when last we saw our hero (Thursday, Apr 22, 2004),
Jeffery Rasmussen was madly tapping out:
>
> I have seen MAC addresses when I run etherape but I believe etherape
> uses ethereal to pick up its information.

if you have decent switching infrastructure you should be able to
pinpoint the port and the vlan that the mac address is showing up on.
when you have that information you can snake your way back through the
switches and the wiring to find the offending device. this works
regardless of the L3 protocol in use.

from an ios based switch in my lab...

mgmt-sw2#sh mac-address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0005.ddc0.9901    DYNAMIC     Fa0/18
  10    000d.6535.ec71    DYNAMIC     Fa0/2
  10    000f.249a.43a0    DYNAMIC     Fa0/1
  10    0030.194c.9f00    DYNAMIC     Fa0/23
  10    00d0.ba04.d6ab    DYNAMIC     Gi0/1
  10    0800.20a0.576b    DYNAMIC     Gi0/1
   1    0050.538d.2800    DYNAMIC     Fa0/16

if i wanted to put the smack down on the device with mac address
0030.194c.9f00 on fa0/23 but i had several devices strung off that
port on the switch, i'd put a mac-address acl in place. then start
the manual and painful hunt for the offending device. if there's a
mess of hubs and such strung together start the binary tree search for
the device with a laptop and access to yank cables. let this be a
lesson as to why flat L2 networks are bad things. ;-)

here's a config snippet for the mac acl.

mac access-list extended foo
 deny   host 0030.194c.9f00 any
!
interface FastEthernet0/23
 description -> c6400-2-nsp - e0/0/0
 switchport access vlan 10
 switchport mode access
 mac access-group foo in
 spanning-tree portfast
!

if you lack switching infrastructure capable of doing something along
these lines ... well, i'm sorry.

> -----Original Message-----
> From: Brian [mailto:lxy at cloudnet.com]
> Sent: Thursday, April 22, 2004 2:19 PM
> To: tclug-list at mn-linux.org
> Subject: [TCLUG] Tracking down a MAC address
>
>
> The other day we had a NIC broadcasting some bogus IPX SAP info. I
> got the MAC address because our Netware servers were all displaying
> the MAC info while complaining.
>
> Using all the tools at hand, I was unable to track it down. I
> viewed the router's ARP table, no luck there. I narrowed it down to
> one ethernet segment and started up ethereal. No luck, this MAC
> address wasn't showing up anywhere.
>
> Is there a good tool to view all the MAC addresses connected to a
> specific segment?

{ snipped - misc .signatures }

--
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7 AE5F 4FD4 07C9 133B FAFC

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
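
An added example, not part of the original message or its author's tooling: a Python sketch that parses the `sh mac-address-table dynamic` output shown in the reply and reports the VLAN and port where a given MAC was learned, along with any other MACs learned on that same port (the "several devices strung off that port" case, where the hunt continues downstream). The function names are hypothetical and the sample input is copied from the table in the message.

```python
import re
from collections import defaultdict

# Sample input: the table rows from the message above (banner lines trimmed).
SAMPLE = """\
mgmt-sw2#sh mac-address-table dynamic
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0005.ddc0.9901    DYNAMIC     Fa0/18
  10    000d.6535.ec71    DYNAMIC     Fa0/2
  10    000f.249a.43a0    DYNAMIC     Fa0/1
  10    0030.194c.9f00    DYNAMIC     Fa0/23
  10    00d0.ba04.d6ab    DYNAMIC     Gi0/1
  10    0800.20a0.576b    DYNAMIC     Gi0/1
   1    0050.538d.2800    DYNAMIC     Fa0/16
"""

# One table row: vlan, dotted MAC, entry type, port. Prompt/header/rule lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def norm_mac(mac):
    """Reduce dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return (vlan, mac, type, port) tuples for every row in the switch output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), norm_mac(m.group(2)), m.group(3), m.group(4)))
    return rows

def locate(text, mac):
    """List each vlan/port where `mac` was learned, plus other MACs seen on that port."""
    rows = parse_table(text)
    target = norm_mac(mac)
    by_port = defaultdict(list)
    for _vlan, m, _type, port in rows:
        by_port[port].append(m)
    return [{"vlan": vlan, "port": port,
             "shared_with": [x for x in by_port[port] if x != target]}
            for vlan, m, _type, port in rows if m == target]
```

An empty `shared_with` means the port is a candidate for a single attached device; a non-empty one (as for `Gi0/1` in the sample) points at an uplink, hub or downstream switch to check next.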