Wednesday, 30 July 2008

Tracking down a server

So now I have moved to a much larger network and only have access to the network and not to any servers I face a whole host of new hurdles that I have to overcome. One of those hurdles is trying to locate which switch a server sits on. So far I have developed the method below however there are some areas I need some advice especially on the CatOS stuff.

I needed to track down the server Nike. So first idea was to trace route to the server. So on to my trusty Windows laptop and enter the trace command doh this is not a Cisco box. Anyhow I remembered the Windows command as below:

C:\Program Files\Support Tools>tracert nike

Tracing route to nike.ciscoferret.local[]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms vl101-ESP-MAD-009-SW102-WEST1 []
2 <1 ms <1 ms <1 ms ge1/1-ESP-MAD-009-SW110-CORE []
3 <1 ms <1 ms <1 ms fe2/0-ESP-MAD-009-RTR01 []
4 1 ms 1 ms 1 ms vl100-ESP-MAD-010-sw01-w1-msfc []

5 1 ms 1 ms 1 ms vl952-ESP-MAD-010-sw02-core []
6 7 ms 1 ms 1 ms vl963-ESP-MAD-010-sw04-core []
7 1 ms 1 ms 1 ms nike.ciscoferret.local[]

Trace complete.

So now I had my trace file and more importantly I had the IP address of the last Layer 3 device before my server. So next thing is to telnet to the last Layer 3 device before my server.

C:\Program Files\Support Tools>telnet

Then I ran a show arp to include the IP address of the server as below:

ESP-MAD-010-SW04-CORE#show arp | in
Internet 5 0011.54dd.3382 ARPA Vlan510

Now I had the MAC address it was time to find out what interface it had been learnt on.

ESP-MAD-010-SW04-CORE#show mac-address-table add 0011.254a.2833
Legend: * - primary entry
age - seconds since last seen
n/a - not available

vlan mac address type learn age ports
* 510 0011.54dd.3382 dynamic Yes 0 Gi6/1
* 510 0011.54dd.3382 dynamic Yes 0 Gi6/1

So I knew the interface the next thing was to figure out who was connected to that interface. So this is where trusty CDP comes in handy (that is if you are running it, not sure what I would do if it was not enabled, anyone got any bright ideas?)

ESP-MAD-010-SW04-CORE#show cdp neighbors gigabitEthernet 6/1 detail
Device ID: TBP06360198(ESP-MAD-010-SW02-NSR)
Entry address(es):
IP address:
Platform: WS-C6509, Capabilities: Trans-Bridge Switch IGMP
Interface: GigabitEthernet6/1, Port ID (outgoing port): 3/6
Holdtime : 169 sec

Version :
WS-C6509 Software, Version McpSW: 7.3(1) NmpSW: 7.3(1)
Copyright (c) 1995-2002 by Cisco Systems

advertisement version: 2
VTP Management Domain: 'ACB_Module_9'
Native VLAN: 954
Duplex: full


Now I had my neighbor time to telnet to my neighbor and carry on the task of ferreting out which switch the server was located on.

Trying ... Open

Whoops this switch was running CatOS and this is where things got difficult for me. My CatOS is not that good so the best method I could come up with is as follows. If anyone has a better way which I am sure they do please let me know.

I did a show on the VLAN which I had learnt above from the show mac-address-table add 0011.254a.2833 command.

