Re: Network "Change Management"

Zow Terry Brugger wrote:

> Dave,
>
>  
>
> > Does anyone know of a Linux utility that can watch the MAC address
> > tables in Cisco switches and alert admins as to when a new device has
> > been plugged in?
> >    
>
> I don't work with Cisco switches too much, however you may be able to 
> configure it to send an snmp alert to your Linux box when a new device is 
> plugged in. You'd then use snmp-util (or whatever it's called these days) to 
> handle the message on the Linux side.
>
>  
I don't think this is possible.

> Alternatively you can set up arpwatch on your Linux box and periodically ping 
> your whole range of IPs. Arpwatch will alert you when it sees new or changed 
> MAC addresses for those IPs.
>
>  
Well, this would only work for IP addresses that are within your subnet,
otherwise you'll only get the MAC address of your gateway back.

The easiest thing to do is to poll your router with SNMP, I believe
current arpwatch distributions can do that too, so you would have
both at once.

It all depends on why you want to do this Dave. Since you're mailing to a
security mailing list, I will assume you would like to keep track of what's
going on on your network. Are you familiar with 802.1x layer 2 
authentication?

This can be set up so users will actually have to log in for layer 2 access,
and when they're authenticated, you could for example get a RADIUS
accounting message that will give you, among other things, the user's
MAC address and his login name.

Regards,
Fred Leeflang