How to find source of MAC-address

Feb 4th, 2010

Hi, imagine someone reports that in the company network a management alarm shows a certain machine which broadcasts to bootp, and the only info available is the MAC address.


Does anyone have a good methodology on how to track and find a node given only the MAC address?

Giuseppe Larosa Thu, 02/04/2010 - 12:51

Hello Marlon,

the best way is to start from the distribution/core switches of the campus network


Edit:

step0 if starting from an IP address

telnet to default gateway of given IP address A.A.A.A

sh ip arp | inc A.A.A.A


step1

using

sh mac address-table address HHHH.HHHH.HHHH

OR

sh mac-address-table address HHHH.HHHH.HHHH


( IOS release dependent)


catOS


sh cam HH-HH-HH-HH-HH-HH


you can find out the interface on which the mac address has been learned


step2


if CDP is enabled you can find out what access switch the MAC address is learned from


sh cdp n typex/y


sh cdp n x/y (catos)


step3


telnet to that switch and repeat step1


do this until you find an access port where the device is located.


if CDP is not enabled you should look at sh run interface typex/y and at the description to see what switch is on that port of the core/distribution switch.


this method works well.


Hope to help

Giuseppe

news2010a Thu, 02/04/2010 - 14:09
User Badges:

mysite-suc-gw1#show mac-address-table address 0015.211c.1e89

mysite-suc-gw1#

vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
   3    0015.211c.1e89   dynamic ip                    FastEthernet3/2



mysite-suc-gw1#show cdp neig f3/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
mysite-suc-sw.c    Fas 3/2           121           S I      WS-C2960- Gig 0/1

mysite-suc-gw1#



Observation: I have 2 other 2960 switches connected via trunk to mysite-suc-sw, with all ports also on vlan 3.
I did 'show mac-address-table' and 'show arp' on them and I see no MAC 0015 there though.



mysite-suc-sw#show mac address-table address 0015.211c.1e89
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    0015.211c.1e89    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 1



So this points to the secondary layer 3 switch, which is doing the routing. If I repeat the process, I will go back to seeing the MAC learned from mysite-suc-sw port f3/2.


mysite-suc-sw#show cdp neig g0/2
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
mysite-suc-gw2.c   Gig 0/2           166             R S I  WS-C4507R Fas 3/2



So at this point I still can't see the switchport the broadcasting MAC is coming from. Any idea what I am missing? I imagine the MAC address could be learned via the other (2) 2960s connected to mysite-suc-sw, but again I did 'show mac-address-table' and 'show arp' on every switch and I still don't see the access port listed there.

Correct Answer
Giuseppe Larosa Thu, 02/04/2010 - 14:29

Hello Marlon,

is DHCP service enabled in vlan3 or not?


if it is not enabled the device is simply trying to get an answer from a DHCP server with bootp.

Unfortunately, not getting an answer, it will be silent and will be removed from the CAM tables within 300 seconds


check also with


sh ip arp | inc 0015.211c.1e89


on layer 3 devices only: the C2960 cannot have it in its ARP table unless its management IP address is in the same Vlan 3.


Another important tool in this kind of search is to identify the vendor from the first 3 bytes of the MAC address (OUI)


http://standards.ieee.org/regauth/oui/index.shtml


by inserting the OUI in the format HH-HH-HH or simply HHHHHH,


that is 001521 in your case, we get:


00-15-21   (hex)          Horoquartz
001521     (base 16)          Horoquartz
                    BP 251
                    FONTENAY LE COMTE VENDEE 85205
                    FRANCE


looking at the web page of this company, you can discover they also sell badge readers for access control.


Well, it is also possible that some device has a fake MAC address and is using this OUI.


Or someone has installed a device from that company.


Hope to help

Giuseppe
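
Added example (Python, not from the thread): the hop-by-hop search from Giuseppe's first reply and the OUI extraction for the IEEE lookup, run offline against the CLI body lines quoted above. mysite-suc-gw1's and mysite-suc-sw's lines are as posted; mysite-suc-gw2's two captures and the 0015.211c.aaaa host on Gi0/5 are constructed assumptions, the first to reproduce the loop the poster hit, the second to show an access-port hit.

```python
import re
# Constructed offline copies of the CLI body lines quoted in the thread (header rows omitted).
# gw1 and mysite-suc-sw are as posted; gw2's entries and the Gi0/5 host are assumptions.
MAC_TABLES = {
    "mysite-suc-gw1": "   3    0015.211c.1e89   dynamic ip                    FastEthernet3/2",
    "mysite-suc-sw": "   3    0015.211c.1e89    DYNAMIC     Gi0/2\n   3    0015.211c.aaaa    DYNAMIC     Gi0/5",
    "mysite-suc-gw2": "   3    0015.211c.1e89   dynamic ip                    FastEthernet3/2",
}
CDP_NEIGHBORS = {  # (switch, local port) -> data line of 'show cdp neighbors <port>'
    ("mysite-suc-gw1", "FastEthernet3/2"):
        "mysite-suc-sw.c    Fas 3/2           121           S I      WS-C2960- Gig 0/1",
    ("mysite-suc-sw", "Gi0/2"):
        "mysite-suc-gw2.c   Gig 0/2           166             R S I  WS-C4507R Fas 3/2",
    ("mysite-suc-gw2", "FastEthernet3/2"):
        "mysite-suc-sw.c    Fas 3/2           150           S I      WS-C2960- Gig 0/2",
}

def canonical(mac):
    """Normalise 00:15:21:1c:1e:89, 00-15-21-1C-1E-89 or 0015.211c.1e89 to IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def oui(mac):
    """First three bytes in the HH-HH-HH form the IEEE registry search accepts."""
    digits = canonical(mac).replace(".", "")
    return "-".join(digits[i:i + 2] for i in range(0, 6, 2))

def learned_port(table_output, mac):
    """Port column for a MAC in either 'show mac address-table' layout (the port is always last)."""
    for cols in (line.split() for line in table_output.splitlines()):
        if len(cols) >= 4 and cols[1].lower() == mac:
            return cols[-1]
    return None

def trace(mac, start, tables=MAC_TABLES, cdp=CDP_NEIGHBORS):
    """Hop along learned ports via CDP until an access port, a CAM miss, or a revisited switch."""
    mac, switch, seen, path = canonical(mac), start, set(), []
    while switch not in seen:
        seen.add(switch)
        port = learned_port(tables.get(switch, ""), mac)
        if port is None:
            return "not in CAM table (aged out or never seen here)", path
        path.append((switch, port))
        if (switch, port) not in cdp:  # no switch behind this port: it is the edge
            return "access port", path
        # CDP's Device ID column truncates the FQDN, so match on the host part only
        switch = cdp[(switch, port)].split()[0].split(".")[0]
    return "loop: MAC seen only on inter-switch links, entries likely stale", path
```

A path that returns to an already-visited switch means every CAM entry points at an uplink rather than an edge port, which is what you expect from stale entries once the silent host has aged out.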

news2010a Thu, 02/04/2010 - 14:38
User Badges:

Hey, thanks for all this info.


Yes, I see that on both layer 3 4507's, under the int vlan 3 SVI, I do have ip helper configured correctly.


I did 'sh ip arp | inc 0015.211c.1e89' on both 4507's and I got nothing. So yes, it is known that devices are rebooting in a loop, because there are lots of bootp messages on the monitoring tool.


So it seems from here I will ask the techies to search for that model of device, possibly rebooting, because it seems I can't do more than this.


Thanks again.
