On Thu, Oct 18, 2012 at 7:00 AM, Jonathan Rogers <quantumfoam@gmail.com> wrote:
I like the idea of looking at the ARP table periodically, but this presents some possible issues for us. The edge routers at our remote sites are Cisco 1841 devices, typically with either an MPLS T1 or a Public T1 (connected via an IAD owned by Centurylink; router to router, so dumb). Aside from manually logging in to those individual routers (all 140 or so of them) and checking them on a schedule, can anyone think of a good way to capture that information automatically? If I had to I could probably come up with a script to log in to them and scrape the info then process it but...eww.
quite a few people have leveraged RANCID (http://www.shrubbery.net/rancid/) for doing stuff like this. it is made to pull configs from routers on a cycle and produces text files that can be worked with. you can use the tools that are there to pull specific information, such as arp tables, and then process the resultant files with your scripting language of choice. check the mail list for examples of this kind of thing.
Another possible option (although costly) is installing a Ruckus device at each location; we have a Ruckus infrastructure at our HDQ and it works great (almost too good, it's super sensitive) at picking up rogues. A Ruckus WAP could talk to our ZoneDirector appliance and do that for us at each site, I think, but it may be difficult to justify the cost.
--JR
james
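To illustrate the "pull the ARP table on a cycle, then process the files" approach discussed above, here is an added example that is not from the list thread or from RANCID: a small Python script that parses Cisco `show ip arp` output, diffs two snapshots of the same router, and flags the things a rogue-hunt would care about (addresses that appeared, addresses whose MAC changed, and one MAC answering for several IPs). The sample snapshots are constructed inline; in practice they would be the text files your collector (RANCID or a login script) writes per site.

```python
"""Diff successive Cisco 'show ip arp' snapshots to spot new or changed hosts."""
import re

# Matches the usual 'show ip arp' row layout:
#   Internet  <ip>  <age or '-'>  xxxx.xxxx.xxxx  ARPA  <interface>
# Rows with an 'Incomplete' hardware address carry no MAC and are skipped.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+(?P<iface>\S+)\s*$"
)

# Constructed sample snapshots for one site (addresses and MACs are made up).
SNAPSHOT_MONDAY = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  192.168.10.20           3   00aa.bbcc.dd01  ARPA   FastEthernet0/0
Internet  192.168.10.21          12   00aa.bbcc.dd02  ARPA   FastEthernet0/0
Internet  192.168.10.22           7   00aa.bbcc.dd03  ARPA   FastEthernet0/0
"""

SNAPSHOT_TUESDAY = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  192.168.10.20           1   00aa.bbcc.dd01  ARPA   FastEthernet0/0
Internet  192.168.10.21           0   dead.beef.cafe  ARPA   FastEthernet0/0
Internet  192.168.10.77           2   0c0c.0c0c.0c0c  ARPA   FastEthernet0/0
Internet  192.168.10.78           2   0c0c.0c0c.0c0c  ARPA   FastEthernet0/0
Internet  192.168.10.99           0   Incomplete      ARPA
"""


def parse_arp(text):
    """Return {ip: (mac, interface)} for every complete row in the output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"])
    return table


def diff_arp(old, new):
    """Compare two parsed tables.

    'new'     -> entries present now but not before
    'changed' -> same IP, different MAC (possible re-addressing or spoofing)
    'gone'    -> entries that disappeared
    """
    return {
        "new": {ip: new[ip] for ip in new if ip not in old},
        "changed": {ip: (old[ip][0], new[ip][0])
                    for ip in new if ip in old and old[ip][0] != new[ip][0]},
        "gone": {ip: old[ip] for ip in old if ip not in new},
    }


def multi_ip_macs(table):
    """Return {mac: [ips]} for MACs that answer for more than one IP.

    A single MAC fronting several addresses is what a NATing rogue access
    point or an unexpected proxy looks like from the router's ARP cache.
    """
    by_mac = {}
    for ip, (mac, _iface) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    before = parse_arp(SNAPSHOT_MONDAY)
    after = parse_arp(SNAPSHOT_TUESDAY)
    delta = diff_arp(before, after)
    for kind in ("new", "changed", "gone"):
        for ip, detail in sorted(delta[kind].items()):
            print(f"{kind:8s} {ip:16s} {detail}")
    for mac, ips in multi_ip_macs(after).items():
        print(f"multi-ip {mac} -> {', '.join(ips)}")
```

Run one snapshot per router per cycle and keep the previous file alongside the new one; the diff output is small enough to mail or feed into whatever alerting you already have, and the "changed" and "multi-ip" buckets are the ones worth eyeballing first.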