs, each with
    a pile of 2950s connected together via GigaStack, and the closets are
    connected together via the 3508s with fiber on a GBIC.

    Every time I need to track down the port that a client is on (starting
    only from the IP address), I have a rather lengthy procedure that I follow:

    - Get on the first 3508 and ping the IP address.
    - Look at the ARP table on the switch to find the MAC address.
    - Look at the MAC address table to see which port the MAC is assigned
    to. If a switch isn't connected to that port, I've found my port.
    - Look at the CDP neighbors table to see which switch is connected to
    the port the MAC address is connected to. (If it's on the GigaStack
    link, this could take a while since you don't know WHICH switch in the
    stack you're looking for.)
    - Jump over to that switch, look at the MAC address table. If it's
    connected to another switch, repeat until the end port is found.

    This works, but it takes a while. Every time I do this I end up thinking
    "You know, there has to be an easier way to do this..."

    Is there? :)

    - Matt
    Matt White, Aug 19, 2005
    #1
    1. Advertising

  2. Matt White wrote:

    > This works, but it takes a while. Every time I do this I end up thinking
    > "You know, there has to be an easier way to do this..."
    >
    > Is there? :)


    trace mac <mac address> <mac address>

    --
    Joop van der Velden -
    Joop van der Velden, Aug 19, 2005
    #2
    1. Advertising

  3. Matt White

    Matt White Guest

    Joop van der Velden wrote:

    > trace mac <mac address> <mac address>


    "Error: Device has Multiple CDP neighbours on source port."

    The device I'm looking for is on the GigaStack... so that is a correct
    statement.

    At least that'll be handy in places where we don't use a GigaStack.

    - Matt
    Matt White, Aug 19, 2005
    #3
  4. Matt White

    Rainer Nagel Guest

    Hi Matt,

    On Fri, 19 Aug 2005 10:59:18 -0400,
    Matt White <> wrote:

    > Every time I need to track down the port that a client is on (starting
    > only from the IP address), I have a rather lengthy procedure that I follow:
    >
    > - Get on the first 3508 and ping the IP address.
    > - Look at the ARP table on the switch to find the MAC address.
    > - Look at the MAC address table to see which port the MAC is assigned
    > to. If a switch isn't connected to that port, I've found my port.
    > - Look at the CDP neighbors table to see which switch is connected to
    > the port the MAC address is connected to. (If it's on the GigaStack
    > link, this could take a while since you don't know WHICH switch in the
    > stack you're looking for.)
    > - Jump over to that switch, look at the MAC address table. If it's
    > connected to another switch, repeat until the end port is found.
    >
    > This works, but it takes a while. Every time I do this I end up thinking
    > "You know, there has to be an easier way to do this..."


    I use a perl script for this.
    The switchport description says which switch or host is connected on
    this port so i don't need cdp.
    And it can ask all routers and firewalls in our data center for their
    arp tables.

    Ciao
    --
    Rainer Nagel

    Duesseldorfer Linux User Group - http://www.dlug.de
    Rainer Nagel, Aug 25, 2005
    #4
  5. In article <>,
    Rainer Nagel <> wrote:
    :I use a perl script for this.
    :The switchport description says which switch or host is connected on
    :this port so i don't need cdp.
    :And it can ask all routers and firewalls in our data center for their
    :arp tables.

    Unfortunately this doesn't generalize to all vendors. For example,
    the Nortel Baystack switch series (4x0 and 5510 both) do not have
    any SNMP mechanism for retrieving the user-assigned switchport description:
    instead one gets the system-generated description such as
    "BayStack 450-24T - Unit 3 Port 7".

    Even within Cisco, there is no way to assign a port description on
    with PIX software at least up to 6.x.

    Another challenge is that when you are working with a mix of devices,
    there are -three- MAC tables you have to probe, not just one.
    ifPhysAddress atPhysAddress ipNetToMediaEntry . And the format of
    the result of the latter two of those is not consistant from device
    type to device type. For example, in some cases (Nortel Accelar/Passport)
    you have to do a binary decomposition of the port identifier in order
    to find out what the portindex is.

    Then there are challenges involving the devices lying or
    returning incomplete results, with the -kind- of lying they do
    dependant on whether you are using snmpget, snmpwalk, or snmpbulkget ...


    All in all, it's a non-trivial effort to write -reliable- generalized
    MAC probe scripts for homogenous devices. And you often still don't
    get the information you are looking for because of ARP table timeouts...
    --
    This signature intentionally left... Oh, darn!
    Walter Roberson, Aug 25, 2005
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Emilio Recio

    Tracking Client Auth in WLSE/WLSM/WDS

    Emilio Recio, Mar 10, 2006, in forum: Cisco
    Replies:
    0
    Views:
    483
    Emilio Recio
    Mar 10, 2006
  2. Bobby

    Need help tracking down email spoofer

    Bobby, Dec 28, 2003, in forum: Computer Support
    Replies:
    6
    Views:
    893
    Norman Miller
    Dec 29, 2003
  3. Miss Perspicacia Tick

    Slightly OT: Tracking down 64-bit drivers

    Miss Perspicacia Tick, Jan 29, 2005, in forum: Computer Support
    Replies:
    7
    Views:
    803
  4. 281 cu. in.

    Re: Tracking People and Companies Down

    281 cu. in., Jul 31, 2003, in forum: Computer Security
    Replies:
    0
    Views:
    838
    281 cu. in.
    Jul 31, 2003
  5. Edw. Peach

    Tracking Someone Tracking Me

    Edw. Peach, Jun 15, 2005, in forum: Computer Security
    Replies:
    4
    Views:
    650
    Olden Doode
    Jul 7, 2005
Loading...

Share This Page