Educause Security Discussion mailing list archives

Re: IP address conflicts / locating


From: Jason Richardson <A00JER2 () WPO CSO NIU EDU>
Date: Sun, 18 Dec 2005 08:55:19 -0600

We currently use Lucent QIP to manage our IP address space and DNS name
assignments.  We're DHCP with reserved IP addresses for those machines
that need them.  This is our second go around with QIP which we used a
few years ago, and liked well enough, but could not afford anymore
because of their pricing model (charging per IP address including
private IPs).  After trying out an appliance solution that ended up
being a disaster, we went back to QIP when Lucent finally got the
picture and made the software affordable enough for a public edu.  We
finally finished migrating everything over to QIP last month and
everyone seems happy enough.  We also have a home grown tool like the
one that Chris describes below.  Our network is mostly Cisco L3, but not
close to all, so writing a tool that could talk to several different
platforms has been difficult, but we've got some pretty good system
programmers on our staff who were able to get it done.  Our security
staff literally uses it every day, often several times/day.  My advice
would be to look at something like QIP, or Netreg, and to go to DHCP
ASAP.

Jason

---
Jason Richardson
Senior IT Security Analyst
Enterprise Systems Support
Northern Illinois University

cmisra () NIC UMASS EDU 12/16/05 10:27 AM >>>
I've asked if we can get a tool which will take as input the IP
address, and give the switch port where this IP is active, identify
where this switch is, and further identify to which building and room
that port connects.  Do other schools have this ability, or am I
asking for too much?

We've had this capability in our toolset for quite a number of years.
It runs under the hood of most of our incident identification,
notification, and remediation toolsets. It is based on SNMP calls
through a perl script and very site localized, but the logic is
transportable.

A few things that make it easier for us are homogeneity of edge
switches, network registration (netreg), and a robust database that
maps switchport to building, room, jack.

The rough process is to query an arp database for MAC-IP mappings
dumped periodically from the router. The logic is to start at the
router, query the 802.1d bridging MIB for the forwarding interface,
query the forwarding interface for the next downstream switching
device, and iterate until the end of the chain. In our case, since we
have a consistent switch vendor, we are able to use vendor-specific
protocol to identify the next downstream switching device, however
this could probably be abstracted away.

Using this, we are able to pass in an IP address and return switch,
port, user, building, room, jack #, etc, in near real time. It takes
on the order of 5-10 seconds to run but is very accurate.

                                -chris
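The iterative trace Chris describes (ARP dump for the MAC, then walk the 802.1d bridging MIB from the router down through each switch until a port with no downstream switch is reached, then join against the jack database) can be sketched as follows. This is an added illustration, not the UMass perl script or any project's code: the SNMP answers, neighbor table, ARP dump and jack database are all constructed in-memory dictionaries with hypothetical names, standing in for what a real script would fetch with net-snmp or pysnmp. The standard OIDs noted in the comments are the ones such a script would walk; the neighbor table stands in for the vendor-specific (CDP/LLDP) discovery the message mentions.

```python
"""Added example: simulated MAC-to-port trace over a constructed topology."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OIDs a real implementation would query (standard MIBs, for reference only):
#   ipNetToMediaPhysAddress  1.3.6.1.2.1.4.22.1.2    router ARP cache: IP -> MAC
#   dot1dTpFdbPort           1.3.6.1.2.1.17.4.3.1.2  BRIDGE-MIB: MAC -> bridge port
#   dot1dBasePortIfIndex     1.3.6.1.2.1.17.1.4.1.2  bridge port -> ifIndex
# Downstream-neighbor lookup (CDP/LLDP) is vendor specific; modelled as a table.

# Constructed ARP dump, as periodically pulled from the router (IP -> MAC).
ARP_DUMP: Dict[str, str] = {
    "10.1.20.57": "00:11:22:33:44:55",
    "10.1.20.58": "00:11:22:33:44:66",  # aged out of a downstream FDB (failure case)
}


@dataclass
class Switch:
    name: str
    fdb: Dict[str, int]        # MAC -> bridge port, as dot1dTpFdbPort would return
    downlinks: Dict[int, str]  # bridge port -> next switch, as CDP/LLDP would return


# Constructed topology: core-rtr port 3 -> dist-1 port 24 -> edge-7 port 12 -> host.
SNMP_VIEW: Dict[str, Switch] = {
    "core-rtr": Switch("core-rtr",
                       {"00:11:22:33:44:55": 3, "00:11:22:33:44:66": 3},
                       {3: "dist-1"}),
    "dist-1": Switch("dist-1", {"00:11:22:33:44:55": 24}, {24: "edge-7"}),
    "edge-7": Switch("edge-7", {"00:11:22:33:44:55": 12}, {}),
}

# Constructed netreg/facilities database: (switch, port) -> (building, room, jack).
JACK_DB: Dict[Tuple[str, int], Tuple[str, str, str]] = {
    ("edge-7", 12): ("Library", "204", "J-204-03"),
}

MAX_HOPS = 16  # guard against loops in bad neighbor data


@dataclass
class TraceResult:
    ip: str
    mac: str
    switch: str
    port: int
    building: Optional[str] = None
    room: Optional[str] = None
    jack: Optional[str] = None
    path: List[Tuple[str, int]] = field(default_factory=list)


def trace_ip(ip: str, start: str = "core-rtr") -> TraceResult:
    """Locate the edge switch/port (and jack) for an IP, starting at the router."""
    mac = ARP_DUMP.get(ip)
    if mac is None:
        raise LookupError(f"{ip}: not in ARP dump (host may be offline)")
    current = start
    path: List[Tuple[str, int]] = []
    for _ in range(MAX_HOPS):
        dev = SNMP_VIEW[current]
        port = dev.fdb.get(mac)
        if port is None:
            # FDB entries age out; report where the chain was last intact.
            raise LookupError(f"{mac}: not in forwarding table of {current}, "
                              f"last seen on {path[-1] if path else 'nowhere'}")
        path.append((current, port))
        nxt = dev.downlinks.get(port)
        if nxt is None:
            # No downstream switch on this port: end of the chain (edge port).
            bld, room, jack = JACK_DB.get((current, port), (None, None, None))
            return TraceResult(ip, mac, current, port, bld, room, jack, path)
        current = nxt
    raise RuntimeError(f"{mac}: more than {MAX_HOPS} hops; neighbor data may loop")


if __name__ == "__main__":
    print(trace_ip("10.1.20.57"))
```

Against the constructed data, `trace_ip("10.1.20.57")` walks core-rtr port 3, dist-1 port 24 and stops at edge-7 port 12, returning Library room 204 jack J-204-03; the second address shows the stale-FDB case a real script has to tolerate, since the router still has the MAC but the distribution switch has already aged it out.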
