The other day our Cisco Unity admin was inquiring about a device that had picked up an IP address, but wasn't registering with the system like a typical Cisco phone. He asked me to find out what the device was. Ooohhh....I do like a good mystery!!
First of all we need either the MAC or IP. In this case we knew the IP. Great! I can ping the address from my switch and maybe create an arp entry if there's not already one.
Access1# ping 10.11.12.13
Sending 5, 100-byte ICMP Echos to 10.11.12.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 67/68/75 ms
Access1#
Access1# s arp | i 10.11.12.13
Access1#
No arp entry for that IP?? Maybe it's on a different vlan?
Access1# s arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.168.1 129 0025.8e38.2390 ARPA Vlan1
Internet 10.44.66.10 - 0010.12bd.9c41 ARPA Vlan2
Internet 10.44.55.1 18 0025.8e38.2390 ARPA Vlan2
Access1#
I see two of these MACs are the same, that must be our gateway device. Hopefully you already know what that is. I'll try the arp entry there...
DistroLayer1# s arp | i 10.11.12.13
Internet 10.11.12.13 0 dc22.03f8.362f ARPA Vlan3
DistroLayer1#
Yes!!! Got the IP, the MAC, now we need to find the port. (Notice it was on a different vlan. ) Back to our access layer switch. It didn't have an arp entry, but, it will have a port associated with the MAC address....
Access1# show mac address-table | i dc22.03f8.362f
vlan3 dc22.03f8.362f STATIC Fa3/0/41
Access1#
Access1# s run int Fa3/0/41
Building configuration...
!
interface FastEthernet3/0/41
description Non-Power Device
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security violation restrict
power inline never....
----
----
Well, if it is a phone, it will need to have that "power inline never" command removed.
Let's run this command to see if it is a Cisco POE device...
Access1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
----
----
SEPDC2203F8362F Fas 3/0/41 179 H ATA 186 Port 1
SEP0026CADF1D40 Fas 2/0/38 120 H P M IP Phone Port 1
SEP0023EC86AE60 Fas 1/0/44 169 H ATA 186 Port 1.....
----
----
Eureka!!! It's an ATA (analog telephone adapter). At long last we've found our mystery device and we didn't even have to pick up the phone!
Now you're probably asking, "Why didn't the arp entry exist on the access layer switch if the device is plugged in there?" Don't forget that the arp broadcast domain stops at the gateway, which in my case is a distribution layer switch doing layer 3 (ip route command). So, if you need to ping or otherwise communicate with a device on another subnet or vlan the packets will have to get routed. The arp entry will exist on the device doing the routing.
That's why if you ping multiple devices on your network and look in your arp table (arp -a) you'll often see multiple IPs listed with the same MAC address listed. That's your local gateway.
Another tip, don't get fooled by a trunk ports to other switches. As in our case here, once I found the MAC on the distro layer switch, I could have started tracing it back to the source...
DistroLayer1# show mac address-table | i dc22.03f8.362f
vlan 3 dc22.03f8.362f DYNAMIC Gi0/2
DistroLayer1#
DistroLayer1# show cdp neighbors | i Gi0/2
DistroLayer1#
(Sometimes commands have different interface syntax...)
DistroLayer1# show cdp neighbors | i Gig 0/2
Device ID Local Intrfce Holdtme Capability Platform Port ID
3825.domain.com Gig 0/22 176 R S I 3825 Gig 0/0.1
Access1 Gig 0/2 154 S I WS-C3750- Gig 1/0/4
DistroLayer1#
This shows me that Gig 1/0/4 on my distro layer switch is connected to Gig 0/2 on my access layer switch. You can guess that these are trunk ports, but, "show interface trunk" would have shown us the trunk ports on each switch. I didn't bother doing this earlier since I knew no end devices were plugged into the distro layer switch.
Hope this helps! Email this link to a friend, thx.
I use trace mac ip 'ip_gateway' 'ip_of_traced_device' command on the core switch/l3 device
ReplyDelete