4 Replies Latest reply on Nov 7, 2014 11:54 AM by RichardLetts

    Tracking unknown IP and MAC addresses: what product?

    akhasheni

      Say, a network discovery shows a new IP address and we figured out its Mac address via NMAP. What is the easiest way to track it down to a switch port it is physically connected to?

       

      • We do have SNMP monitoring of all of our switches via NPM 11. We don't have access to their dashboards with ARP tables as they're managed by another department. Is it possible to pull those ARP tables via SNMP? Can NPM do it?
      • Don't have NTM.
      • Not all of the physical interfaces on devices other than switches are monitored.
      • We do not have a physical network topology diagram (which port connects to what device etc.)

       

      So, is it possible to figure out what switch and what port a particular IP / MAC address combo is connected to, just via SNMP?

       

      Longer term, we'd like to inventorize our devices down to every interface and MAC address, so we could track down new ones and always know what our IP addresses are.

       

      What product(s) do we need for that?

       

      Thanks!

        • Re: Tracking unknown IP and MAC addresses: what product?
          RichardLetts

          NPM could poll for the ARP data, and might be fairly efficient at it, but the pollers would have to cope with possibly large volumes of data.

          note: if you have VRFS (we have well over 50) then polling arp data using SNMP will be challenging (and potentially very expensive), depending on which manufacturer you are using, and if it's a full vrf or vrf-lite.

           

          Solarwinds' IPAM product is fairly good at mapping IP<>MAC information, but it does not record the switch ports.

          Solarwinds' UDT product is ok at mapping IP<>MAC information, and MAC<>port information.

          both products lack an API, and have some fairly big limitations so I'd suggest thoroughly testing them in your environment before purchasing.

           

          If you would like an open-source package then Network Tracking Database | SourceForge.net is an alternative.

          1 of 1 people found this helpful
            • Re: Re: Tracking unknown IP and MAC addresses: what product?
              akhasheni

              NPM could poll for the ARP data, and might be fairly efficient at it, but the pollers would have to cope with possibly large volumes of data.

              Via Layer 3 topology?


               

              We're already polling for that (probably unwisely) and not getting full tables. On a switch with 20+ "up" ports, "NPM Network Topology" table only shows 10 connections of which five are L2 and show "unknown" interfaces. Something's not right here?

              note: if you have VRFS (we have well over 50) then polling arp data using SNMP will be challenging (and potentially very expensive), depending on which manufacturer you are using, and if it's a full vrf or vrf-lite.

              Not sure if we do, will look into it. We have about 10 switches with about 300 interfaces between them. A number of them are Cisco 3560 series managed by our "parent" department that allows us to poll them; trying to use snmpwalk to get ARP tables times out on theirs though while working on our own switches...

              snmpwalk -v 2c -c public 192.168.200.41 .1.3.6.1.2.1.3.1.1.2

              Solarwinds' IPAM product is fairly good at mapping IP<>MAC information, but it does not record the switch ports.

              Solarwinds' UDT product is ok at mapping IP<>MAC information, and MAC<>port information.

              both products lack an API, and have some fairly big limitations so I'd suggest thoroughly testing them in your environment before purchasing.

               

              If you would like an open-source package then Network Tracking Database | SourceForge.net is an alternative.

              Been looking at UDT and IPAM; didn't know about NTB, will look into it.

               

              Thank you Richard!

            • Re: Tracking unknown IP and MAC addresses: what product?
              Leon Adato

              While I am still coming up to speed on IPAM, if you check out our DEMO pages you can see that nodes are definitely mapped to ports

               

              Here's the UDT summary page:

              http://oriondemo.solarwinds.com/Orion/UDT/Summary.aspx

               

              And here's a "rogue" MAC that is connected to Fa0/0:

              http://oriondemo.solarwinds.com/Orion/UDT/EndpointDetails.aspx?NetObject=UE-MAC:VAL=78:f5:FD:A4:C5:BA