6

I have a Cisco Catalyst that has a port that is up up, and the device does not show in the ARP table. The MAC address-table shows a MAC address for the port. What can I do from that switch to find out what the device is?

Ron Maupin
  • 98,218
  • 26
  • 115
  • 191
Kendrick
  • 351
  • 1
  • 11
  • If you know what IP scope the device is located in, for instance by checking what VLAN it's assigned to, scanning the network subnet (with an IP scanner) might help updating the ARP and therefore show what IP is assigned to that device. I use this on a weekly basis in order to find devices which has the problem you describe. –  Oct 27 '17 at 05:54
  • no knowledge of what ip its trying to grab it doesn't match the vlan etc. it may be any thing from a forgotten ipcam that reset back to factory defaults to an illegal device that some one tried to put on the network. – Kendrick Oct 28 '17 at 04:20

3 Answers3

5

ARP is a protocol to resolve a layer-3 address to a layer-2 address. If there is no layer-3 address assigned to the device, then ARP cannot help you.

Apparently, the device is sending frames because the MAC address shows in your MAC address table. You can check the OUI to see the NIC manufacturer of the device. You could also try CDP and LLDP to see if the device responds to either of those.

Ron Maupin
  • 98,218
  • 26
  • 115
  • 191
  • It would not normally respond to cdp lldp unfortunatly. Some of the ip cams will show up in the power statistics that way to. – Kendrick Oct 28 '17 at 04:22
  • LLDP is the industry standard for discovery. There really is nothing else to help you. – Ron Maupin Oct 28 '17 at 06:28
  • Is it a possibility to add a mirrored port and then use a packet sniffer to read the frames and see what ip address they claim to be from? or would a switch vlan not care what ip address the machine tries to claim. ie vlan1=10.1.1.0 and mystery device = 192.168.1.2 at which point the arp on the cisco could see the 192.168.1.2 address regaurdless of what the vlan is being used for just not route the traffic? – Kendrick Nov 08 '17 at 15:35
  • Maybe, if the device actually has an IP address assigned, but this seems like a lot of work. I know your question is about finding it using the switch, but if you are going to go to all this trouble, wouldn't it be easier to look in the DHCP server, or check the ARP table on the router? – Ron Maupin Nov 08 '17 at 15:39
  • I was asking the question from the prospective of some one gets hired to replace the 1 it guy in the shop who designed every thing and never documented any thing, and then the switch gets wiped/damaged. Some devices are set statically for example 3 of the 4 security cameras have a static ip out of the box and if the device resets to default or something wierd you then don't know what ip it is using w/o the box. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swlldp.html for the lldp commands. – Kendrick Nov 08 '17 at 16:09
  • I assume you mean the IP address, not IP (Internet Protocol), it is using. If the device with a static IP address gets reset, then it either has a predefined IP address, doesn't have an IP address, or it requests one from a DHCP server if one is available. Probably only if it gets one from a DHCP server could you reach the device by IP address. If the switch gets wiped, then the device IP address probably doesn't really matter since it will probably not match the network it is now on, meaning it is unreachable by IP address, anyway. knowing the address on the wrong network doesn't really help. – Ron Maupin Nov 08 '17 at 17:04
0

It looks like you can configure Link Layer Discovery Protocol on endpoint computers, Windows 10, and other Windows systems as well.

This would be your best bet as LLDP would give you rich info.

Ronnie Royston
  • 4,379
  • 1
  • 12
  • 28
0

You mention it's a multilayer switch but don't say if the VLAN this device is in has an associated Layer 3 interface / IP on this switch. The device may be sending frames but if it doesn't have a Layer 3 interface to talk with on that VLAN, there will be no ARP entry. You could try enabling IP Device Tracking which will initiate ARP probes out the Layer 2 interface. The result is a Layer 3 address can be stored as being associated with the Layer 2 interface/ MAC, without the ARP table.

globally   --> ip device tracking 
interface  --> ip device tracking maximum 10 
show ip device tracking all
HostBits
  • 636
  • 3
  • 7
  • all vlans would have an associated vlanX internal address for routing. I only had 1 layer 3 trunk for accessing the border router – Kendrick Oct 28 '17 at 04:24