This question probably involves both some networking theory and some practical details. It's been a while since I've studied layer 2 stuff so perhaps I just need a refresher.

Say you have a list of the MAC addresses of all the NICs that are connected to the same switch, but no layer 3 information for those interfaces. How can you discover whether that MAC is within your broadcast domain if you are on another host also connected to that switch? You can't do a RARP discovery based on it's MAC address and have it return whether it discovered that MAC in your broadcast domain can you? Does RARP even work to lookup layer 3 addresses for remote hosts given a MAC address, or only to resolve your local interface's layer 3 info (I've read conflicting answers on that)?

Now, if you have a switch you can list its mac address table and it will tell you the ethernet layer MAC address of all hosts connected to it on each port, whether they have a layer 3 protocol/address assigned or not (correct?). How does a switch do this without ARP/RARP which involves layer 3 at some point?

In my scenario where I have the MAC but not an IP (if that's even the protocol we are using) I would ideally want to use something akin to RARP and have it ask "who has mac address [X]?" or even "is there a layer 2 interface with mac address [X] in my broadcast domain?".

Even if your hosts that are hooked up to the same switch are on different IP subnets (say 10.0.X.X and 10.10.X.X with a 255.255.0.0 mask) can you not still query whether a MAC address is present on the physical network in a layer 2 broadcast domain regardless of layer 3 assignments? I haven't seen a way to do this, and I'm not sure if switches are an exception, but I think I could benefit from knowing the reasons behind a 'yes', 'no', or 'other' answer.

This may be elementary networking, but like I said I need a refresher. Thoughts?

Also of interest to me are the questions presented at these two links:

http://unix.stackexchange.com/questi...-no-ip-address (Title: "Remotely access Linux box with no IP address")

My interest is similar but not identical to the question asked there. I wouldn't expect to actually access something that doesn't have a layer 3 address, but it would be interesting if you could still do a remote "Are you even out there mac address 00:14:22:01:23:45?" with a response "Yes, I'm here..." for something that has no IP assigned. This I think would help to discover if a host is in your broadcast domain or in a different one.

http://forums.anandtech.com/showthread.php?t=1280462 (Title: "how can I use rarp to resolve an ip from a mac address?")

I can't seem to actually find a rarp command/binary like mentioned in that thread for Linux, and what google turns up for "rarp" commands seems to be for UNIX only. Obviously the protocol is usable on Linux but I'm not sure how to execute a RARP lookup with MAC address only given tools available in Linux (I use RHEL).

So it looks like there are a few considerations here. The first limitation it appears is that switches only implement passive MAC learning (according to IEEE Standard 802.1D), and by that I mean that unless the host establishes a link and sends an ethernet frame to the switch in order to communicate with it (normally in the course of trying to contact another host) the switch will not learn the Media Access Control (MAC) address of that host's NIC. Switches do not appear to have any reason to actively poll hosts connected to it in order to just populate and keep its MAC table up-to-date.

The primary reasons for that are probably the obvious ones: A) that it would generate unnecessary traffic and B) that in situations where a very large quantity of devices are connected it would "unnecessarily" bloat the switch's MAC table and consume more memory. So it is a resource consideration. But what if resource considerations could be mitigated in certain situations or simply by the advance in technology, speeds, memory capacity, etc.?

Now, that is well suited for the majority case of LAN/WAN usage these days, and is implemented for some very wise reasons from specifications from the IEEE, but what if you had a specialized use case in which you wanted the ability to poll all attached NICs to discover their MAC addresses? This might actually require an extension or modification of the Ethernet protocol. In fact it looks like this has been proposed before for various reasons, and in one case has been suggested for adding a load-balancing capability at Layer 2 in switches for use in metropolitan area networks (MANs) as mentioned in a paper published in the Journal of Lightwave Technology (http://www.tel.uva.es/personales/ign...ta_JLT04.pdf):

This proposes "explicit teaching" (advertising) of MAC information and its abstract even mentions a "proposed extension of the MAC protocol".

Currently the IEEE Standard 802.1D specifies this about MAC learning:

And the entirety of the section of the spec which defines the MAC learning process (7.8) reads:

The practical implementation of the "Filtering Database" in a bridge or switch would either equate to or, at minimum, include the MAC table. So obviously if one wanted to change the standard they could potentially change a switch's behavior to comprehensively poll for MAC addresses of attached devices/hosts, which may in turn require an extension of the ethernet protocol (or creation of a new potocol, say, the MAC Advertisement Protocol a.k.a MAP [hey! sounds like an idea!]) to allow such active discovery or advertisement.

So what does this mean for the humble every day user or Systems Administrator?

Basically, it would seem, all you can do is utilize the switch's MAC table if you don't know any layer 3 information for the device. Can this information be obtained from a host attached to a switch without connecting in a shell or terminal (ssh, telnet, serial port, etc.) to the switch? Yes, but the answer is not terribly convenient since it involves the Application Layer 7 and requires an SNMP service to be running on the switch. I realized that is possible to obtain a switch's MAC and ARP tables from a switch via SNMP and some of Cisco's Catalyst switches also provide the ability to return to you the port associated with a MAC address you provide it: Using SNMP to Find a Port Number from a MAC Address on a Catalyst Switch. There apparently is some way to do this with virtual switches in VMWare as well discussed here and here.

One could conceivably write a script to query via SNMP for the MAC table then parse the entries for the MAC addresses and then feed that in to the SNMP port number service provided (at least for Cisco switches), and then you could derive information from there. It wouldn't necessarily tell you anything about broadcast domain boundaries (the concern in the opening post) however. That's the best thing that I can think of though, to locate other hosts attached to the same switch by MAC address.

Have I left off any relevant considerations in this topic?

Of course, I know there are security considerations in all this as well. A MAC advertising protocol might be problematic for security...

Most operating systems generate chatter of some description. Switches tend to generate STP and SNMP traps, routers often chuch out CDP/LLDP frames, Desktop OS's spontaneously generate all manner of junk.

More often than not of you are waiting for MAC tables to update you don't tend to wait too long.

Some devices are genuinely passive though and will only speak when spoken to. If you have lost the IP address and passwords etc, as happens far too often, your best bet is a port scanner.

nmap will find most things for you. Unless, as I found recently, the system they'd "forgotten" the address for could only be accessed from a specific host and they'd forgotten which one!