Track an IP on your Network

Who has never received the following question from a colleague:
- Hey, the network guy, could you find where is this laptop for me ? I have only his IP address.

To resolve this, you start to follow the IP address by looking in the arp and mac-address table of your switchs, routers and firewall. I have finished this boring job by using the following open source tool:
http://netdbtracking.sourceforge.net/

Developpers have alreay preconfigured a VM:
http://sourceforge.net/projects/netdbtracking/files/vmware/

After 30 minutes of the VM installation and some hours (depending of the size of your network) of configuration to enter your different equipment, you can provide a webtools reachable from everybody to track an IP.

You will find below some examples of host configuration.

• HP Procurve (Layer 3)

hostname,devtype=procurvehpv2, arp

• HP Procurve (Layer 2):

On this example, I skipped uplinks interfaces (45 and 47). I have also limited to 2 mac address by interface.
hostname,devtype=procurvehpv2,skip_port=45,skip_port=47,use_trunks,max_macs=2

Not able to execute 'copy running-config startup-config' command

Today, I have encountered the following problem:

MY-SWITCH#copy running-config startup-config
startup-config file open failed (Device or resource busy)

In a first step, I was thinking that the nvram: was corrupted because I was not able to see files in the nvram (dir nvram:). In fact, we were 2 users connected on the switch.


MY-SWITCH#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     admin      idle                 00:00:00 10.10.10.10 => My session
   2 vty 1     admin      idle                 00:07:09 10.10.20.10

 Also, I have just ejected my colleague with the following command:

MY-SWITCH#clear line 2

After that, I was able to backup my configuration.

MAC Flapping detection

By default, the command mac address-table notification mac-move is not configured on a 4k5. This command permits to detect a MAC flapping with a log message (see below generated logs):

#mac address-table notification mac-move

Jul  9 08:12:26.707: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul  9 08:12:28.111: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16
Jul  9 08:12:28.499: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/16 to port Gi2/18
Jul  9 08:12:28.519: %C4K_EBM-4-HOSTFLAPPING: Host A4:CA:DB:48:05:B0 in vlan 50 is moving from port Gi2/18 to port Gi2/16

If this command is not configured you will certainly detect the MAC flapping with a high CPU (if it's monitored!). When you detect a CPU peak, it's not trivial to detect the root cause. To determine whether it's a MAC flapping you can use the following command

C4510#show platform health

                                     %CPU   %CPU    RunTimeMax   Priority  Average %CPU  Total

                                     Target    Actual  Target Actual    Fg   Bg 5Sec Min Hour  CPU

RkiosObflMan                     0.50   0.00      4      0  100  500    0   0    0  51:24

GalChassisVp-review           3.00   0.11     10     40  100  500    0   0    0  1260:27

S2w-JobEventSchedule      10.00   0.90     10      8  100  500    1   1    1  15025:10

...

K5L3Unicast Adj Chan         2.00   0.00     15      1  100  500    0   0    0  12:14

K5L3Unicast Adj Tabl         2.00  11.07     15     11  100  500    6   7    5  55618:52

K5L3AdjStatsMan Revi        2.00   0.15     10     11  100  500    0   0    0  3972:07

...

K5 L2 Unicast Addres          2.00   0.00     20     10  100  500    0   0    0  0:18

K5 L2 Multicast Addr           2.00   0.00     20      0  100  500    0   0    0  0:08

K5 L2 Hardware Addre       2.00  15.06     20     14  100  500   11  12    7  88117:09

As seen above, 2 variables are abnormally high:

• K5L3Unicast Adj Tabl: due to the ARP table refresh. a new MAC address is permanently associated to an IP address.
• K5 L2 Hardware Addre : the relation MAC/physical interface is also permanently refreshed.

To be sure, enter the command mac address-table notification mac-move and check the logs messages.

Archive configuration on a Cisco Switch

In a previously post I have written a script (python) to automatically backup cisco config.
There is another method to backup this configuration. Used the archive command. By this way, it's possible to backup the configuration on a remote FTP server. Below, you will find an example:


ip ftp username user1
ip ftp password password1
!
archive
 path ftp://10.10.10.10/folder/My-switch.cfg
 write-memory
 time-period 1440

The write memory command trigger an automatic backup on the ftp server.
1440 means one backup generate every day.

If you make a mistake and you decide to come back on an old version, it's possible to restore the configuration. The better way is  using this command:


configure replace path ftp://10.10.10.10/folder/My-switch.cfg--9-09-00-23-0

To see the state of the archive you can use the 'show archive' command:


SWITCH#show archive
The maximum archive configurations allowed is 14.
The next archive file will be named ftp://10.10.10.10/folder/My-switch.cfg-%3Ctimestamp%3E-2
 Archive #  Name
   1        ftp://10.10.10.10/folder/My-switch.cfgFeb--9-09-00-23-0
   2        ftp:// 10.10.10.10/folder/My-switch.cfgFeb--9-09-00-37-1 <- Most Recent
   3
   4