duplicate mac address switchport

Authority
Posts: 18

How do I pull a report that shows duplicate MAC addresses on a switchport? I'm looking to find all unmanaged switches on an enterprise network. Is there a way that you could report by attached device type and have Infoblox identify what is attached?

Re: duplicate mac address switchport

Authority
Posts: 72

You can report on all switches and what is attached to them and we'll display MAC, IP and in certain cases user. If the same MAC moves from one switch port to another, we'll report on that also. Would you clarify whether that is what you want? I'm not following the request for "unmanaged switches".

Dave

@DaveSignori

Re: duplicate mac address switchport

Authority
Posts: 18

An unmanaged switch is a dumb switch, a switch a user would buy from Best Buy like a linkedin switch, not a Cisco or HP managed switch that runs IOS. I'm looking for a way to find a managed switch that has duplicate MACs behind one port, which would suggest that an unmanaged switch is connected to that access port, houses multiple network devices behind itself, and is attached to an access port on a managed switch, like a Cisco switch, where you can set ports to trunk/access port. Is there a report, or a way to run this, if your managed switches are already discovered?

Re: duplicate mac address switchport

Authority
Posts: 72

Got it.  Which Infoblox products do you have?  Network Insight?  NetMRI?

@DaveSignori

Re: duplicate mac address switchport

Authority
Posts: 18

We have an Insight.

Re: duplicate mac address switchport

ksharif Employee
Posts: 2

 

This is somewhat of a loaded question... the simple answer is no, you cannot see the device either in the Devices view or along the IPAM space.

The reason is, as far as Network Insight is concerned, the world is IP-centric, meaning that its view essentially sees the world at layer 3, and your Best Buy 8-port switch is really 'bridging' at layer 2 and therefore lives within the same IP address space.

That said, there are plenty of situations where we do identify this sort of virtual daisy chain, such as when a switch is plugged into a SIP phone and then into an end host. For those situations where we support the hardware... we recognize the phone.

As for identifying the hidden device... based on the traffic in ARP and/or route tables, we can glean the fact that any given interface on a managed switch is attached to multiple MAC addresses down the line (assuming the switch isn't claiming it's a trunk port). We can flag this given certain criteria (like the other end isn't a VM host server) and infer there must be some other device in between multiplexing those MAC addresses.

As a matter of fact, we do just that in NetMRI: we have a network issue called 'DownstreamHuborSwitch' which is raised in exactly this case. For those customers who have purchased NCCM, they can then have a triggered job take some sort of remedial action... say, turn off the port and change the description as to why the automated action was taken. It would be wise to restrict this sort of logic to CIDRs of known end hosts... like, say, a dormitory for a college where you don't want the users adding random equipment.

This same interface information could be inferred from the interface information stored in the end host history report within Network Insight (more specifically, the 'switch / device' MAC address showing up alongside many end host entries). The caveat being you must have the report server on your grid.

So the not-so-simple answer is, you can probably find a way to pretty accurately flag suspicious ports in NI.

Re: duplicate mac address switchport

Authority
Posts: 18

I have a reporting server on our Grid, and an Insight box that discovers our networks and devices. I just couldn't find a report to pull that would show me that type of information. What is the specific name of the report, or do I need to download and configure this report?

Re: duplicate mac address switchport

[ Edited ]
ksharif Employee
Posts: 2

So I took a look at the reports themselves and the fields are a 'little' different than I described in my first post.

 

The report you are interested in is the 'End Host History' report. Clone this before you begin working and you can edit it in 'search' mode.

 

The fields you are interested in are (key names in the schema are in ()):

 

  • MAC Address (end_host_mac_address)
  • IP Address (end_host_ip_address)
  • Device Name (switch_name)
  • Device Interface (switch_interface)

 

and remove the 'dedup' (de-duplication) entry at the top and edit the lists to include only the above values' index keys. You can also remove the entire 'rename' section if you like, but alter the table statement to match your changes.

Once you have the query looking as you want it and it's returning data, start looking for the data scenario where you have multiple end hosts on the same switch_interface... that's your indication that there is bridging going on at the layer 2 level.
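The check described in the post above, written out as an added example that is not part of the original thread and is not Infoblox code. It assumes the cloned report has been exported to CSV with the schema keys from the post as column headers; the sample rows, the `min_macs` threshold (3, so a phone plus a PC on one port is not flagged) and the `ignore_ports` allow-list for known uplinks are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; column names are the schema keys listed in the post.
SAMPLE_CSV = """end_host_mac_address,end_host_ip_address,switch_name,switch_interface
00:11:22:AA:BB:01,10.20.1.11,dorm-sw1,Gi1/0/5
0011.22aa.bb01,10.20.1.11,dorm-sw1,Gi1/0/5
00-11-22-AA-BB-02,10.20.1.12,dorm-sw1,Gi1/0/5
00:11:22:aa:bb:03,10.20.1.13,dorm-sw1,Gi1/0/5
00:11:22:aa:bb:10,10.20.1.20,dorm-sw1,Gi1/0/6
00:11:22:aa:bb:20,10.20.1.30,dorm-sw1,Gi1/0/7
00:11:22:aa:bb:21,10.20.1.31,dorm-sw1,Gi1/0/7
00:11:22:aa:bb:30,10.20.9.5,dorm-sw1,Gi1/0/48
00:11:22:aa:bb:31,10.20.9.6,dorm-sw1,Gi1/0/48
00:11:22:aa:bb:32,10.20.9.7,dorm-sw1,Gi1/0/48
"""

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    return digits.lower() if len(digits) == 12 else None

def suspicious_ports(rows, min_macs=3, ignore_ports=frozenset()):
    """Return {(switch, interface): sorted MACs} for ports with >= min_macs distinct MACs."""
    seen = defaultdict(set)
    for row in rows:
        port = (row["switch_name"].strip(), row["switch_interface"].strip())
        mac = normalize_mac(row["end_host_mac_address"])
        # With 'dedup' removed the same host appears many times; the set counts it once.
        if mac and port not in ignore_ports:
            seen[port].add(mac)
    return {p: sorted(m) for p, m in seen.items() if len(m) >= min_macs}

def analyze(csv_text, **kwargs):
    """Parse a CSV export held in a string and return the flagged ports."""
    return suspicious_ports(csv.DictReader(io.StringIO(csv_text)), **kwargs)

if __name__ == "__main__":
    uplinks = {("dorm-sw1", "Gi1/0/48")}  # assumed known trunk/uplink port
    for (sw, intf), macs in sorted(analyze(SAMPLE_CSV, ignore_ports=uplinks).items()):
        print(f"{sw} {intf}: {len(macs)} MACs -> {', '.join(macs)}")
```

Lowering `min_macs` to 2 also surfaces phone-plus-PC ports, which is useful on segments where no daisy-chained device is expected at all.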

Re: duplicate mac address switchport

Authority
Posts: 18

Is that the specific name of the canned report?  I am unable to find that in my default list of canned reports on our reporting server.
