3 Replies Latest reply on Jun 3, 2010 2:17 PM by greg@solarwinds.net

    Identify, hunt down, and kill rogue machine

    frank@moneymailer.com

      Yesterday we started experiencing some weird behavior on the network... turns out someone brought a personal laptop to the office to listen to music...  that machine connected to the wireless network but unbeknownst to the user or my helpdesk it had ICS (Internet Connection Sharing) turned on on that NIC...  Other users started to complain that they'd lost access to the internet...  we identified the bad-machine by using NSLOOKUP on an affected machine...

      Now I have a MAC address of a machine that's causing problems on my network... Network Switch Mapper can find the MAC address on a port but what do I do if I have 22 Cisco switches on the network...

      Is there a way to figure out what port on what switch a MAC address is on with Engineer's Toolset or Orion NPM?  Something that can scan everything?

        • Re: Identify, hunt down, and kill rogue machine

          Frank - you can use the Workspace Studio's MACFinder gadget in the Engineer's Toolset to query all your access switches at the same time, then once it is found, right mouse click on the interface and disable it, or you could use our LanSurveyor product and add the Wireless MAC as a MAC address you never want on the network.

          Alternately, you could use Orion NCM to execute a script on all your APs (or a controller if they are thin) to not allow that MAC on the wireless...

          HTH,

          Greg

            • Re: Identify, hunt down, and kill rogue machine

              Greg,

              You are saying that the tool set has the ability to track down an IP to the switchport level?

                • Re: Identify, hunt down, and kill rogue machine

                  Indirectly; let me explain further...

                  Frank has a MAC Address he wants to find in his switches, which is not a problem because the MAC will be in the bridge table, and you can then find out if it is an access port or a trunk port. 

                  Since most applications obtain the IP Address for a given MAC from ARP Tables, you can do a very inaccurate lookup using those.  The Switch Port Mapper Gadget in the Toolset's Workspace Studio allows you to get the ARP Table from the switch (if it is L3) or a totally different device (one that will hopefully have its MAC in its ARP table).

                  The MAC Finder gadget does not do any IP Address lookups simply because it would have so much ARP table information that the MAC Address could possibly resolve to many IPs (gateways, Proxy ARPs, etc) that we would not know which one was correct.

                  HTH,

                  Greg
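
The lookup described in the thread (search every switch's bridge table for the MAC, then tell access ports from trunks) can be sketched offline against saved `show mac address-table` output. This is an added example, not part of the original thread or of any SolarWinds tool; the switch names, the sample tables and the MAC-count heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed `show mac address-table` output from three hypothetical switches.
TABLES = {
    "sw-core": """
        Vlan    Mac Address       Type        Ports
        ----    -----------       --------    -----
          10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/1
          10    0011.2233.4455    DYNAMIC     Gi1/0/1
          10    0011.2233.4466    DYNAMIC     Gi1/0/1
          10    0050.56aa.0001    DYNAMIC     Gi1/0/2""",
    "sw-access-1": """
          10    001a.2b3c.4d5e    DYNAMIC     Fa0/7
          10    0011.2233.4455    DYNAMIC     Fa0/8
          10    0011.2233.4466    DYNAMIC     Fa0/9
          10    0050.56aa.0001    DYNAMIC     Gi0/1""",
    "sw-access-2": """
          10    001a.2b3c.4d5e    DYNAMIC     Gi0/1
          10    0011.2233.4455    DYNAMIC     Gi0/1
          10    0011.2233.4466    DYNAMIC     Gi0/1
          10    0050.56aa.0001    DYNAMIC     Fa0/3""",
}
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def normalize_mac(mac):
    """Accept aa:bb:.., AA-BB-.. or aaaa.bbbb.cccc and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return (vlan, mac, port) for each bridge-table row; headers are skipped."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), normalize_mac(m[2]), m[3]) for m in matches if m]

def locate(mac, tables, max_macs_on_access_port=2):
    """Find every port that learned `mac`. Heuristic (an assumption of this sketch):
    a port with more than `max_macs_on_access_port` MACs is an uplink/trunk."""
    target, hits = normalize_mac(mac), []
    for switch, text in tables.items():
        rows = parse_table(text)
        per_port = Counter(port for _, _, port in rows)
        for vlan, learned, port in rows:
            if learned == target:
                kind = "access" if per_port[port] <= max_macs_on_access_port else "uplink"
                hits.append((switch, port, vlan, kind))
    return hits

if __name__ == "__main__":
    for hit in locate("00:1A:2B:3C:4D:5E", TABLES):
        print(*hit)
```

For a wireless client the trail ends at the access point's switch port, which carries every associated client's MAC and can exceed the threshold, so treat an "uplink" result on an AP-facing port as the place to continue on the AP or controller.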