
We just had our third incident of a duplicate MAC address from provided hardware in 2 years. I know it's possible to override the MAC in software, but detecting it during troubleshooting can take ages in a large network.

On Linux, how can I monitor for duplicate MAC addresses across a whole network so that I can send it to our notification system to be rectified more quickly?

  • Keep in mind that a single system will usually only really see MAC addresses when in the same broadcast domain (the same VLAN / subnet / network segment) as the offender, but consider https://en.wikipedia.org/wiki/Arpwatch if your switches don't support some duplicate MAC alerting. – HBruijn Nov 16 '18 at 08:21
  • @HBruijn I am not sure how useful arpwatch would be for actually troubleshooting. Sure it would probably notice a duplicate, but doesn't give you a lot beyond that. I suspect an approach that pulls data from your switches/network equipment would be far more useful. – Zoredache Nov 16 '18 at 08:53
  • This is almost impossible to do without managed switches. If you do have managed switches it really depends on what features those switches have. – kasperd Nov 16 '18 at 15:02

1 Answer


Do you have managed switches? I suspect my approach might be to periodically pull the MAC tables (CAM table) from all your switches/network devices and then store them in some kind of database or something where you can track which MAC addresses are being used on which switch/ports. There are many tools that could be used to connect to various switches and pull data. From a Linux system perhaps you could gather data using SNMP, netmiko, or maybe an Ansible playbook that collected and stored the data periodically.

Depending on the network hardware there might be some way to log learned MAC-address-to-port assignments to a syslog server if you enable the correct logging options. That would almost certainly be a good option, and enabling a syslog server on a Linux box to receive the logs should be very easy.

Depending on your switch hardware and software, there is functionality in higher-end switches for security to prevent MAC addresses from being spoofed or moving too quickly between ports. Take time to look at your switches and see what your switches can do to solve this.

If you want to go all out and you have higher-end network equipment, there are ways you can require systems to authenticate themselves via certificate or other means. Computers could be set to not join the network, or be shunted off to a sandbox VLAN or something if they fail authentication.

Zoredache
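The answer above suggests polling each switch's MAC table, storing the results and tracking which switch/port every MAC is learned on. The following is an added example (not code from the answer or from any tool it names) of the comparison step that turns those polls into an alert: it normalises the different MAC formats switch families print, ignores entries learned on inter-switch links (where every remote MAC legitimately appears), reports a MAC seen on more than one access port in a single poll, and reports MACs that changed access port between two consecutive polls, which is the "moving between ports" pattern a duplicate produces. The switch names, port names, MAC values and the UPLINKS set are constructed; collecting the snapshots from SNMP or a CLI is assumed to happen elsewhere.

```python
"""Duplicate-MAC detection over collected switch forwarding tables (added example)."""
import re
from collections import defaultdict

MAC_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> str:
    """Canonicalise vendor MAC formats (00:11:22:33:44:55, 00-11-22-33-44-55,
    0011.2233.4455) to lower-case colon form so tables from different
    switch families can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_HEX.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample data: one forwarding-table snapshot per switch, as a list of
# (mac, port) pairs like those a poll via SNMP (dot1dTpFdbTable) or a CLI
# scrape would yield. Switch names, ports and MACs are made up.
SNAPSHOT = {
    "sw-access-1": [
        ("0011.2233.4455", "Gi1/0/1"),     # workstation
        ("aabb.ccdd.ee01", "Gi1/0/2"),
        ("aabb.ccdd.ee02", "Gi1/0/24"),    # learned via uplink; really lives on sw-access-2
    ],
    "sw-access-2": [
        ("AA-BB-CC-DD-EE-02", "Gi1/0/5"),
        ("00:11:22:33:44:55", "Gi1/0/7"),  # same MAC as sw-access-1 Gi1/0/1: a duplicate
        ("aa:bb:cc:dd:ee:03", "Gi1/0/48"),
    ],
}
# Inter-switch links are excluded: every remote MAC is legitimately learned
# there, so an entry on an uplink is not evidence of duplication. (Constructed.)
UPLINKS = {("sw-access-1", "Gi1/0/24"), ("sw-access-2", "Gi1/0/48")}


def access_locations(snapshot, uplinks):
    """Map each MAC to the set of (switch, port) access ports it was learned on."""
    where = defaultdict(set)
    for switch, entries in snapshot.items():
        for raw_mac, port in entries:
            if (switch, port) in uplinks:
                continue
            where[normalize_mac(raw_mac)].add((switch, port))
    return where


def find_duplicates(snapshot, uplinks):
    """Return {mac: sorted locations} for MACs seen on more than one access
    port within a single polling cycle."""
    return {mac: sorted(locs)
            for mac, locs in access_locations(snapshot, uplinks).items()
            if len(locs) > 1}


def port_moves(previous, current, uplinks):
    """Compare two consecutive polls and return {mac: (old, new)} for MACs whose
    access-port location changed. One move is normal (a laptop re-docked);
    a MAC that moves on every poll is the flapping a duplicate causes."""
    before = access_locations(previous, uplinks)
    after = access_locations(current, uplinks)
    moves = {}
    for mac, new_locs in after.items():
        old_locs = before.get(mac)
        if old_locs and old_locs != new_locs:
            moves[mac] = (sorted(old_locs), sorted(new_locs))
    return moves


def format_alert(duplicates):
    """Render one line per duplicate MAC, ready to hand to a notification system."""
    return [
        f"duplicate MAC {mac} seen on " + ", ".join(f"{sw}:{p}" for sw, p in locs)
        for mac, locs in sorted(duplicates.items())
    ]


if __name__ == "__main__":
    for line in format_alert(find_duplicates(SNAPSHOT, UPLINKS)):
        print(line)
```

In a real deployment the snapshots would be written to the database the answer describes, and `port_moves` would be run against the previous stored poll so that a MAC flapping between two ports is caught even when the two owners are never in the table at the same moment.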