Hour 136: ARP Tables and TCL Scripts Part 2

In my last post I shared a technique in which you refresh your switches’ ARP tables and then keep the IP-MAC-port mapping in a database for future reference. I would first like to say that there are some third-party monitoring tools that can do the same job for you as a TCL script, but sometimes, due to licensing or security reasons, you won’t be able to add SNMP read/write access to some devices. Also, sometimes you will have a network that is not routed to your monitoring servers. For these reasons, it’s important to know a little bit of scripting so you can automate the data aggregation process.

I did not find any script on the internet that worked with 6500s, so I created my own for you guys to use if needed. For each ARP entry it displays the IP address, MAC address, physical interface, logical interface and the description on the port. Here it is:

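proc arpThistable {} {
    # One ARP entry per line; exclude the header row and rows matching " -"
    set ARP [split [exec "show ip arp | e Protocol| -"] "\n"]
    foreach line $ARP {
        set IP [lindex $line 1]
        set MAC [lindex $line 3]
        set LOG [lindex $line 5]
        # Skip blank lines and Incomplete entries: only a real MAC is looked up
        if {![regexp {^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$} $MAC]} { continue }
        # Physical (Gi/Te) port the MAC was learned on
        set INT [exec "show mac address-table address $MAC | i Gi|Te"]
        set PHY [lindex $INT 6]
        set DESC [exec "show run interface $PHY | i description"]
        puts "$IP $MAC $PHY $LOG $DESC"
    }
}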

Hope this was useful.


Hour 133: ARP Tables and more TCL Scripts

In a large environment, tracking down hosts and servers can be quite a challenge depending on the situation. If the host/server is reachable through ICMP, the task is fairly easy, as you can resolve a port/MAC relationship from the last-hop device’s ARP table. But what if the server/host has a port configuration issue or a physical cabling issue and the ARP cache of its connected device has timed out?

This is a problem that you can encounter, and unfortunately there is not a lot you can do in this situation other than physically trace the cable from the server/host to the device it’s connecting to. This isn’t feasible in most large environments because tracing a cable in a data center can be strenuous and time-consuming. The best way to prevent this is to run scheduled backups of the ARP tables and MAC address tables every day and consolidate them. This way you will have a MAC-to-IP-to-port relationship database and history for future reference. Next time a sysadmin gives you the MAC address or IP of a server that you cannot reach, you can find its last known location through your database.

Before you start running backups of the ARP tables, you need to make sure that all the clients’/servers’ MACs are actually cached in the switches you are pulling backups from. To do this, simply run a TCL ping sweep script from the switch to wake the un-cached ports. Here’s a TCL ping sweep script that I use:

# Sweep 10.1.1.1 through 10.1.1.254
for {set i 1} {$i <= 254} {incr i} {
    set var 10.1.1.
    append var $i
    # 2 echo requests per address, 1 second timeout
    ping $var rep 2 time 1
}

This script sends 2 ICMP echo requests to each address. If there is no entry in the ARP table, the echo request is unconditionally dropped and an ARP request is sent instead. After that, you can run another custom script to get the IP/MAC/physical interface information, or just run the show ip arp and show mac-address-table commands and store the output with a date and time for future use.
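
The consolidation step described above, as an added example that is not part of the original post: Python, run on a management host, that parses saved show ip arp and show mac address-table output into a timestamped SQLite history table and looks up a host's last known port. The sample output and its column layout, the table name sightings, the switch name sw1 and all function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample output, not captured from a real device.
ARP_OUTPUT = """\
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.10          5   0011.2233.4455  ARPA  Vlan10
Internet  10.1.1.1           -   0011.2233.4466  ARPA  Vlan10
Internet  10.1.1.12          0   Incomplete      ARPA
"""
MAC_OUTPUT = """\
  vlan  mac address     type     learn  age  ports
*   10  0011.2233.4455  dynamic  Yes      5  Gi1/1
*   10  0011.2233.4466  static   No       -  Router
"""
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_arp(text):
    """Yield (ip, mac, logical_if); skips header, '-' age and Incomplete rows."""
    for f in map(str.split, text.splitlines()):
        if len(f) >= 6 and f[0] == "Internet" and f[2] != "-" and MAC_RE.match(f[3]):
            yield f[1], f[3], f[5]

def parse_mac(text):
    """Map MAC -> physical port, keeping only Gi/Te ports like the Tcl script."""
    ports = {}
    for f in map(str.split, text.splitlines()):
        macs = [x for x in f if MAC_RE.match(x)]
        if macs and f[-1].startswith(("Gi", "Te")):
            ports[macs[0]] = f[-1]
    return ports

def store_snapshot(db: sqlite3.Connection, switch, taken_at, arp_text, mac_text):
    """Append one timestamped poll to the history table; returns rows stored."""
    db.execute("CREATE TABLE IF NOT EXISTS sightings "
               "(taken_at TEXT, switch TEXT, ip TEXT, mac TEXT, phy TEXT, log TEXT)")
    ports = parse_mac(mac_text)
    rows = [(taken_at, switch, ip, mac, ports.get(mac), log)
            for ip, mac, log in parse_arp(arp_text)]
    db.executemany("INSERT INTO sightings VALUES (?,?,?,?,?,?)", rows)
    return len(rows)

def last_seen(db, key):
    """Newest sighting of a MAC or IP that still had a physical port."""
    return db.execute(
        "SELECT taken_at, switch, ip, mac, phy, log FROM sightings "
        "WHERE (mac = ? OR ip = ?) AND phy IS NOT NULL "
        "ORDER BY taken_at DESC LIMIT 1", (key, key)).fetchone()
```

Pass store_snapshot a connection from sqlite3.connect() on a file path so the history survives between polls, and use ISO 8601 timestamps so that sorting on taken_at returns the newest sighting first.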