User Tracking on Cisco gears
Original Message
Name: Divyangi Anchan
Date: October 25, 2002 at 07:23:40 Pacific
Subject: User Tracking on Cisco gears

Comment: Hello all,

We are facing a situation at my work place and I would appreciate your inputs. We are trying to track down a user who is stealing an IP from our IP range. The machine is within our network, and behind an array of switches, all of which are behind a 6509 3rd Layer Switch (we route on the 6509). We have been able to get the MAC address of this machine, but would like to gather more information. I was told that there are methods to do user tracking on Cisco gear, I am not sure how on the 6509 and there on. We use Cisco IOS Version 12.1(8a)E4.

Here is a summary of the above information.
- Cisco Catalyst 6509 Switch divides the network say into A and B
- The machine stealing the IP is in network B.
- All machines in network B are behind different switches (depending on their location), which connect ultimately to the 6509. So, network B is a flat network. The switches are mostly Cisco 3500 and 2900 series switches.
- We use IOS Version 12.1(8a)E4.

If more information is required, do please let me know. I would appreciate any inputs / suggestions.

Thank you,
Divyangi

Response Number 2
Name: Divyangi
Date: October 25, 2002 at 08:05:02 Pacific

Reply: Hello Brian,

We have tried this, that's what yielded the MAC address. We have a VLAN setup, and that's all we can gather from the command. Is there some way in which we can gather exactly behind which switch the machine is sitting, besides a brute force technique of looking at each individual switch (since we have many)? I am unclear on this front, and not sure if it is even possible to do, hence asking such broad questions.

Thank you for your reply,
Divyangi

Response Number 3
Name: Brian
Date: October 25, 2002 at 08:12:41 Pacific

Reply:
> user who is stealing an IP from our IP range

Can you please explain what you mean? Stealing an IP from our IP range????

Response Number 4
Name: Divyangi
Date: October 25, 2002 at 08:20:22 Pacific

Reply: Hello Brian,

My apologies for that cryptic statement. Our policy is to assign IP addresses based on HW addresses. We use DHCP for IP request and assignment; however, since specific machines get specific IPs, you can call it pseudo-DHCP. We are noticing traffic from a machine that is grabbing an IP for which we have no entry in our DHCP and DNS tables. This is against our policy and we want to be able to track such cases to specific users in the future. I hope this makes that statement clearer.

Thank you for your prompt replies.
- Divyangi

Response Number 5
Name: Brian
Date: October 25, 2002 at 08:48:40 Pacific

Reply: So I take it you know what device this is coming from? Did someone statically assign this IP address to this device? Are you sure this device is not on another subnet or VLAN?? I would check the switch and make sure it is not on another VLAN.

Response Number 7
Name: Divyangi
Date: October 25, 2002 at 09:19:11 Pacific

Reply: We are a campus setup. On running the 'show arp' command, we get to know which VLAN the IP address belongs to (we are using VLANs on the 6509). This VLAN is the dormitory side of the network, which means many more switches and many, many student machines (personal machines). As you can gather, that is not much information to go by.

> So I take it you know what device this is coming from
--> The machine belongs to a student, we know the hardware address of the machine, but not to whom that machine belongs.

Thanks,
- Divyangi

Response Number 8
Name: Brian
Date: October 25, 2002 at 09:58:27 Pacific

Reply: You don't have any idea where this machine lives? From the switch, do a 'show mac-address-table'; it should list the port where that MAC address lives. Then go to that port and follow the phy connection to the computer.

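The lookup from Response 8, run over saved 'show mac-address-table' output from several switches at once, as an added example that is not part of the original thread: it ranks the ports where a MAC was learned so the port with the fewest learned addresses (the likely access port rather than an uplink) comes first. Switch names, addresses and table text are constructed, and the parser assumes only a dotted MAC on each entry line with the port in the last column, since the exact layout differs between platforms.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)

# Constructed sample output: switch names, MACs and ports are made up.
# Assumed layout: a dotted MAC somewhere on the line, port in the last column.
SAMPLES = {
    "core-6509": """
  20    0001.0203.0a0b    dynamic    Gi3/1
  20    0001.0203.0a0c    dynamic    Gi3/1
  20    00aa.bbcc.dd01    dynamic    Gi3/1
""",
    "dorm-3500-a": """
0001.0203.0a0b       Dynamic         20  FastEthernet0/3
0001.0203.0a0c       Dynamic         20  GigabitEthernet0/2
00aa.bbcc.dd01       Dynamic         20  GigabitEthernet0/2
""",
    "dorm-2900-b": """
0001.0203.0a0c       Dynamic         20  FastEthernet0/4
00aa.bbcc.dd01       Dynamic         20  FastEthernet0/5
""",
}

def normalize(mac):
    """Convert 00:AA:.., 00-aa-.. or 00aa.bbcc.. to the dotted form IOS prints."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_table(text):
    """Yield (mac, port) pairs; header and separator lines carry no MAC."""
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            yield m.group(0).lower(), line.split()[-1]

def locate(mac, tables):
    """Return (switch, port, macs_on_port) hits, fewest MACs on the port first."""
    target, hits = normalize(mac), []
    for switch, text in tables.items():
        per_port = defaultdict(set)
        for learned, port in parse_table(text):
            per_port[port].add(learned)
        hits += [(switch, p, len(m)) for p, m in per_port.items() if target in m]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for switch, port, count in locate("00:AA:BB:CC:DD:01", SAMPLES):
        print(f"{switch:12} {port:20} {count} MAC(s) on port")
```

A port that shows only the target MAC is where the physical trace starts; a port carrying many addresses is an uplink, so the same lookup is repeated on the switch behind it.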
Response Number 9
Name: Divyangi
Date: October 25, 2002 at 11:30:23 Pacific

Reply: Thank you Brian. I hope this helps us solve the issue. I appreciate your help.
-- Divyangi

Response Number 10
Name: D
Date: October 25, 2002 at 11:38:18 Pacific

Reply: Sounds like you are trying to identify the end user without having to go from switch to switch to switch. If this is the case you need what is known as Cisco Works. Specifically, since you are using so many switches, you need the LAN Management Solution (LMS) version of Cisco Works. It will give you such detailed information without the need of physically following switch to switch to switch, to PC. But Cisco Works LMS ain't cheap, but it is effective. It is especially designed for enterprise level businesses. If you are interested let me know, I can get it to you below list cost (33% off).
D

Response Number 11
Name: FredF
Date: October 25, 2002 at 18:55:19 Pacific

Reply: Before spending a bunch of money, try LANguard Network Scanner for free here: http://www.gfisoftware.com/lannetscan/index.htm
