Monitoring for use of a gateway IP?

Robin Clayton

Sep 6, 2016, 12:35:31 PM
to sFlowTrend
On one of our switches we have a number of vlans with more than one IP address assigned.

I want to determine if anything is still using these OLD IPs as their default gateway.

Is it possible to use sFlowTrend to capture and alert if any traffic hits the DG IP?

Cheers

Rob

Stuart Johnston

Sep 6, 2016, 5:16:13 PM
to sflow...@googlegroups.com
Rob,

This is a bit tricky, given how the default gateway works. The IP of the gateway is only used to determine the MAC address to send to (the host will do an ARP on the gateway IP to get the MAC). After this, everything is sent to the destination IP at the gateway MAC.

If sFlowTrend was able to decode the ARP request, then, if the ARP was sampled, it could be found. But unfortunately sFlowTrend does not decode ARPs deeper than the outer addresses.

One possibility is that your switch uses a unique MAC address per IP; some do, some share the same MAC across multiple VLANs. If it does have a unique MAC (and I think you are saying you have multiple IPs on one VLAN, in which case it would have to have unique MACs) then finding traffic associated with that address as the gateway would be as simple as filtering for that MAC as a destination MAC (e.g. macdest == ...). You would need to determine the MAC address in question from the switch config. Anything sending to that address should be either using it as a gateway, or talking directly to it (e.g. a management station).

Does that help?

Regards,
Stuart
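
Added example, not part of the original thread and not sFlowTrend code: a Python sketch of the distinction described in the reply above, applied to raw Ethernet header bytes such as those carried in sFlow packet samples. The gateway IP and MAC, the host addresses and the sample frames are constructed assumptions; it also decodes ARP requests for the old gateway IP and skips a single 802.1Q tag.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Assumed values: take the real old gateway IP and MAC from the switch config.
OLD_GW_IP = IPv4Address("192.0.2.1")
OLD_GW_MAC = bytes.fromhex("020000000001")

def classify(frame: bytes):
    """Return (kind, source IP) if the frame involves the old gateway, else None."""
    if len(frame) < 14:
        return None                                   # truncated sample
    dst_mac, off = frame[:6], 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100 and len(frame) >= 18:      # skip one 802.1Q tag
        off = 16
        (ethertype,) = struct.unpack_from("!H", frame, off)
    p = frame[off + 2:]
    # Ethernet/IPv4 ARP request (oper 1) whose target is the old gateway IP
    if ethertype == 0x0806 and p[:8] == bytes.fromhex("0001080006040001") and len(p) >= 28:
        if IPv4Address(p[24:28]) == OLD_GW_IP:
            return ("arp-for-old-gateway", str(IPv4Address(p[14:18])))
    # IPv4 sent to the old gateway's MAC: routed through it, or addressed to it
    elif ethertype == 0x0800 and len(p) >= 20 and dst_mac == OLD_GW_MAC:
        direct = IPv4Address(p[16:20]) == OLD_GW_IP
        return ("direct-to-gateway" if direct else "routed-via-old-gateway",
                str(IPv4Address(p[12:16])))
    return None

def hosts_by_kind(frames):
    found = defaultdict(set)
    for kind, src in filter(None, map(classify, frames)):
        found[kind].add(src)
    return {k: sorted(v) for k, v in found.items()}

# --- constructed sample frames (not captured traffic) ---
def eth(dst, src, etype, payload, vlan=None):
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return dst + src + tag + struct.pack("!H", etype) + payload
def ipv4(src, dst):                                   # minimal 20-byte header
    return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0]) + IPv4Address(src).packed + IPv4Address(dst).packed
def arp_request(sha, spa, tpa):
    return bytes.fromhex("0001080006040001") + sha + IPv4Address(spa).packed + bytes(6) + IPv4Address(tpa).packed

HOST, NEW_GW, BCAST = bytes.fromhex("020000000a0a"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLES = [
    eth(OLD_GW_MAC, HOST, 0x0800, ipv4("192.0.2.10", "198.51.100.7")),   # still routed via old gateway
    eth(BCAST, HOST, 0x0806, arp_request(HOST, "192.0.2.20", "192.0.2.1"), vlan=10),
    eth(OLD_GW_MAC, HOST, 0x0800, ipv4("192.0.2.50", "192.0.2.1")),      # e.g. a management station
    eth(NEW_GW, HOST, 0x0800, ipv4("192.0.2.30", "198.51.100.7")),       # already on the new gateway
]
```

Because sFlow samples packets, a host that sends little traffic may take a while to appear, so an empty result over a short window does not show the old address is unused.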