
I'm continuing to lock down my network gear using the DISA standards. After implementing an ACL on a multi-layer switch that denies access to unknown subnets, the syslog server started recording two IP addresses about every 7 minutes that are being blocked. The IP addresses are in the 169.254.0.0 /16 network. This seems to indicate that the machines used a link local address, probably because they didn't have an IP address set (no DHCP on this isolated network). Without physically touching each machine is there a way to find out which port(s) these packets are coming in on? The multi-layer switch is a stack of Cisco 3750Gs with cross-stack ether-channel to 4 Cisco 2960Gs.

murisonc

2 Answers


Usually your intrusion detection log for a rogue IP address would list the MAC, but since it does not, you can try the following.

Log on to your Cisco device and ping the rogue IP. Of course, if your ACL is blocking access, this might be problematic.

ping 169.254.X.X

This will hopefully get the device's MAC address into the ARP table of the Cisco.

show arp | include 169.254.X.X

This will list the MAC address as well as the IP it is associated with. It will look something like:

Internet 169.254.X.X 0 2222.aaaa.bbbb ... 

Where 2222.aaaa.bbbb is the MAC address.

Finally run:

show mac-address-table dynamic | include 2222.aaaa.bbbb

This shows the port, where 2222.aaaa.bbbb is the MAC address.

jgv999
  • I may have missed the MAC address in the log. I'll have to double check that. It was detected with a 'deny any log' statement at the end of the ACL to a Kiwi syslog server. I tried to ping it from the switch but got nothing. – murisonc Nov 24 '10 at 02:11
  • you can (probably) run "show mac-address-table address 2222.aaaa.bbbb" (or "sh mac addr ...", as I usually shorten IOS commands, relying on the CLI parser to do its job), instead of filtering. – Vatine Nov 25 '10 at 12:22
  • Finally back at work. Trying to ping the rogue machines didn't work; no response and the arp table didn't get populated. – murisonc Nov 30 '10 at 14:13
  • Just found this somewhere else, may work for you... traceroute mac xxxx.xxxx.xxxx yyyy.xxxx.xxxx (from mac addr -> to mac addr) – jgv999 Jan 30 '11 at 23:37
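The IP -> MAC -> port chain from the answer above, done offline as an added example (this is not the answerer's code or Cisco tooling). It parses pasted output of show arp and show mac-address-table dynamic plus the Kiwi syslog ACL-deny lines, restricts itself to 169.254.0.0/16 sources, and reports which port each one sits behind. It also covers the failure mode reported in the comments (the host never answers the ping, so ARP stays empty): if the ACL entry ends in log-input rather than log, IOS appends the ingress interface and source MAC to the deny message, and the script uses that MAC directly. All three command outputs and the syslog lines below are constructed samples modelled on the IOS formats, not captures from a real switch; the MAC addresses, VLAN, ports and the 199.x addresses are assumed.

```python
"""Correlate ACL-denied 169.254.x.x sources with the switch port behind them."""
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # IOS dotted-quad MAC format

# "show arp": Protocol Address Age(min) Hardware-Addr Type Interface
ARP_LINE = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC_RE})\s+ARPA\s+(\S+)", re.M)
# "show mac-address-table dynamic": Vlan Mac-Address Type Ports
MAC_LINE = re.compile(rf"^\s*\d+\s+({MAC_RE})\s+\S+\s+(\S+)\s*$", re.M)
# %SEC-6-IPACCESSLOGP / IPACCESSLOGDP deny messages. The "(intf mac)" group is
# only present when the ACL entry uses "log-input" instead of "log".
DENY_LINE = re.compile(
    r"denied \S+ (\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"   # source IP, optional (port)
    rf"(?: \((\S+) ({MAC_RE})\))?"                    # optional log-input detail
    r" ->"
)

# --- constructed sample data (assumed values, not from a real device) -------
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  199.10.1.1              -   0016.c7aa.0001  ARPA   Vlan10
Internet  199.10.1.25             3   0021.5aab.1234  ARPA   Vlan10
Internet  169.254.37.12           0   2222.aaaa.bbbb  ARPA   Vlan10
"""
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0016.c7aa.0001    DYNAMIC     Gi1/0/1
  10    0021.5aab.1234    DYNAMIC     Po1
  10    0050.56aa.0c1e    DYNAMIC     Gi1/0/23
  10    2222.aaaa.bbbb    DYNAMIC     Gi2/0/17
"""
SYSLOG = """\
Nov 30 14:02:11 199.10.1.1 1234: %SEC-6-IPACCESSLOGP: list 110 denied udp 169.254.37.12(137) -> 169.254.255.255(137), 1 packet
Nov 30 14:02:15 199.10.1.1 1235: %SEC-6-IPACCESSLOGP: list 110 denied udp 169.254.200.3(138) (Vlan10 0050.56aa.0c1e) -> 169.254.255.255(138), 1 packet
Nov 30 14:02:40 199.10.1.1 1236: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 169.254.101.7 -> 199.10.1.1 (8/0), 1 packet
Nov 30 14:03:02 199.10.1.1 1237: %SEC-6-IPACCESSLOGP: list 110 denied tcp 199.10.2.9(4455) -> 199.10.1.1(22), 1 packet
"""


def parse_arp(text):
    """Map IP -> MAC from 'show arp' output."""
    return {ip: mac for ip, mac, _intf in ARP_LINE.findall(text)}


def parse_mac_table(text):
    """Map MAC -> port from 'show mac-address-table dynamic' output."""
    return dict(MAC_LINE.findall(text))


def parse_denies(text):
    """Map denied link-local source IP -> MAC (from log-input) or None."""
    hits = {}
    for m in DENY_LINE.finditer(text):
        ip, _intf, mac = m.groups()
        if ipaddress.ip_address(ip) in LINK_LOCAL:
            hits[ip] = mac or hits.get(ip)   # keep a MAC once any line had one
    return hits


def locate(syslog, arp_text, mac_text):
    """IP -> (mac, port); either may be None when the chain breaks."""
    arp, ports = parse_arp(arp_text), parse_mac_table(mac_text)
    result = {}
    for ip, logged_mac in parse_denies(syslog).items():
        mac = logged_mac or arp.get(ip)            # prefer the MAC IOS logged
        result[ip] = (mac, ports.get(mac) if mac else None)
    return result


if __name__ == "__main__":
    for ip, (mac, port) in locate(SYSLOG, SHOW_ARP, SHOW_MAC).items():
        if port:
            print(f"{ip:16} {mac}  {port}")
        else:
            print(f"{ip:16} unresolved: no ARP entry and no log-input MAC")
```

Two of the three link-local sources resolve (one through ARP, one through the MAC that log-input wrote into the syslog line); the third is reported as unresolved, which is the situation described in the comments and the cue to switch the trailing ACL entry from log to log-input. On a 3750G stack the port is reported with its stack member number (Gi2/0/17), so no physical walk is needed; if the MAC table points at the cross-stack port-channel to a 2960G, repeat the mac-address-table lookup on that 2960G.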
show mac-address-table dynamic

That will show you MAC-to-port mappings.

EEAA
  • I tried that but I don't know the MAC addresses of these two machines. I also tried show ip arp but it only shows the IP addresses that are in my 4 different valid subnets (all starting with 199). – murisonc Nov 23 '10 at 23:30