Splunk Lantern

Duplicate IP addresses in Cisco IOS devices

IP addresses uniquely identify each and every network device and should never be duplicated. However, networking misconfigurations and circumstances sometimes cause IP addresses to be duplicated across devices, which then leads to unpredictable system behavior. You want to use a Splunk search with your Cisco IOS device logs to detect the presence of duplicate IP addresses and emit a message when found. 

Data required 

Cisco IOS

The Cisco IOS system message logging process uses the syslog protocol to send important messages to remote logging services, such as Splunk. The required add-on expects the data stream to be assigned the syslog sourcetype by the input configuration and will rename it to cisco:ios in the transformation configuration. For details on how the transformation is implemented, see the props.conf and transforms.conf in the add-on and the Splunk documentation. For more information on syslog and Splunk, see the (SYSLOG) Syslog Data Collection section of the Splunk Validated Architectures white paper.

Procedure

  1. Configure the Cisco Networks Add-on for Splunk Enterprise. (This add-on can also be used in Cloud environments.)
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=cisco:ios mnemonic="DUPADDR"
| stats count values(src_mac) AS "On MACADDR" values(src_interface) AS interfaces BY host src_ip
| rename src_ip AS Duplicate_Address

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=cisco:ios 

Search only Cisco IOS data. 

mnemonic="DUPADDR"

Filter for duplicate address error messages. 

| stats count values(src_mac) as "On MACADDR" values(src_interface) as interfaces by host src_ip

Count the number of duplicate address error messages and show which address is the duplicate and on which MAC address it was found.

| rename src_ip AS Duplicate_Address

Rename the field as shown for better readability.
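
To check what the search should return before relying on it, the same grouping can be reproduced offline over raw messages. The following is an added example, not part of the original article or the add-on: the sample lines are constructed, the raw message layout ("Duplicate address <ip> on <interface>, sourced by <mac>") is an assumption about how the device logs the event, and the function names are hypothetical. Field names match those used in the search.

```python
import re
from collections import defaultdict

# Assumed raw message body: "%IP-4-DUPADDR: Duplicate address <ip> on <intf>, sourced by <mac>"
DUPADDR = re.compile(
    r"%IP-\d-DUPADDR: Duplicate address (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r" on (?P<src_interface>\S+), sourced by (?P<src_mac>(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
)

# Constructed (host, raw syslog line) pairs; host is the reporting Cisco device.
SAMPLE_EVENTS = [
    ("10.10.20.30", "*Mar  1 00:01:12: %IP-4-DUPADDR: Duplicate address 192.168.211.1 on FastEthernet0/0, sourced by 0015.f987.941a"),
    ("10.10.20.30", "*Mar  1 00:01:42: %IP-4-DUPADDR: Duplicate address 192.168.211.1 on FastEthernet0/0, sourced by 31CE.6720.96A5"),
    ("10.10.20.30", "*Mar  1 00:02:12: %IP-4-DUPADDR: Duplicate address 192.168.211.1 on FastEthernet0/0, sourced by 0015.f987.941a"),
    ("10.10.20.31", "*Mar  1 00:02:30: %IP-4-DUPADDR: Duplicate address 192.168.50.7 on Vlan50, sourced by 0011.2233.4455"),
    ("10.10.20.31", "*Mar  1 00:03:01: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up"),
    ("10.10.20.31", "*Mar  1 00:03:05: %IP-4-DUPADDR: Duplicate address (truncated"),
]

def normalize_mac(cisco_mac):
    """Convert Cisco dotted notation (0015.f987.941a) to 00:15:f9:87:94:1a."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_dupaddr(raw):
    """Return src_ip/src_interface/src_mac for a DUPADDR line, else None."""
    m = DUPADDR.search(raw)
    if m is None:
        return None
    fields = m.groupdict()
    fields["src_mac"] = normalize_mac(fields["src_mac"])
    return fields

def summarize(events):
    """Mirror `stats count values(src_mac) values(src_interface) BY host src_ip`."""
    groups = defaultdict(lambda: {"count": 0, "macs": set(), "interfaces": set()})
    for host, raw in events:
        fields = parse_dupaddr(raw)
        if fields is None:  # other mnemonics and malformed lines are skipped
            continue
        g = groups[(host, fields["src_ip"])]
        g["count"] += 1
        g["macs"].add(fields["src_mac"])
        g["interfaces"].add(fields["src_interface"])
    return {k: {"count": v["count"], "On MACADDR": sorted(v["macs"]),
                "interfaces": sorted(v["interfaces"])} for k, v in groups.items()}

if __name__ == "__main__":
    for (host, ip), row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(host, ip, row)
```

A row listing more than one MAC address for the same host and address, as for 192.168.211.1 here, means two different devices are claiming that IP address on the reported interface.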

Next steps

The following is a sample result from the search and shows a duplicate IP address, the MAC addresses that the IP address is assigned to, and the host and interfaces involved. The host refers to the Cisco device that reported the error. 

| host | Duplicate_Address | count | On MACADDR | interfaces |
| --- | --- | --- | --- | --- |
| 10.10.20.30 | 192.168.211.1 | 83 | 00:15:f9:87:94:1a 31:CE:67:20:96:A5 | FastEthernet0/0 |

Finally, you might also want to look at similar searches in our article Managing Cisco IOS devices.