What kind of tools do folks use to detect duplicate MAC addresses in a bridged LAN? I am trying to find out how long it takes to detect duplicates. I assume the methods used would be based on heuristics since in the normal case, a bridged LAN would simply see the MAC address moving.
Right. What I used to do was SNMP monitor the switch forwarding tables; the "movement" would be noticed in the MAC to port database the next time the summarization was run. I had a list of "expected" MACs per non-trunk port, and any MAC showing up where it wasn't expected in the summarization was immediately emailed to me. The database knew which port was allocated to which room, and which MAC belonged to which computer, and I had information about which computer belonged to which person, so when there was a movement reported, I would look to see whether the movement was "reasonable" (e.g., the person moved to the other jack in the same room, or moved one of the lab devices to another lab). Previously unregistered MACs or unexpected movements were questioned.
The hard part in all of this was not in developing the software or the initial databases, which merely took time and some creativity to figure out the varieties of lies different switch models were prone to: The hard part in all of this was getting the various group sub-administrators to tell me when new computers were added. Try to get them to periodically send a list of new IPs, hostnames, owners and MACs... the most basic of information for network maintenance, but even going to their boss's boss usually didn't have much effect :( I tell ya, MAC-level lock-downs on the switches were considered more than once!
Correct me if I'm wrong, but MAC-level lockdown pretty much works like an ACL, so you would have to know the MAC address of every single device in your network. And how would something like that work in a mobile environment - person with laptop moves from cafeteria to conference room to desk?
I no longer recall clearly; figures of 10 and 20 minutes are running through my mind. Most switches don't like to be SNMP polled too often, and rate-limits on SNMP are not uncommon (since SNMP often is handled by the master CPU instead of one of the ASICs or line cards.)
Nearly correct. Switches often have a mode in which they will learn and lock on to the first (or the first N) MACs after a reset; some such switches allow aging of the entries and some do not.
Probably not so well. My situation was one in which movement of most devices was uncommon; the network probe was about the only device that moved to random locations.
If up were working with wireless, then I understand that the better brands of wireless access points offer facilities for smooth hand-off of device from AP to AP, ("associate with strongest signal" is often not the best policy in mobile wireless, apparently). But that kind of facility doesn't answer your original query of locating -duplicate- MACs.