Nmap results

[smb]

I was scanning a net at work and see a ton of IPs come up. the first 5 or so are the server and what not. got that. however the next 30 or so, all have the same MAC address. different IPs. the way the nets wired. is it goes through 26 port switches 2 per floor total off.... 7 switches (catalysis 2950's) any idea whats going on here? the switches feed all the rooms on each floor. Not sure if I'm seeing the different computers connected to the switch's or what?

[Defience]

Try using Zenmap which is Nmap in a GUI. Here's an image of how it maps out routes:
http://nukeit.org/wp-content/uploads/2008/08/zenmap02.png

[thetan]

It's important to remember that switches route packet data typically at Layer 2 of the OSI model commonly referred to as the Data Link Layer. This layer comes before and thus encapsulates the Network Layer (Layer 3, the IP layer). Meaning that switches could really care less about any given IP address coming in or going out from any given port as their focus is on the MAC address (also known as Ethernet address or hardware address). Switches typically learn what hardware device is connected to what port just by monitoring the flow of data and mapping MAC addresses to specific ports, kind of like an ARP table but with physical ports instead of IP's.

Now knowing that switches learn and build these MAC address tables to route data efficiently, think about what would happen to those MAC tables if switches didn't blast their MAC address over everything they push out?

Here's a real world example. At my work we have 5 48 port gigabit switches (almost every port is used too) which total out to over 240 Mac addresses (switches have MAC addresses too) meaning that for every packet sent through every port that switch would have to search (typically a binary search, meaning it's a worse case O(log n) operation, which isn't bad ... yet) for that MAC address to find out what port to send it in. Now 240 doesn't sound like a big number but remember it's a gigabit switch meaning it has to search that MAC table thousands of times per port (assuming every host is always sending data) for 48 ports.

However, it's worth noting that you can have virtual interfaces to physical NIC's which is another case where you can have matching MACs to seperate IP's. However, in this case 30 virtual interfaces may be a bit extreme (unless you're running a VPS service or something)

So yeah, best bet says it's the switches MAC address written over to minimize MAC tables. Port scan for port 21 being open on all of those with the matching MAC and try to telnet into any one you find, i bet one will be a switch.

Or if you connect a terminal (usually via 9 pin serial port) or a computer with a terminal emulator to the switch and reboot it, it will usually print the MAC address during the boot process.