How to find a list of devices connected to my network (IPs and MACs)
I am trying to get a list of the devices that are connected to my Cisco (Catalyst 2960) switch. Preferably through SNMP. Here is what I've already done:
I was able to retrieve the ARP table from the switch (through SNMP, walking OID 18.104.22.168.22.214.171.124.1.2 on the switch). However, this does not reflect the 'live' set of IPs, since ARP does not update when devices go offline. In other words, when I restart a device and it acquires a new (dynamic) IP address, I end up with the old IP address also listed in my ARP table, even though that IP is not currently on the network.
Is there any way for me to find that 'live' list through the switch, preferably avoiding the ARP table?
P.S. I cannot continuously ping the devices to determine their status, I'm working under very low bandwidth conditions.
Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
Is a broadcast ping to the subnet from the SVI on the switch (which is low-bandwidth), and using `show mac address-table dynamic`, out of the question?
```
some-switch#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000f.257b.ba3b    DYNAMIC     Gi1/0/49
   1    0011.254f.a5be    DYNAMIC     Gi1/0/49
  56    0000.0c57.aa00    DYNAMIC     Gi1/0/49
  56    0004.0ff4.8cf4    DYNAMIC     Gi1/0/49
  56    0004.0af4.c8fb    DYNAMIC     Gi1/0/5
```
At this point, use your ARP table to map from mac-address to IP address.
Doing this with SNMP is possible, but somewhat painful if you need to know what port each mac-address is on... use `dot1dTpFdbAddress` to grab the mac-addresses, `dot1dBasePortIfIndex` to map to interface, and `ifName` to map from `ifIndex` to a name you'll recognize.
Could you please expand more on the first solution? How can I do that? ... Also, dot1dTpFdbAddress and dot1dBasePortIfIndex are not returning anything :/
I'm assuming you know how to show the mac-address table from the CLI... regarding the ping, if your subnet is `172.16.1.0/24` then a broadcast ping for that subnet is `ping 172.16.1.255`... regarding snmp, I said it's painful :-)... are you sure you polled with `snmpbulkwalk -v 2c -m BRIDGE-MIB -c <community>@<vlan> dot1dTpFdbAddress`? In other words, if your community is "PUBLIC" and you're polling Vlan 501, poll BRIDGE-MIB with the community "PUBLIC@501"
@RickyBeam, that's why I said he needs to do it from the switch with the connected SVI... I also realize that Windows doesn't answer pings by default... so this is better than nothing, but admittedly not a 100% solution... we're dealing with some suboptimal constraints in this problem
@AJJ. have you tried polling with `126.96.36.199.188.8.131.52.3.1.1` instead of `dot1dTpFdbAddress`? It is possible that your SNMP manager is not loaded with BRIDGE-MIB in a location where you can access it easily...
Thank you Mike. I was able to poll dot1dTpFdbAddress. However, it did not give me a 'live' table, I disconnected some devices from the network and connected others, but the table never changed. I ended up with 2 different tables, one from dot1dTpFdbAddress and the ARP table, neither of those represented the real network.
@AJJ. The mac-address table has a five-minute cache time by default; were those devices disconnected less than five minutes ago? If you need real-time info, you'll need to check `ifOperStatus`, which means the convoluted MIB value mapping exercise I mentioned in my answer. If these are all machines using DHCP, you might consider DHCP snooping as suggested by GeneralNetworkError below
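The "convoluted MIB value mapping exercise" from the answer above (dot1dTpFdbAddress to dot1dTpFdbPort to dot1dBasePortIfIndex to ifName, then the ARP table for the IP), as an added example that is not from the thread: a hypothetical Python helper that consumes the text snmpwalk prints and joins the tables offline. The walk output is constructed, not captured from a real switch; the assumed object names are the standard BRIDGE-MIB, IF-MIB and IP-MIB ones.

```python
import re
# Hypothetical helper, not from the thread; input is Net-SNMP snmpwalk text output.
# Constructed sample: FDB rows are indexed by the MAC written as six decimal octets.
SAMPLE_WALK = """\
BRIDGE-MIB::dot1dTpFdbAddress.0.15.37.123.186.59 = STRING: 0:f:25:7b:ba:3b
BRIDGE-MIB::dot1dTpFdbAddress.0.4.15.244.140.244 = Hex-STRING: 00 04 0F F4 8C F4
BRIDGE-MIB::dot1dTpFdbPort.0.15.37.123.186.59 = INTEGER: 49
BRIDGE-MIB::dot1dTpFdbPort.0.4.15.244.140.244 = INTEGER: 5
BRIDGE-MIB::dot1dBasePortIfIndex.49 = INTEGER: 10149
BRIDGE-MIB::dot1dBasePortIfIndex.5 = INTEGER: 10105
IF-MIB::ifName.10149 = STRING: Gi1/0/49
IF-MIB::ifName.10105 = STRING: Gi1/0/5
IP-MIB::ipNetToMediaPhysAddress.1.172.16.1.20 = STRING: 0:f:25:7b:ba:3b
IP-MIB::ipNetToMediaPhysAddress.1.172.16.1.77 = STRING: 0:11:25:4f:a5:be
"""
LINE_RE = re.compile(r"^(?:[\w-]+::)?(\w+)\.([\d.]+) = (?:[\w-]+: )?(.*)$")
def parse_walk(text):
    """Return {object_name: {index: value}} from snmpwalk-style lines."""
    tables = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        obj, index, value = m.groups()
        tables.setdefault(obj, {})[index] = value.strip()
    return tables

def norm_mac(value):
    """'0:f:25:7b:ba:3b' or '00 0F 25 7B BA 3B' -> Cisco style 000f.257b.ba3b."""
    hexstr = "".join(o.zfill(2).lower() for o in value.replace(":", " ").split())
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))

def arp_by_mac(tables):
    """MAC -> IP from ipNetToMediaPhysAddress; the index ends with the IP's 4 octets."""
    return {norm_mac(v): ".".join(k.split(".")[-4:])
            for k, v in tables.get("ipNetToMediaPhysAddress", {}).items()}

def live_hosts(text):
    """MACs the switch is currently forwarding for, with port name and ARP IP."""
    arp, rows = arp_by_mac(t := parse_walk(text)), []
    for idx, mac in t.get("dot1dTpFdbAddress", {}).items():
        port = t.get("dot1dTpFdbPort", {}).get(idx)            # FDB row -> bridge port
        ifindex = t.get("dot1dBasePortIfIndex", {}).get(port)  # bridge port -> ifIndex
        name = t.get("ifName", {}).get(ifindex, f"ifIndex {ifindex}")  # ifIndex -> name
        mac = norm_mac(mac)
        rows.append((mac, name, arp.get(mac)))  # IP is None when ARP has no entry
    return sorted(rows)

def stale_arp(text):
    """ARP entries whose MAC is no longer in the MAC table: those hosts are probably gone."""
    t = parse_walk(text)
    present = {norm_mac(v) for v in t.get("dot1dTpFdbAddress", {}).values()}
    return sorted((ip, m) for m, ip in arp_by_mac(t).items() if m not in present)
```

`stale_arp` is the check the question is really after: an ARP entry whose MAC has aged out of the MAC table (five minutes by default) is the leftover of a host that left, so it can be dropped from the 'live' list without pinging anything.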
Use DHCP snooping to get both the L3 IP and L2 MAC addresses, if you just want to identify your clients that use dynamic addresses. This is used for security to block rogue DHCP servers and only allow packets to be received on switchports with valid DHCP addresses that were offered and requested (i.e., actually in use).
Enable DHCP snooping globally for the VLANs you want to watch:
```
ip dhcp snooping vlan 10,20,30,40,50
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
ip dhcp snooping
```
Be sure to identify your trusted interfaces that have your DHCP servers behind them using:
```
interface xy/z
 ip dhcp snooping trust
```
Sample bindings table of IP-MAC addresses:
```
s-oc2-3h-s1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
B4:B5:2F:DB:85:C6   172.17.3.29      254427      dhcp-snooping   30   FastEthernet1/0/30
3C:07:54:3F:91:CB   172.17.3.26      224542      dhcp-snooping   30   FastEthernet2/0/42
6C:62:6D:77:95:1A   172.17.3.37      256986      dhcp-snooping   30   FastEthernet1/0/17
B4:B5:2F:2D:27:37   172.17.3.22      149352      dhcp-snooping   30   FastEthernet2/0/30
B4:B5:2F:DB:85:C2   172.17.3.18      207629      dhcp-snooping   30   FastEthernet1/0/16
...
```
See the ciscoDhcpSnoopingMIB for SNMP access to these objects. OID 184.108.40.206.220.127.116.11.380
If the IPs are dynamic, then you should have DHCP logs to get MAC-IP pairs. Then with SNMP you can try to work out what kind of devices you have, but keep in mind that you have to have SNMP configured and allowed from your station. If you are talking about Windows machines, then it is easier to use PowerShell to grab information about workstations. You can also try to use nmap to scan the whole subnet to get more information about its inhabitants.
This will probably bust your requirements concerning bandwidth, but you could use SNMP discovery software like "The Dude". You would need to set community strings and private VLANs appropriately in order for the SNMP traffic to get back to the server. If you are interested in this solution I could give you more details as to the VLAN and software settings required.