ESP-MAD-010-SW01-NSR (enable) show cam dynamic 510
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
510 00-60-56-ae-49-3f 3/5 [ALL]
510 00-14-5e-7b-18-26 3/5 [ALL]
510 00-60-56-9e-44-82 3/5 [ALL]
510 00-11-25-9d-57-47 3/5 [ALL]
510 00-12-79-9e-38-2f 3/5 [ALL]
510 00-60-56-ae-75-46 3/5 [ALL]
510 00-60-56-ae-48-a6 3/5 [ALL]
510 00-29-6b-ca-9b-50 7/26 [ALL]
510 00-14-5e-7b-18-27 4/31 [ALL]
510 00-60-56-82-3c-25 3/5 [ALL]
510 00-0d-60-4e-6f-18 6/28 [ALL]
510 00-60-56-ae-22-a9 3/5 [ALL]
510 00-14-5e-bd-5f-d1 3/5 [ALL]
510 00-11-25-4a-17-c8 6/39-40 [ALL]
510 00-11-25-9d-50-bd 3/5 [ALL]
510 00-14-5e-36-6b-58 3/5 [ALL]
510 00-60-56-ae-6d-18 3/5 [ALL]
510 00-14-5e-bd-5f-d0 3/5 [ALL]
510 00-11-25-4a-17-c9 3/5 [ALL]
510 00-0d-60-9d-16-fd 3/5 [ALL]
510 00-14-5e-36-6b-59 3/5 [ALL]
510 00-29-6b-f5-79-c3 7/39-40 [ALL]
Do you wish to continue y/n [n]? y
510 00-60-56-ae-5b-5e 3/5 [ALL]
510 00-14-5e-ec-ed-3c 3/5 [ALL]
510 00-60-56-9e-00-1f 3/5 [ALL]
510 00-14-5e-7b-89-f6 5/19 [ALL]
510 00-60-56-ae-6c-1f 3/5 [ALL]
510 00-0d-60-9c-2d-7a 8/19 [ALL]
510 00-60-56-ae-21-07 3/5 [ALL]
510 00-11-25-9d-57-db 3/5 [ALL]
510 00-1b-54-bb-d3-b6 3/5 [ALL]
510 00-60-56-ae-7e-2d 3/5 [ALL]
510 00-11-25-9d-56-8d 3/5 [ALL]
510 00-60-56-9e-76-47 3/5 [ALL]
510 00-60-56-9e-3a-0b 3/5 [ALL]
510 00-60-56-ae-3d-9e 3/5 [ALL]
510 00-14-5e-bc-a7-67 3/5 [ALL]
510 40-00-40-10-10-12 3/5 [ALL]
510 00-11-25-9d-51-7b 3/5 [ALL]
510 00-11-25-9d-55-f7 3/5 [ALL]
510 00-0d-60-9c-2d-ba 8/19 [ALL]
510 00-60-56-ae-2f-af 3/5 [ALL]
510 00-60-56-ae-1d-37 3/5 [ALL]
510 00-0d-60-4e-66-d6 6/28 [ALL]
Do you wish to continue y/n [n]? y
510 00-0d-60-4e-6a-f8 6/28 [ALL]
510 00-60-56-82-7c-91 3/5 [ALL]
510 00-14-5e-bd-1c-de 3/5 [ALL]
510 00-11-54-dd-33-82 6/39-40 [ALL]
510 00-14-5e-36-6a-be 3/5 [ALL]
510 00-60-56-ae-73-5b 3/5 [ALL]
510 00-0d-60-9c-27-b2 8/19 [ALL]
510 00-60-56-ae-42-b7 3/5 [ALL]
510 00-14-5e-bd-1c-df 3/5 [ALL]
510 00-0d-60-4e-6f-ea 6/28 [ALL]
510 00-60-56-ae-59-54 3/5 [ALL]
510 00-11-25-9d-56-69 3/5 [ALL]
510 00-1a-64-63-8d-2c 3/5 [ALL]
510 00-0d-88-c6-87-14 6/29 [ALL]
510 00-0d-88-c6-8b-90 8/19 [ALL]
510 00-12-79-9e-64-82 3/5 [ALL]
510 00-0d-60-4e-6a-74 6/28 [ALL]
510 00-0d-60-4e-6e-f8 6/28 [ALL]
510 00-60-56-9e-52-47 3/5 [ALL]
510 00-10-18-06-05-04 3/5 [ALL]
510 00-60-56-ae-4f-62 3/5 [ALL]
510 00-29-6b-16-45-25 7/47-48 [ALL]
Do you wish to continue y/n [n]? y
510 00-12-79-9e-64-83 4/48 [ALL]
510 00-29-6b-f5-ea-5b 6/25 [ALL]
510 00-60-56-ae-09-43 3/5 [ALL]
510 00-60-56-ae-49-03 3/5 [ALL]

I took the output I received above and pasted it in to wordpad. Then I did a find on the MAC address but first I had to do a conversion from the dotted decimal MAC address notation of IOS to the dashes of CatOS. So I actually did a find on 00-11-54-dd-33-82. From this I found MAC address 00-11-54-dd-33-82 was being learnt on interface 6/39. So a show cdp neighbors 6/39 detail as below showed me what switch was connected to this interface.

ESP-MAD-010-SW01-NSR (enable) show cdp neighbors 6/39 detail
Port (Our Port): 6/39
Device-ID: BLC005MAD-BCSM1
Device Addresses:
IP Address:
Holdtime: 127 sec
Capabilities: SWITCH IGMP
Cisco Internetwork Operating System Software
IOS (tm) CIGESM Software (CIGESM-I6Q4L2-M), Version 12.1(14)AY4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 20-Dec-04 10:20 by myl
Platform: cisco OS-CIGESM-18
Port-ID (Port on Neighbors's Device): GigabitEthernet0/17
VTP Management Domain: unknown
Native VLAN: 508
Duplex: full
System Name: unknown
System Object ID: unknown
Management Addresses: unknown
Physical Location: unknown
ESP-MAD-010-SW01-NSR (enable)

The switch connected to interface 6/39 was a blade centre so I telneted to the IP address I learnt from the
show cdp neighbors 6/39 detail command above. Then I did a show mac-ad address 0011.254a.2832 and it showed me the blade port the server was connected to.

BLC005MAD-BCSM1#show mac-ad address 0011.254a.2832
Mac Address Table

Vlan Mac Address Type Ports
---- ----------- -------- -----
510 0011.254a.2832 DYNAMIC Gi0/8
Total Mac Addresses for this criterion: 1

Now as I said I am sure this is not the easiest or most efficient way to track down a server. So as this skill is really important to me in my current job if anyone has a better way then please let me know. Any help would be most appreciated.


Derek said...

A few years ago I tackled this issue by creating a set of perl scripts that would go to each of the switches and capture the MAC table (with port numbers) then go to the routers and grab the ARP table. Than I join the two tables on the mac. I know have a list of every MAC with IP address and Switch and Port number. I topped it off with a web page to search for Host Name, IP Addr, MAC, or port.

The data collection ran twice a day and I archived the old lists for auditing.

The Ferret said...

Any chance you still have that Perl script Derek? It would be most useful if you did.

Derek said...

No, I don't work there anymore. The one difficulty I had was the team
that maintained the routers and switches would change the DNS names or
add new ones and wouldn't let me know so I could add them to my lookup

I believe CiscoWorks has this functionality.

It's not hard with Perl and SNMP.

Derek said...

There is a script out there called CAMMER.PL that does this.

I also see that Solar Winds has a tool in their Engineer's tool kit for this. If you support Cisco networks, your should get the toolkit.

alloytm said...

show mac-ad | inc the.mac.address

this would filter out the entry without using the wordpad.

The Ferret said...

Does this work on CatOS? I will give it a try and see what happens.