What is the best method of locating a particular workstation on a VLAN ?
I sometimes need to do this, if a workstation IP address, shows up on an ACL Deny
- torrent use
- High bandwidth usage (Top Talkers)
-
Snort alert
The way I do it now,
- Logon to a core switch in the same VLAN
- Ping the IP address,
- Retrieve the MAC from the ARP table
- Mac address lookup to see which switch it was learned from
- logon to that switch rinse and repeat until I locate the workstation
sometimes this can take logging in to ~7 switches, there are specific challenges to this network that I can do nothing about at the moment. Huge VLANs (/16) with a few hundred users on each VLAN
in an all Cisco shop, with minimal budget using Cisco switches, there must be a more efficient way to track down host machines ?
EDIT: To add further details
Specifically I'm looking for the switch-port the user is connected to ? also some history would be great .. because my approach only works while the user is still connected, and no value when i review the logs in the morning, but the device is no longer connected.
There is no central DNS or Active Directory it is like a Guest Network, where only internet access is provided. I try to provide some management and a bit of security.
I've tried "show ip dhcp binding | inc " it gives me a strange MAC (with 2 extra characters) that is not the associated device MAC, I have not looked into this yet, but ARP is accurate and I'm more concerned with finding the switch port the offending machine is connected to.
hope this provides some clarification
Best Answer
Take a look at Layer2 traceroute (for cisco).. Cdp should be running btw...