Introduction on the Key Points

Duplicate IP addresses are one of the most common yet frustrating issues network engineers face in multi-vendor environments. They cause intermittent connectivity issues, ARP flapping, MAC address instability, and even network outages if not detected early.

As a Python for Network Engineer practitioner, you can save hours of manual troubleshooting by automating ARP table scans for duplicate IPs using pyATS. Unlike manual show arp commands on each device, this approach runs a single test script across Cisco, Arista, Palo Alto, and Fortinet devices to:

• Collect ARP entries from all devices in your network
• Identify duplicate IP addresses mapped to different MAC addresses
• Provide a vendor-agnostic, structured report for immediate action

This tutorial walks you through building a fully automated duplicate IP detection tool using pyATS, making your network health checks proactive and scalable.

Topology Overview

For this lab, we’ll consider a simplified multi-vendor network:

• R1: Cisco IOS-XE router (core)
• R2: Arista switch (distribution)
• FW1: Palo Alto firewall (security segment)
• FW2: Fortinet firewall (edge)

Duplicate IPs may appear if:

• Rogue DHCP servers assign overlapping addresses
• Manual static IP configurations clash
• Virtual machines or container workloads reuse IPs across VLANs

Our automation ensures we detect these anomalies before they cause downtime.

Topology & Communications

• Protocols: ARP is a Layer 2 protocol used to resolve IP-to-MAC mappings.
• Communication: pyATS connects via SSH to each device.
• Data Gathering: show arp (Cisco, Arista) or equivalent CLI commands (Palo Alto, Fortinet) are parsed using Genie or custom parsers.
• Cross-checking: We check for multiple MACs mapped to the same IP within and across devices.

Workflow Script

from genie.testbed import load
import json
from collections import defaultdict

def collect_arp_entries(device):
    device.connect(log_stdout=False)
    output = device.parse('show arp')
    device.disconnect()
    
    arp_data = []
    for entry in output.get('interfaces', {}).values():
        for arp in entry.get('arp_table', {}).values():
            arp_data.append({
                'ip': arp.get('ip'),
                'mac': arp.get('mac'),
                'interface': arp.get('interface'),
                'device': device.name
            })
    return arp_data

def find_duplicates(arp_entries):
    ip_to_macs = defaultdict(set)
    duplicates = {}
    
    for entry in arp_entries:
        ip_to_macs[entry['ip']].add(entry['mac'])
    
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            duplicates[ip] = list(macs)
    return duplicates

if __name__ == "__main__":
    testbed = load('testbed.yml')
    all_entries = []
    
    for name, device in testbed.devices.items():
        print(f"Collecting ARP entries from {name}...")
        all_entries.extend(collect_arp_entries(device))
    
    duplicates = find_duplicates(all_entries)
    
    with open('duplicate_ips.json', 'w') as f:
        json.dump(duplicates, f, indent=4)
    
    if duplicates:
        print("Duplicate IPs found:")
        print(json.dumps(duplicates, indent=4))
    else:
        print("No duplicate IPs detected.")

Explanation by Line

• collect_arp_entries: Connects to each device, parses ARP entries, and extracts IP, MAC, and interface details.
• find_duplicates: Maps IP addresses to MAC addresses and flags those with more than one MAC.
• Main Execution: Iterates over all devices in the testbed, aggregates ARP data, and outputs any detected duplicates to a JSON report.
• Vendor Agnostic: With Genie parsers or custom parsers for Palo Alto and Fortinet, the same logic applies seamlessly.

testbed.yml Example

testbed:
  name: arp_duplicate_test
  devices:
    R1:
      os: iosxe
      type: router
      connections:
        cli:
          protocol: ssh
          ip: 192.168.10.1
      credentials:
        default:
          username: admin
          password: cisco123

    R2:
      os: eos
      type: switch
      connections:
        cli:
          protocol: ssh
          ip: 192.168.10.2
      credentials:
        default:
          username: admin
          password: arista123

    FW1:
      os: panos
      type: firewall
      connections:
        cli:
          protocol: ssh
          ip: 192.168.10.3
      credentials:
        default:
          username: admin
          password: palo123

    FW2:
      os: fortinet
      type: firewall
      connections:
        cli:
          protocol: ssh
          ip: 192.168.10.4
      credentials:
        default:
          username: admin
          password: forti123

Post-validation CLI Screenshots (Expected Output)

Cisco R1:

R1# show arp
Protocol  Address       Age  MAC Address     Interface
Internet  192.168.10.50   0   aabb.cc00.1111  Gi0/0
Internet  192.168.10.50   0   aabb.cc00.2222  Gi0/1

(Duplicate IP with different MACs detected)

Script Output:

{
  "192.168.10.50": [
    "aabb.cc00.1111",
    "aabb.cc00.2222"
  ]
}

FAQs

1. How does the pyATS script detect duplicate IP addresses?

The script collects ARP table entries from multiple devices and checks for IP addresses that map to more than one unique MAC address. If a single IP appears with different MACs, it’s flagged as a duplicate.

2. Can this script work across Cisco, Arista, Palo Alto, and Fortinet devices?

Yes. pyATS uses Genie parsers for Cisco and Arista, while Palo Alto and Fortinet can be supported with custom parsers or CLI commands, making the solution fully multi-vendor.

3. Will this script disrupt production traffic?

No. It only runs read-only show arp or equivalent commands via SSH, so it’s completely safe for live production environments.

4. Can it also detect duplicates for IPv6 addresses?

Yes. With slight modifications to use show ipv6 neighbors, the script can detect duplicate IPv6 addresses alongside IPv4 duplicates.

5. How scalable is this solution for large enterprise networks?

It’s highly scalable. pyATS can handle hundreds of devices in a single test run, and you can use multiprocessing or distributed execution for faster collection.

6. Can the report be automatically sent to teams or monitoring systems?

Yes. The output can be formatted as JSON, CSV, or HTML and sent via email, Slack, or integrated with NMS/monitoring dashboards for proactive alerting.

7. How frequently should we run this duplicate IP detection?

It depends on your network’s dynamics. For DHCP-heavy environments or high churn networks, you can run it every few hours; otherwise, daily or weekly scans work well.

8. Does this method detect duplicates across VLANs or VRFs?

Yes. The script collects ARP entries per interface, VLAN, or VRF. You can enhance it to group results by VLAN/VRF for better visibility of duplicates in segmented networks.

YouTube Link

Watch the Complete Python for Network Engineer: Identify duplicate IPs in ARP table across vendors using pyATS for Cisco [Python for Network Engineer] Lab Demo & Explanation on our channel:

Join Our Training

Detecting duplicate IPs manually wastes time and leaves networks vulnerable to outages. By mastering pyATS and Python automation, you can proactively prevent such issues across Cisco and multi-vendor networks.

Trainer Sagar Dhawan offers a 3-month, instructor-led program teaching Python, Ansible, APIs, and Cisco DevNet for Network Engineers. You’ll build hands-on projects like this one, boosting your automation expertise and career opportunities.

Join Our Training and transform your networking career with Python for Network Engineer skills.

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088