9 Replies Latest reply on Dec 28, 2015 12:40 PM by dlunsford214

    Need a UDT report that shows MAC addresses that have moved


      I know that I can use the OOB report named "UDT: All Endpoints" to see what MAC addresses and IPs are attached to what switch port at any point in time.


      What I need is to have a report that will list any MAC address/IP address that has moved switch ports during whatever time period I designate.


      The intention is to use this report to make sure that as we proceed with replacing old switches, we are able to plug endpoints back into the same port number as before and document it when something has moved.


      Any ideas? I could do this by exporting the report into Excel and doing some sorting, but I would rather have a report.


      Thanks for helping me.

          • Re: Need a UDT report that shows MAC addresses that have moved



            I confess I'm no UDT user.  When I need that kind of information I'm forced to do a ping sweep of the segments on a switch, then run Switch Port Mapper against the switch (and its routing interface, probably upstream, for the ARP tables).  Then I save that information in Excel format and compare it to a later duplicate process run after a switch has been replaced.


            I'm certain UDT is the way to go for you, but I wanted you to know you're not being ignored.  My way isn't a great one, but it can do the job for you until you find the right report response from a UDT expert.


            Swift Packets!


            Rick S.

              • Re: Need a UDT report that shows MAC addresses that have moved
                Craig Norborg

                Well, you can get this info out of UDT as-is.  If you search by a MAC address, it will give you a history.  But I'm guessing you're looking for a report that will take a given switch and report on the MACs that have moved on that switch, or even possibly to a new switch?  Right off hand I can't think of an easy way to do that in a good way, I think a lot depends on exactly how you define the problem.


                Check this query out for example.  I take a specific switch ("SelectedSwitchName" in red) and get the last week's worth of MAC addresses seen on that switch.   I then do a search over the previous month for where these MAC addresses have been.   Just on the one switch I was playing with I have 597 rows of data as a result.


                SELECT DISTINCT PortID, PTEH.Endpoint.MACAddress, PTEH.Port.Name, PTEH.Port.Node.SysName
                FROM Orion.UDT.PortToEndpointHistory PTEH
                WHERE (PTEH.LastSeen > AddMonth(-1, GetDate()))
                  AND (PTEH.Endpoint.MACAddress IN (
                        SELECT PTEH2.Endpoint.MACAddress FROM Orion.UDT.PortToEndpointHistory PTEH2
                        WHERE (PTEH2.Port.Node.Sysname LIKE 'SelectedSwitchName%') AND (PTEH2.LastSeen > AddWeek(-1, GetDate()))))
                ORDER BY PTEH.Endpoint.MACAddress, PTEH.Port.Node.Sysname, PortID, PTEH.Port.Name


                Now, you might be wondering why I don't have the date at which the MAC was seen as one of the fields.  I purposely removed it in order to get the DISTINCT I have to function.  The problem is that UDT goes out and discovers what's on your switchports on a schedule that you can set.   If you set this interval too far apart, you can miss it when something goes from one switchport to another and then back again.   If you set it too often, you will not only make your server busy, but you'll gather a ton of data.  On the switch I was working with, removing the DISTINCT and adding the date/time when the port was seen blew it up from 597 rows to about 25000.


                Part of my problem is that I am monitoring uplink ports, which means that not only is the MAC seen on the switchport it is actually on, but it will be seen on all the uplinks too.   Then you have clients that can easily go from switch to switch, namely wireless ones.


                I guess what I'm getting at is that unless things are done in a very particular way - things like no uplinks monitored, no access-point ports monitored, etc. etc. you will probably end up with more data than you wanted.  And the data IMHO has limited usability without the datestamp on it, which blows the data up even more so...


                Maybe if you put more restrictions on it than I had, it might help.   But even cutting the timeframe from a Month to a Week only took it from 597 rows to 549 rows.


                So, unless someone can better think of how to constrain the data that would be returned, I'm giving up on this one.

                  • Re: Need a UDT report that shows MAC addresses that have moved

                    That's good input Craig. Thanks.


                    I don't know if it helps to get to a final solution, but what I want to do is use this report to make sure that when we replace a switch, we can certify that the connections for the new switch are exactly the same as the ones on the old switch. We just want to make sure a tech did not get sloppy when plugging cables in the new switch. I'm sure a report that shows a current snapshot of the MAC to port information is easy. I want a report that automagically shows any MACs that are not where they were at some designated point in the past.

                      • Re: Need a UDT report that shows MAC addresses that have moved
                        Craig Norborg

                        Yea, the only problem with that is that someone out there has to translate "automagic" into actual code!!  :-)


                        And getting a report with hundreds of rows tends to hurt more than it helps.   Just trying to show the difficulties in doing what you want. 


                        I'm tending to agree with getting a copy of the Engineer's toolkit, run the switchport mapper to get a "Before" snapshot and manually compare it with the "after" snapshot.


                        When I used to work at a job that did a bunch of replacing due to out-of-date or off-lease switches, we would take a quick look at the switch ahead of time to look for ports that had any sort of special configuration - like a different VLAN, and keep a copy of only those ports and their configurations.  Otherwise we didn't really care if they changed ports.
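
The "before" and "after" snapshot comparison suggested in the replies above, scripted instead of done by hand in Excel. This is an added example, not part of the original thread and not SolarWinds code. The `Port,MAC` CSV layout, the sample rows and the `max_macs_per_port` threshold for skipping uplink and access-point ports are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed snapshots of one switch; the Port,MAC layout is an assumption.
BEFORE = """Port,MAC
Gi1/0/1,00:1A:2B:3C:4D:01
Gi1/0/2,00:1A:2B:3C:4D:02
Gi1/0/3,00:1A:2B:3C:4D:03
Gi1/0/48,00:50:56:AA:00:01
Gi1/0/48,00:50:56:AA:00:02
Gi1/0/48,00:50:56:AA:00:03
"""
AFTER = """Port,MAC
Gi1/0/1,001a.2b3c.4d01
Gi1/0/3,001a.2b3c.4d02
Gi1/0/4,001a.2b3c.4d04
Gi1/0/48,0050.56aa.0001
Gi1/0/48,0050.56aa.0002
Gi1/0/48,0050.56aa.0004
"""

def norm_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def load(text, max_macs_per_port=2):
    """Return {mac: port}; ports with more MACs than the limit are skipped."""
    by_port = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_port[row["Port"].strip()].add(norm_mac(row["MAC"]))
    return {mac: port for port, macs in by_port.items()
            if len(macs) <= max_macs_per_port for mac in macs}

def diff(before, after):
    """Classify MACs as moved, missing or new between two snapshots."""
    moved = {m: (before[m], after[m]) for m in before.keys() & after.keys()
             if before[m] != after[m]}
    missing = {m: before[m] for m in before.keys() - after.keys()}
    new = {m: after[m] for m in after.keys() - before.keys()}
    return moved, missing, new

if __name__ == "__main__":
    for label, found in zip(("moved", "missing", "new"), diff(load(BEFORE), load(AFTER))):
        print(label, dict(sorted(found.items())))
```

Raising `max_macs_per_port` lets ports with a phone and a PC behind them through; the uplink on Gi1/0/48 is dropped in both snapshots, so churn in the MACs learned there does not appear in the result.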

                      • Re: Need a UDT report that shows MAC addresses that have moved

                        Is there a way to simply list unique/distinct MAC addresses that have connected to the network over a given time (say a quarter)?


                        I need to do some security reports using that data.


                        Ideally I would like to correlate that data with the output from the rogue AP report to see if any of those MAC addresses also showed up on LAN switches.


                        Since network locations include airport terminals, the rogue AP list is in the thousands, so automating this as much as possible would be pretty awesome.