How to find a list of devices connected to my network (IP's and MACs)

  • I am trying to get a list of the devices that are connected to my Cisco (Catalyst 2960) switch. Preferably through SNMP. Here is what I've already done:

    I was able to retrieve the ARP table from the switch (through SNMP walking OID 1.3.6.1.2.1.4.22.1.2 on the switch). However, this does not reflect the 'live' set of IPs since ARP does not update when devices go offline. In other words, when I restart a device and it acquires a new IP address (dynamic) I end up with the old IP address also listed in my ARP table, even though that IP is not currently on the network.

    Is there any way for me to find that 'live' list through the switch, preferably avoiding the ARP table?

    P.S. I cannot continuously ping the devices to determine their status, I'm working under very low bandwidth conditions.

    Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.

    Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer.

  • Is a broadcast ping to the subnet from the SVI on the switch (which is low-bandwidth), and using `show mac address-table dynamic` out of the question?

    some-switch#show mac address-table dynamic
              Mac Address Table
    -------------------------------------------
    
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    000f.257b.ba3b    DYNAMIC     Gi1/0/49
       1    0011.254f.a5be    DYNAMIC     Gi1/0/49
      56    0000.0c57.aa00    DYNAMIC     Gi1/0/49
      56    0004.0ff4.8cf4    DYNAMIC     Gi1/0/49
      56    0004.0af4.c8fb    DYNAMIC     Gi1/0/5
    

    At this point, use your ARP table to map from mac-address to IP address.

    Doing this with SNMP is possible, but somewhat painful if you need to know what port each mac-address is on... use dot1dTpFdbAddress to grab the mac-addresses, dot1dBasePortIfIndex to map to interface ifIndex and then ifName to map from ifIndex to a name you'll recognize.

    Could you please expand more on the first solution? How can I do that? ... Also, dot1dTpFdbAddress and dot1dBasePortIfIndex are not returning anything :/

    I'm assuming you know how to show the mac-address table from the CLI... regarding the ping, if your subnet is `172.16.1.0/24` then a broadcast ping for that subnet is `ping 172.16.1.255`... regarding snmp, I said it's painful :-)... are you sure you polled with `snmpbulkwalk -v 2c -m BRIDGE-MIB -c <community>@<vlan> <switch> dot1dTpFdbAddress`? In other words, if your community is "PUBLIC" and you're polling Vlan 501, poll BRIDGE-MIB with the community "PUBLIC@501"

    Note: any remotely secured device will not answer a broadcast ping.

    @RickyBeam, that's why I said he needs to do it from the switch with the connected SVI... I also realize that Windows doesn't answer pings by default... so this is better than nothing, but admittedly not a 100% solution... we're dealing with some suboptimal constraints in this problem

    @AJJ. have you tried polling with `1.3.6.1.2.1.17.4.3.1.1` instead of `dot1dTpFdbAddress`? It is possible that your SNMP manager is not loaded with BRIDGE-MIB in a location where you can access it easily...

    Thank you Mike. I was able to poll dot1dTpFdbAddress. However, it did not give me a 'live' table, I disconnected some devices from the network and connected others, but the table never changed. I ended up with 2 different tables, one from dot1dTpFdbAddress and the ARP table, neither of those represented the real network.

    @AJJ. The mac-address table has a five-minute cache time by default; were those devices disconnected for less than five minutes? If you need real-time info, you'll need to check `ifOperStatus`, which means the convoluted MIB value mapping exercise I mentioned in my answer. If these are all machines using DHCP, you might consider DHCP snooping as suggested by GeneralNetworkError below.
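The mapping exercise from the answer and comments above, as an added example that is not part of the original thread: it joins dot1dTpFdbPort, dot1dBasePortIfIndex, ifName, ifOperStatus and the ARP table, and keeps only MACs learned on ports whose link is up. It assumes the per-VLAN walks were run with `snmpwalk -On` (numeric OIDs) and concatenated; the sample output is constructed.

```python
import re
# Standard BRIDGE-MIB / IF-MIB / IP-MIB column OIDs (numeric, as printed by -On).
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"      # dot1dTpFdbPort, indexed by MAC octets
BASE_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex, by bridge port
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"       # ifName, by ifIndex
IF_OPER = "1.3.6.1.2.1.2.2.1.8"          # ifOperStatus, by ifIndex (1 = up)
ARP_MAC = "1.3.6.1.2.1.4.22.1.2"         # ipNetToMediaPhysAddress, by ifIndex.IP
COLUMNS = (FDB_PORT, BASE_IFINDEX, IF_NAME, IF_OPER, ARP_MAC)
LINE = re.compile(r"^\.?([\d.]+) = (?:[\w-]+: )?(.*)$")

# Constructed sample: combined walk output, not taken from a real switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.4.10.244.200.251 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.0.4.15.244.140.244 = INTEGER: 7
.1.3.6.1.2.1.17.1.4.1.2.5 = INTEGER: 10105
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10107
.1.3.6.1.2.1.31.1.1.1.1.10105 = STRING: Gi1/0/5
.1.3.6.1.2.1.2.2.1.8.10105 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.10107 = INTEGER: 2
.1.3.6.1.2.1.4.22.1.2.56.172.16.1.20 = Hex-STRING: 00 04 0A F4 C8 FB
.1.3.6.1.2.1.4.22.1.2.56.172.16.1.31 = Hex-STRING: 00 04 0A F4 C8 FB
"""

def parse_walk(text):  # -> {column OID: {index suffix: value}}
    tables = {c: {} for c in COLUMNS}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        for col in COLUMNS if m else ():
            if m.group(1).startswith(col + "."):
                tables[col][m.group(1)[len(col) + 1:]] = m.group(2).strip().strip('"')
    return tables

def num(value):
    return int(re.search(r"\d+", value).group())  # accepts "1" and "up(1)"

def live_hosts(text):
    """Return (mac, port name, ARP IPs) for MACs learned on ports that are up."""
    t = parse_walk(text)
    ips = {}
    for idx, raw in t[ARP_MAC].items():  # index is ifIndex.a.b.c.d, value is the MAC
        ips.setdefault(":".join(raw.lower().split()), []).append(idx.split(".", 1)[1])
    rows = []
    for idx, port in t[FDB_PORT].items():
        ifindex = t[BASE_IFINDEX].get(str(num(port)))
        if ifindex is None or num(t[IF_OPER].get(str(num(ifindex)), "2")) != 1:
            continue  # unmapped bridge port, or link down: treat entry as stale
        mac = ":".join(f"{int(o):02x}" for o in idx.split("."))
        rows.append((mac, t[IF_NAME].get(str(num(ifindex)), "?"), ips.get(mac, [])))
    return sorted(rows)
```

In the sample the surviving MAC still carries two ARP addresses, the stale-entry case from the question; the link-state filter removes hosts on ports that are down but cannot say which of a host's ARP entries is current.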

  • DHCP Snooping for both the L3 IP and L2 MAC addresses if you seek to just identify your clients using dynamic addresses. This is used for security to block rogue DHCP servers and only allow packets to be received on switchports with valid DHCP addresses that were offered and requested (i.e., actually in use).

    Enable DHCP snooping globally for the VLANs you want to watch:

    ip dhcp snooping vlan 10,20,30,40,50
    no ip dhcp snooping information option
    no ip dhcp snooping verify mac-address
    ip dhcp snooping
    

    Be sure to identify your trusted interfaces that have your DHCP servers behind them using:

    interface xy/z
     ip dhcp snooping trust
    

    Sample bindings table of IP-MAC addresses:

    s-oc2-3h-s1#sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    B4:B5:2F:DB:85:C6   172.17.3.29      254427      dhcp-snooping   30    FastEthernet1/0/30
    3C:07:54:3F:91:CB   172.17.3.26      224542      dhcp-snooping   30    FastEthernet2/0/42
    6C:62:6D:77:95:1A   172.17.3.37      256986      dhcp-snooping   30    FastEthernet1/0/17
    B4:B5:2F:2D:27:37   172.17.3.22      149352      dhcp-snooping   30    FastEthernet2/0/30
    B4:B5:2F:DB:85:C2   172.17.3.18      207629      dhcp-snooping   30    FastEthernet1/0/16
    ...
    
    

    See the ciscoDhcpSnoopingMIB for SNMP access to these objects. OID 1.3.6.1.4.1.9.9.380
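An added example, not part of the original answer: it reconciles `show mac address-table dynamic` output with the `show ip dhcp snooping binding` table, so each learned MAC gets its leased IP without consulting ARP, and MACs that are forwarding traffic without any lease stand out. Both inputs are constructed samples in the formats shown on this page.

```python
import re

# Constructed samples in the two CLI formats shown on this page.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    b4b5.2fdb.85c6    DYNAMIC     Fa1/0/30
  30    3c07.543f.91cb    DYNAMIC     Fa2/0/42
  30    0004.0af4.c8fb    DYNAMIC     Fa1/0/5
"""
BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
B4:B5:2F:DB:85:C6   172.17.3.29      254427      dhcp-snooping   30    FastEthernet1/0/30
3C:07:54:3F:91:CB   172.17.3.26      224542      dhcp-snooping   30    FastEthernet2/0/42
6C:62:6D:77:95:1A   172.17.3.37      256986      dhcp-snooping   30    FastEthernet1/0/17
"""
BINDING_ROW = r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+\S+"

def norm_mac(mac):
    """Reduce dotted or colon MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_mac_table(text):
    rows = re.findall(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+DYNAMIC\s+(\S+)", text, re.M)
    return {(int(vlan), norm_mac(mac)): port for vlan, mac, port in rows}

def parse_bindings(text):
    rows = re.findall(BINDING_ROW, text, re.M)
    return {(int(vlan), norm_mac(mac)): ip for mac, ip, vlan in rows}

def reconcile(mac_table, bindings):
    """Key everything by (vlan, mac) and split into three groups."""
    fdb, leases = parse_mac_table(mac_table), parse_bindings(bindings)
    with_lease = {k: (fdb[k], leases[k]) for k in fdb if k in leases}
    no_lease = {k: fdb[k] for k in fdb if k not in leases}   # static or unknown host
    idle = {k: leases[k] for k in leases if k not in fdb}    # lease held, MAC aged out
    return with_lease, no_lease, idle
```

MACs seen on an uplink or trunk port will land in `no_lease` unless their bindings are collected from the switch where they attach, so run the comparison per access switch.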

  • If IPs are dynamic, then you should have DHCP logs to get MAC-IP pairs. Then with SNMP you can try to understand what kind of devices you have. But keep in mind that you have to have SNMP configured and allowed from your station. If you are talking about Windows machines, then it is easier to use PowerShell to grab information about workstations. You can also try to use nmap to scan the whole subnet and to get more information about its inhabitants.

    How can I fetch the DHCP logs?

    It depends on your DHCP server vendor...

  • This will probably bust your requirements concerning bandwidth, but you could use a snmp discovery sw like "the dude". You would need to set community and private vlans appropriately in order for the snmp traffic to get back to the server. If you are interested in this solution I could give you more details as to vlans and sw setting required.

    I think "the dude" just fixed some typos in your post :-)... This happens to me a lot when I post from my HTC... were you using a cell phone?

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM