If you have a big network with multiple Access Switches connecting to the core switches or routers then tracing a device like a PC or a laptop for troubleshooting or security purposes is one of those tasks that you often end up doing. This is not a difficult task but can certainly be time consuming.
Lets start with an IP address on hand. If you have an IP address on hand quickly ping and check if the device is pingable. If yes, then simply logon to one of your core switches or routers and do a simple sh ip arp
Core1# sh ip arp 192.168.1.15
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.15 22 0000.1111.1111 ARPA Vlan1
From the above you know the MAC Address of for the device:
IP Address : 192.168.1.15
MAC Address : 0000.1111.1111
Now, do a show mac-address command on the core switch or router. This will show the interface to which it is connected or through which it is learned.
Core1# sh mac-address-table address 0000.1111.1111
Legend: * – primary entry
age – seconds since last seen
n/a – not available
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Te1/1
This indicates that the device is either connected to the port or though another switch which is connected to the interface. Looking at this, it is very likely that this is a uplink (TenGigabit Ethernet link) to another Distribution or Access switch.
Sometimes, the output might show as follows [note the Po1]
Legend: * – primary entry
age – seconds since last seen
n/a – not available
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Po1
This indicates that there is a etherchannelis being setup. So do a "show etherchannel" command to find the phsycial ports that are paired.
Core1# show etherchannel summary
Flags: D – down P – bundled in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3 S – Layer2
U – in use f – failed to allocate aggregator
M – not in use, minimum links not met
u – unsuitable for bundling
w – waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators: 6
Group Port-channel Protocol Ports
——+————-+———–+———————————————–
1 Po1(SU) – Te1/1(P) Te2/1(P)
This shows the ports Te1/1 or Te2/1 as a source through which the address is learnt.
Now, do a "show cdp neighbors" to show the directly connected devices.
Core1# sh cdp neighbors
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Access1 Ten 1/1 129 R S I WS-C6509 Ten 1/1
That tells you, it is the Access switch 1 that is connected to Te1/1 and not the device itself.
Now, log onto the Access switch and do a "show mac-adddress-table" command for the MAC address and that should show the interface to which it is connected
[NOTE: unless it is a distribution switch to again there are a bunch of Access switches connected in which case, you need to go through the whole procedure as above again]
Access1# show mac-address-table 0000.1111.1111
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Gi1/24
As you can see which port the device is connected and on which switch.
Now do a "show interface" command to show the port details.
Access1>sh int gigabitEthernet 1/24
GigabitEthernet1/24 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
…..
…
..
.
There you go you found the device switchport that you tried to trace!!!
Have you tried ZipTie? It’s an open source network management program that does this kind of stuff for breakfast! 🙂 Seriously, like right-click on a switch and run the Switchport/MAC mapping tool, view the results. Then even type in an IP address and it will tell you which MAC it is and which switchport it is connected to. Talk about handy for finding which port a desktop machine is connected to!
I noticed you also had a blog about how to show chassis serial number and part numbers. ZipTie captures all that too along with backing up your device configurations. And it supports not just IOS, but Juniper, Nortel, Radware, Force10, and a bunch of equipment providers.
I know all this because I work on the ZipTie project! 🙂
Seriously, we’re awesome. No network engineer should be without us.
Hi,
Thanks for the input. I’ve been watching and evaluating Ziptie for quite sometime…Was just going to do a write up on ziptie and other similar tools (all opensource). You just got here early 😉
Ziptie is a great product, great framework!!!!
Kumaran
Cool! step. Thnks from Thai-Network Admin.
how to bind an public Ip with the MAC address in either Cisco switch 2960 or Cisco Router 1842 series
I’ve read many of these articles explaining this process but where I always have trouble is obtaining the correct MAC address. From the core switch, when I perform a sh ip arp 10.x.x.x I get a blank response. When I try this from a distribution switch, I get a MAC address in return, but not the MAC of the actual system I’m trying to locate. I believe it’s the MAC address of the etherchannel Po1 that’s being returned. I verified this by RDP’ing to the actual system and verifying it’s MAC address, but many times, this is not possible. Argghhh, might have to look into this ziptie thing. 🙂
thanks
amit yadav
on your core router holding all your gateways try
sh ip arp xxxx.xxxx.xxxx
you should get the
protocol ip_Address Age Hardware Addr(MAC) Type Interface
eg.
Internet 192.x.x.x 80 xxxx.xxxx.xxxx ARPA VlanXX
really helpful,thank u very much,,
I have server with four NIC Card all are connected to One Core Switch 6500, some are configure as virtual ip address those are phyiscal connected also, and giving same Mac Address, i want to know connect port of each interface on switch. please send the command to find out
which port ip address are connected and port Numbers.
thanks in advance
shareef
sh ip dhcp snooping binding int f0/22
#sh ip dhcp snooping binding int f0/22
MacAddress IpAddress Lease(sec) Type VLAN Interface
—————— ————— ———- ————- —- ——————–
00:1A:A0:91:xx:xx 10.15.26.168 85502 dhcp-snooping 626 FastEthernet0/22
Total number of bindings: 1
Hi,
I’m try to locate where the MAC address connected to but it not showing on the interfaces. Below is how I figure. Can you please help / explain to me?
core>sh ip arp f6d0.9822.bb06
Protocol Address Age (min) Hardware Addr Type Interface
Internet 148.171.207.78 2 f6d0.9822.bb06 ARPA Vlan142
core>sh mac-address-table address f6d0.9822.bb06
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
Supervisor:
* 142 f6d0.9822.bb06 dynamic Yes 0 Po202
core>sh etherchannel summary
Group Port-channel Protocol Ports
——+————-+———–+———————————————–
202 Po202(SU) – Gi4/33(P) Gi4/34(P)
core>sh mac-address-table interface GigabitEthernet4/33
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
No entries present.
core>sh mac-address-table interface GigabitEthernet4/34
vlan mac address type learn age ports
——+—————-+——–+—–+———-+————————–
No entries present.
Great Post!…………It is very helpful….Thank you very much
Hi,
I need some help,please show me a way whereby you can
trace mac address to port because somebody is sniffing
my network….