
I have had a look through the related questions for this issue and was not able to pick up a solid answer. I'm getting closer via my poor use of google-fu, but I'd like to ask you guys as well (I'd also like to apologise in advance for the length of this question! Wasn't sure how much background info to give).

tl;dr: have IP, have MAC address, cannot resolve hostname, how can I find the device?

I had recently installed a Cisco WAP-4410N on my LAN via a Linksys SRW2024 switch, with the IP 10.0.0.249. This was working fine for a couple of days until I realised that I forgot to change timestamp during setup. Logged in via the web interface, made the change and then saved settings.

Now, instead of the page reloading with my new date and time, I got a 404 not found page in its place... weird. I could still ping 10.0.0.249 fine, and I was still getting throughput on my wireless devices, so I figured I must have toggled an option somewhere by accident.

Pulled the WAP off the switch and plugged straight into a box set up on the same IP range as the WAP and switch. Logged in no problem. Hmmm, plugged it back in to the switch, 404'd again. Plugged the WAP back into the box, changed the IP to 10.0.0.5. Can now log in to the WAP from the local box and the switch, fine whatever, great.

However, 10.0.0.249 is still responding to a ping, meaning another device on the network has somehow gotten a hold of it (which would possibly explain why I could not access web interface on my WAP (not sure how though if the WAP still allowed throughput on wireless devices)).

I have the DHCP service turned off on the Win2k3 server. I've tried nbtstat -a 10.0.0.249, but get a "No hostname found" response, leading me to think the device is a print server or similar network appliance without a PC hostname. I have also tried to telnet to the IP on ports 21, 80, or 443 with no luck. arp -a (or A) 10.0.0.249 gives "No ARP Entries Found" (though I suspect I may not be using the arp command correctly).

I've just loaded Wireshark and sent a ping through to 10.0.0.249, and by inspecting the packet line by line I've found the following (Dst: = possibly the device (looks like an IPv6 address?) & MAC address):

Ethernet II, Src: D-Link_aa:4e:71 (00:1e:58:aa:4e:71), Dst: Cisco_1e:30:a0 (00:1b:2a:1e:30:a0)

We do also have a Cisco 2600 series router on an IP right next to 10.0.0.249. Can someone tell me what I'm doing wrong and put me out of my misery?

Thanks,

EDIT

Here's the table that appears after I execute

SRW224G4# show bridge address-table
Aging time is 300 sec

Vlan        Mac Address       Port     Typ 
-------- --------------------- ------ ----------
1       <Stripped>            e2    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>           e24    dynamic
1       <Stripped>           e24    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>           e24    dynamic
1       <Stripped>            g4    dynamic
1       <Stripped>            e2    dynamic
1       <Stripped>            e9    dynamic
1       <Stripped>            g1    dynamic
1       <Stripped>            e3    dynamic (Here's the MAC address for my mystery IP)
1       <Stripped>            e1    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>           e24    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>           e24    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>           e24    dynamic
1       <Stripped>            g3    dynamic
1       <Stripped>            e1    dynamic
1       <Stripped>           e24    dynamic 
Markovs

2 Answers


The Linksys is a managed switch; you should be able to issue an ARP command from the command line and figure out what MAC address that IP is coming from. From there, look at the MAC table to figure out if it's behind a port directly, or behind the access point dedicated to your port.

Start with the switch.

Tom

SpacemanSpiff
  • Thanks Tom, that's got me off to a good start. Will update thread with results. – Markovs Nov 30 '10 at 01:09
  • I've managed to log into the switch and load up the lcli. Used the command: show bridge address-table vlan1 to bring up the table Tom suggested. From here I was able to see which MAC address was assigned to what port on the switch. Can someone explain why the ports are showing up multiple times against the MAC addresses though? The LAN has been set up with only static IPs. – Markovs Nov 30 '10 at 06:16
  • The same port showing up with multiple MAC addresses indicates that you have hubs or switches out of those ports. – Vatine Nov 30 '10 at 09:57
  • D'oh! Right, should have thought that through a little bit more before I posted. Thanks, Vatine. The switch is basically at full capacity, but the table above seems to only be showing activity on ports connected to network devices (hubs/switches/routers/servers), not workstations. I'm still not quite sure how the device on port e3 managed to get itself a new internal IP (a Cisco 1800 series backup router), gonna have to call the Telco that supplied it to make sure everything still looks right on their end. – Markovs Nov 30 '10 at 22:33
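
The lookup described in this answer and its comments (MAC to switch port, then how many MACs share that port), as an added example that is not part of the original posts. The table is constructed in the layout of the output above; only 00:1b:2a:1e:30:a0 comes from the page (the Wireshark capture), and the colon-separated MAC format is an assumption, since the page strips the real addresses.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the `show bridge address-table` layout above.
# Only 00:1b:2a:1e:30:a0 is from the page; all other MACs are made up.
SAMPLE_TABLE = """\
Aging time is 300 sec

Vlan        Mac Address       Port     Typ
-------- --------------------- ------ ----------
1       00:11:22:33:44:01      e2    dynamic
1       00:11:22:33:44:02      e1    dynamic
1       00:11:22:33:44:03     e24    dynamic
1       00:11:22:33:44:04     e24    dynamic
1       00:11:22:33:44:05      e9    dynamic
1       00:1b:2a:1e:30:a0      e3    dynamic
1       00:11:22:33:44:06      e1    dynamic
1       00:11:22:33:44:07      g4    dynamic
"""

# vlan, MAC (colon or dash separated), port, entry type
ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\s+(\S+)\s+(\S+)\s*$", re.I)

def normalize(mac):
    """Bare lower-case hex, so 00-1B-.. and 00:1b:.. compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_table(text):
    """Return {port: set of normalized MACs}; header lines are skipped."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(3)].add(normalize(m.group(2)))
    return dict(ports)

def locate(text, mac):
    """Return (port, MAC count on that port, verdict), or None if not learned."""
    target = normalize(mac)
    for port, macs in parse_table(text).items():
        if target in macs:
            # One MAC on a port suggests a directly attached device; several
            # mean another hub, switch or AP sits between it and this switch.
            verdict = ("likely directly attached" if len(macs) == 1
                       else "behind a hub/switch/AP on this port")
            return port, len(macs), verdict
    return None

if __name__ == "__main__":
    print(locate(SAMPLE_TABLE, "00:1B:2A:1E:30:A0"))
```

Entries are dynamic and age out (300 seconds in the output above), so ping the address just before reading the table; a `None` result can simply mean the entry has expired.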

As Tom said, start with the switch. Another indicator could be simply pinging hosts on the network -- wirelessly connected hosts have much more latency than wired ones.

If your WAP is NAT'ing, you could expect all packets from the mystery machine to come from the MAC address of the AP.

C.J. Steele