Monday, February 15, 2016

DHCP Leases, Determine what device is eating them up

Last Friday afternoon and again this morning I ran into an issue where all available DHCP leases for an entire scope were being used up by 'Bad Address'.  Turns out the device was also presenting an invalid MAC of:  a1020a, then a1020b, a1020c, etc, etc.

First I ping the first IP listed in DHCP to see if it's on the network.. and it was. Then I ssh'd into the core switch, the one performing Layer 3 functions.

sh ip arp

Resulted in a long list of recently resolved IP's, one of which was that first Bad Address. And it's giving me a valid MAC this time!


3750x>sh mac address-table address 0800.0f80.0b9d
          Mac Address Table
-------------------------------------------

 Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0800.0f80.0b9d    DYNAMIC     Gi1/1/4
Total Mac Addresses for this criterion: 1
3750x>sh int gi1/1/4
GigabitEthernet1/1/4 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 44d3.ca02.6834 (bia 44d3.ca02.6834)
  Description: Pole trendnet 10.2.1.35
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX SFP
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:06, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 159
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 182000 bits/sec, 156 packets/sec
  5 minute output rate 3720000 bits/sec, 382 packets/sec
     1373047180 packets input, 419190513395 bytes, 0 no buffer
     Received 64188296 broadcasts (55696255 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 55696255 multicast, 0 pause input
     0 input packets with dribble condition detected
     1971726846 packets output, 1221206759800 bytes, 0 underruns
 --More--

 WOOT! Since I set meaningful descriptions on my switch ports I know where to go next.. The Pole switch.

SSH into 10.2.1.35

switch# sh mac-address-table address 08:00:0f:80:0b:9d

 Vlan    Mac Address         Type     Ports
----    -----------         ----     -----
1       08:00:0f:80:0b:9d   Learnt   Gi0/18

 Total Mac Addresses displayed: 1

 switch#

Boom! Port 18.  I hit the switches Web gui and find out the port is actually hot, and is running at 100mb. 



Disable the port then translate the MAC address at http://www.macvendorlookup.com/


Now I play the waiting game.. hopefully a user will report that their phone is not working.
Posted by at
Labels: ,

1 comment:

  1. Samy MassoudFebruary 17, 2016 at 6:40 AM

    Thanks for great info,
    also you can use this site to translate mac address as well

    https://macvendors.co/

    ReplyDelete

Subscribe to: Post Comments (Atom)