Hunting Unmanaged Switches

SethGardner
Conversationalist

Hunting Unmanaged Switches

What's the best way to hunt unmanaged switches OR ports with multiple mac addresses associated with them? Ideally, I don't want to click on each port to check this information manually. I'm not familiar with the APIs or where to start with them but If anyone's willing to share I'd be happy to use them especially if the solution is with APIs

6 Replies 6
CoreyDavoll1
Getting noticed

If you don't have a lot of switches to look at then you can just use the switch summary page and make sure port is checked.

 

CoreyDavoll1_0-1725904070449.png

 

rhbirkelund
Kind of a big deal
Kind of a big deal

Set BPDU Guard on the switch ports. If BPDUs are seen on the port, which usually stem from other switches, RSTP blocks the port.

That way you can make sure, no one connects any unmanaged switches to your network.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
GIdenJoe
Kind of a big deal
Kind of a big deal

Unmanaged switches usually do not send BPDU's.

GIdenJoe
Kind of a big deal
Kind of a big deal

First of all: I wish you the best of luck!

Hunting unmanaged switches is very difficult in any kind of network.  And unless you can see every outlet, cable and every cm (or inch if you're US) you always have the risk of missing one due to the fact that some devices might not be on at the moment of your hunt.

You can however start with using what you know.
Step 1: Start by using dashboard and identify each port on each switch that normally should have multiple MAC addresses on them such as connected Access Points, Firewalls, Routers, Server hosts and links to other known switches in the network.

Step 2: Use the default gateway device of each VLAN in your network and ping the broadcast address of each network.  Or if you don't have many VLAN's perhaps run an IP scanner on your network (or NMAP) to ping scan all networks so every host answers and each switch now has most MAC addresses in their table before timing them out in 5 minutes if the hosts become inactive again.

 

Step 3: go to the tools page of your Meraki switches and run the mac address table of each and copy the results to some notepad pages.

 

Step 4: from each notepad document remove all mac addresses seen on ports you identified in Step 1.

 

Step 5: check for ports that have multiple mac addresses on them and note them for further reference.

 

Once you're done you can break out your fluke, go to the switch closets note the patchpanel letters and numbers and check each link using your fluke.  Hopefully the patches are labelled correctly and you have a floorplan that has the correct patch locations on them.  If not that's an entire other work that needs to be budgetted and done.

Brash
Kind of a big deal
Kind of a big deal

This is good advice.

 

As others have said, there's a few different methods you can use to track them down.
 - BPDU Guard (if they're running STP)

 - Looking for multiple MAC addresses on a single port.

 

The latter will be the more accurate way of tracing, however you need to know your environment well enough to understand in what scenario's you might be seeing that behavior. You might see this from certain laptop docks performing MAC address passthrough, servers running virtualization, switchports connecting to AP's etc.

 

If you have a lot of switches in your network, you might consider using the API to do the data gathering. You can output to CSV files and then do a lot of filtering in Excel.

PhilipDAth
Kind of a big deal
Kind of a big deal

I wrote a script for a client that uses this as part of their network validation.  I can't post the whole script, but this is an important snippit:

 

import collections
...
	# Find ports with multiple devices
	portList=[]
	for client in dashboard.networks.getNetworkClients(net['id'],total_pages='all',timespan=15*60):
		# Skip clients with no physical port
		if(client['switchport'] is None):
				continue
		# Skip virtual machines
		if(client['manufacturer'] =='VMware'):
			continue

		portList.append(f"{client['recentDeviceName']}/{client['switchport']}")
	portFrequency=collections.Counter(portList)
	for port in portFrequency:
		if(portFrequency[port]>1):
			print(f"{port} has {portFrequency[port]} devices - there might be an unmanaged switch")
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels