Src and Dst IP?

Hello everyone,

I have recently started working in a NOC role, and whenever I get an incident raised that a particular user cannot access a certain application, the senior engineers ask me to obtain the source & destination IP addresses and the source MAC address.

My question is: why do they need that information? How are they able to investigate the issue knowing the above?

I know this is a very general question, any help is appreciated!

The MAC, SRC and DST IPs are fundamental to troubleshooting connectivity issues. They use these to trace the connectivity dynamically and in logs.

Because they most likely want to check the port the user is connected to for issues (the MAC enables them to find it) and, with the IPs, verify that the path through the network and/or firewall rules are not blocking the traffic somewhere between the source and the destination.

If you want to endear yourself to them, gather this information from the user/user’s PC before you escalate the ticket. Saves everyone time in the end.

  • Asking this question without a source and a destination address is like asking a plumber to “fix a leak in my house”. Regardless of how helpful, cooperative, or talented anyone is, they still need to know what your address is and what room of the house the leak is in.

  • Users lie. Yes, even when they don’t mean to. “I can’t access ” is a statement that’s mutated and filtered by the user’s knowledge level. There are a bunch of assumptions in that statement which can only be cut through by reducing the problem down to its minimum, technical truths.

You start with the source and then trace to the destination, checking every ingress/egress interface for errors and also checking each device in the path for any abnormalities like CPU or memory spikes, bridge loops and routing loops. Then go to the destination and trace back to the source.

Then, to top it off, the network engineer has to do a bug scrub on each device if no problems are found at L1/L2/L3.

Honestly, the senior engineers should be able to answer this question. If they are not willing to teach/explain, then do what you have to do and move on.

Google “path of the packet cisco”.

Uhm, how did you get a role at a NOC if you are asking things like that? What do you know about how network traffic flows?

Thank you! On a Cisco router/switch, what sort of troubleshooting steps can be useful once the information is obtained?

Yes, that is the plan! But I also want to be able to learn how to take the next steps once the information is obtained.

Great, thanks!

When you are given a source IP, do you log on to a router and do “show arp” to map the IP to the MAC? So you’ll have the port?

If you can’t answer the question, don’t be an a** :)

That’s a pretty long list of possible options which takes a considerable amount of study to understand. There are literally thousands of commands available on routers and switches. Sounds like you need to start at something like TCP/IP for dummies and work your way up from there, but at the very least of those is ping and tracert.

Essentially all of the troubleshooting steps. Without a data point to search, no troubleshooting can be done.

You probably don’t have access to look at the kind of things that they will be looking at. But one thing you can do is verify that the user’s PC can ping the destination IP. You can also try to determine the port used by whatever app you’re troubleshooting. Then if it’s a TCP port you can use telnet to try to connect to the destination on that port. If you get a connection, then you can be reasonably sure that you aren’t being blocked by a firewall.

First, get the HW MAC from the router:

show ip arp | i “ip address”

Then log in to the switch and get the port info:

show mac-add add | i “MAC address”

Then do a show interface on the port and see if it’s the host or another switch, then keep tracing.
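The router-then-switch trace described in the post above, as an added example that is not part of the original thread: a Python sketch that parses “show ip arp” and “show mac address-table” output and follows the MAC from switch to switch until it reaches an edge port. The CLI output, the switch names and the UPLINKS map are constructed for illustration.

```python
import re

# Constructed sample CLI output (not from the thread), in typical Cisco IOS layout.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.57              4   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.99              0   Incomplete      ARPA
"""
HDR = "Vlan    Mac Address       Type        Ports\n"
MAC_TABLES = {  # hypothetical switch name -> "show mac address-table" output
    "core-sw":   HDR + "  20    0011.2233.4455    DYNAMIC     Te1/1/1\n",
    "access-sw": HDR + "  20    0011.2233.4455    DYNAMIC     Gi1/0/14\n",
}
# Hypothetical uplink map (in practice read from CDP/LLDP neighbours).
UPLINKS = {("core-sw", "Te1/1/1"): "access-sw"}

def norm_mac(mac):
    # Accept 00:11:22..., 00-11-22..., 0011.2233.4455; return Cisco dotted form.
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def mac_for_ip(arp_text, ip):
    # Exact match on the address field: "| i 10.1.20.5" would also hit 10.1.20.57.
    for f in map(str.split, arp_text.splitlines()):
        if len(f) >= 4 and f[0] == "Internet" and f[1] == ip:
            return None if f[3] == "Incomplete" else norm_mac(f[3])
    return None

def port_for_mac(table_text, mac):
    # Data rows start with a VLAN number; header rows are skipped.
    for f in map(str.split, table_text.splitlines()):
        if len(f) >= 4 and f[0].isdigit() and f[1].lower() == mac:
            return f[3]
    return None

def trace(ip, start_switch):
    # Returns (mac, [(switch, port), ...]); the last hop is the edge port.
    mac, hops, switch = mac_for_ip(ARP_OUTPUT, ip), [], start_switch
    while mac and switch and len(hops) < 16:   # hop limit guards against loops
        port = port_for_mac(MAC_TABLES[switch], mac)
        if port is None:
            break
        hops.append((switch, port))
        switch = UPLINKS.get((switch, port))
    return mac, hops

print(trace("10.1.20.57", "core-sw"))
```

An “Incomplete” ARP entry returns no MAC, which means the router never got an ARP reply from the host, so there is nothing to trace on the switches.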

Well, you can always try doing minimal research if you don’t know the answer instead of going straight to Reddit or another forum.

Thank you. Just a last question - if I obtain the user’s MAC address and do a “show mac address-table ‘address’” and am able to see the machine there (so the switch IS learning the MAC), does that mean it could potentially be an L3 issue?

I have tried, btw, and I thought you can ask anything on Reddit. If you don’t know the answer or are annoyed by the question, then not sure why you are here commenting :)

If you work in a NOC you should get a CCNA certification. The non-Cisco fundamentals it includes are the best. This is the best training+cert I ever got.

Yes, it could be an L3 issue. You should also check that the VLAN is present on all switches on the way to the router (gateway).

On router:

You should run “sh ip arp” and see that the IP and MAC are in there.

Run “ping DSTIP source GWIP” and see if it gets a response.

You should also check that the IP, mask, gateway and DNS servers match what you expect them to be.