How to find source of MAC-address

Answered Question
Feb 4th, 2010

Hi, imagine someone reports that in the company network a management alarm shows a certain machine which broadcasts to bootp and the only info available is the MAC address.

Does anyone have a good methodology on how to track and find a node given only the MAC address info?

Giuseppe Larosa Thu, 02/04/2010 - 12:51

Hello Marlon,

the best way is to start from the distribution/core switches of the campus network

Edit:

step0 if starting from an IP address

telnet to default gateway of given IP address A.A.A.A

sh ip arp | inc A.A.A.A

using

step1

sh mac address-table address HHHH.HHHH.HHHH

OR

sh mac-address-table address HHHH.HHHH.HHHH

( IOS release dependent)

catOS

sh cam HH-HH-HH-HH-HH-HH

you can find out the interface on which the mac address has been learned

step2

if CDP is enabled you can find out what access switch the MAC address is learned from

sh cdp n typex/y

sh cdp n x/y (catos)

step3

telnet to that switch and repeat step1

do this until you find an access port where the device is located.

if CDP is not enabled you should look at sh run interface typex/y and at the description to see what switch is on that port of the core/distribution switch.

this method works well.

Hope to help

Giuseppe
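Giuseppe's step1/step2/step3 walk as a script, added here as an example and not code from the thread: it reads the two 'show mac address-table' layouts and the 'show cdp neighbors' rows posted in this thread from constructed captures (hostnames are the thread's; the 0015.2100.0001 entry and port Gi0/5 are made up) and stops on an access port, a missing CAM entry, or a loop such as the gw1/sw/gw2 trail that appears further down.

```python
# Constructed captures modelled on the outputs posted in this thread (not real devices): per
# hostname, the MAC-table output and, per port, 'show cdp neighbors'. 0015.2100.0001 is made up.
CDP_HDR = "Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID\n"
SW_ROW = "mysite-suc-sw.c    Fas 3/2           121           S I      WS-C2960- Gig 0/1\n"
GW2_ROW = "mysite-suc-gw2.c   Gig 0/2           166             R S I  WS-C4507R Fas 3/2\n"
CAPTURES = {
    "mysite-suc-gw1": {"mac": "   3    0015.211c.1e89   dynamic ip    FastEthernet3/2\n"
                              "   3    0015.2100.0001   dynamic ip    FastEthernet3/2\n",
                       "cdp": {"FastEthernet3/2": CDP_HDR + SW_ROW}},
    "mysite-suc-sw": {"mac": "   3    0015.211c.1e89    DYNAMIC     Gi0/2\n"
                             "   3    0015.2100.0001    DYNAMIC     Gi0/5\n",
                      "cdp": {"Gi0/2": CDP_HDR + GW2_ROW, "Gi0/5": ""}},  # Gi0/5: no neighbour
    "mysite-suc-gw2": {"mac": "   3    0015.211c.1e89   dynamic ip    FastEthernet3/2\n",
                       "cdp": {"FastEthernet3/2": CDP_HDR + SW_ROW}},
}

def learned_port(mac_table, mac):
    # Port column is last in both the 4500 and the 2960 layouts; None if the
    # entry is absent (a silent host is aged out of the CAM table after 300 s).
    for fields in (line.split() for line in mac_table.splitlines()):
        if len(fields) >= 3 and fields[1].lower() == mac.lower():
            return fields[-1]
    return None

def cdp_neighbor(cdp_output):
    # Hostname of a switch (S) or router (R) neighbour on the row under the
    # 'Device ID' header; None when nothing is there, i.e. an access port.
    lines = cdp_output.splitlines()
    for i, line in enumerate(lines[:-1]):
        row = lines[i + 1].split()
        if line.startswith("Device ID") and row and ("S" in row or "R" in row):
            return row[0].split(".")[0]  # drop the (truncated) domain suffix
    return None

def trace_mac(mac, captures, start):
    # Walk step1/step2/step3 of the procedure: MAC table -> port -> CDP neighbour,
    # until an access port, a missing entry, or a device seen before (a loop).
    path, device, seen = [], start, set()
    while device not in seen:
        seen.add(device)
        port = learned_port(captures[device]["mac"], mac)
        if port is None:
            return ("not_learned", device, None, path)
        nxt = cdp_neighbor(captures[device]["cdp"].get(port, ""))
        path.append((device, port, nxt))
        if nxt is None:
            return ("access_port", device, port, path)
        device = nxt
    return ("loop", device, None, path)
```

A "loop" result means the MAC is only ever seen on trunk/uplink ports, which is exactly the dead end reported in the reply below; a "not_learned" result on an intermediate switch usually means the entry aged out between two lookups.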

news2010a Thu, 02/04/2010 - 14:09

mysite-suc-gw1#show mac-address-table address 0015.211c.1e89

mysite-suc-gw1#

vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
   3    0015.211c.1e89   dynamic ip                    FastEthernet3/2


mysite-suc-gw1#show cdp neig f3/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
mysite-suc-sw.c    Fas 3/2           121           S I      WS-C2960- Gig 0/1

mysite-suc-gw1#


Observation: I have 2 other 2960 switches connected via trunk to such mysite-suc-sw with all ports also on vlan3.
I did 'show mac-address-table' and 'show arp' on them and I see no MAC 0015 there though.

mysite-suc-sw#show mac address-table address 0015.211c.1e89
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    0015.211c.1e89    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 1


So this points to the secondary layer 3 switch which is doing routing. If I repeat the process, I will go back to seeing the MAC learned from mysite-suc-sw port f3/2.


mysite-suc-sw#show cdp neig g0/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
mysite-suc-gw2.c   Gig 0/2           166             R S I  WS-C4507R Fas 3/2

So at this point I still can't see the switchport the broadcast MAC is coming from. Any idea what I am missing? I imagine the MAC address could be learned via the other (2) 2960 connected to mysite-suc-sw, but again I did show-mac-address and show arp for every switch and I still don't see the access port listed there.

Correct Answer
Giuseppe Larosa Thu, 02/04/2010 - 14:29

Hello Marlon,

is DHCP service enabled in vlan3 or not?

if it is not enabled the device is simply trying to get an answer from a DHCP server with bootp.

Unfortunately, not getting an answer, it will be silent and will be removed from CAM tables within 300 seconds.

check also with

sh ip arp | inc 0015.211c.1e89

on layer 3 devices only; the C2960 cannot have it in the ARP table unless their management IP address is in the same Vlan 3.

Another important tool in this kind of search is to identify the vendor from the first 3 bytes of the MAC address (OUI):

http://standards.ieee.org/regauth/oui/index.shtml

by inserting the OUI in the format HH-HH-HH or simply HHHHHH,

that is 001521 in your case, we get:

00-15-21   (hex)          Horoquartz
001521     (base 16)          Horoquartz
                    BP 251
                    FONTENAY LE COMTE VENDEE 85205
                    FRANCE

looking for the web page of this company, you can discover they also sell badge readers for access control.

Well, it is also possible that some device has a fake MAC address and is using this OUI.

Or someone has installed a device from that company.

Hope to help

Giuseppe
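The OUI step and the fake-MAC caveat above, as an added Python example that is not from the thread: it parses the '(hex)' lines of the IEEE listing in the layout quoted above (the Horoquartz entry is the thread's; the AA-BB-CC entry is a constructed placeholder), normalises a MAC written in IOS dotted, colon or dash form, and reports the locally-administered bit of the first octet, which is set when an address was assigned in software rather than burned in by the vendor.

```python
import re

# Constructed excerpt in the layout of the IEEE OUI text listing quoted above.
# Only the Horoquartz entry is from the thread; AA-BB-CC is a placeholder.
OUI_TEXT = """
00-15-21   (hex)          Horoquartz
001521     (base 16)          Horoquartz
                    BP 251
                    FONTENAY LE COMTE VENDEE 85205
                    FRANCE

AA-BB-CC   (hex)          Example Vendor (placeholder entry)
AABBCC     (base 16)          Example Vendor (placeholder entry)
"""

# One '(hex)' line per OUI: three dash-separated octets, the tag, the vendor name.
HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.M)

def parse_oui_listing(text):
    """Map 'HHHHHH' -> vendor name from the '(hex)' lines of the listing."""
    return {a + b + c: vendor for a, b, c, vendor in HEX_LINE.findall(text)}

def normalize_mac(mac):
    """Accept HHHH.HHHH.HHHH (IOS), HH:HH:HH:HH:HH:HH, HH-HH-HH-HH-HH-HH or bare
    hex and return 12 upper-case hex digits; reject anything not 48 bits long."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def describe_mac(mac, oui_db):
    """Vendor from the OUI plus the two address-type bits of the first octet."""
    digits = normalize_mac(mac)
    first = int(digits[:2], 16)
    return {
        "oui": digits[:6],
        "vendor": oui_db.get(digits[:6]),                # None: OUI not in the listing
        "locally_administered": bool(first & 0x02),     # set on software-assigned MACs
        "multicast": bool(first & 0x01),                 # never a real source address
    }
```

A vendor hit with the locally-administered bit clear, as for 0015.211c.1e89 here, is the normal burned-in case; a set bit means the OUI tells you nothing reliable about the hardware.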

news2010a Thu, 02/04/2010 - 14:38

Hey, thanks for all this info.


Yes, I see that on both layer 3 4507's, under int vlan 3 SVI I do have ip-helper configured correctly.

I did 'sh ip arp | inc 0015.211c.1e89' on both 4507's and I got nothing. So yes, it is known that devices are rebooting in a loop because there are lots of bootp messages on the monitoring tool.

So it seems from here I will ask the techies to search for that model of device possibly rebooting because it seems I can't do more than this.

Thanks again.
