Nov 142007

If you have a big network with multiple Access Switches connecting to the core switches or routers then tracing a device like a PC or a laptop for troubleshooting or security purposes is one of those tasks that you often end up doing. This is not a difficult task but can certainly be time consuming.

Lets start with an IP address on hand. If you have an IP address on hand quickly ping and check if the device is pingable. If yes, then simply logon to one of your core switches or routers and do a simple sh ip arp

Core1# sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet           22   0000.1111.1111  ARPA   Vlan1

From the above you know the MAC Address of for the device:

IP Address :
MAC Address : 0000.1111.1111

Now, do a show mac-address command on the core switch or router. This will show the interface to which it is connected or through which it is learned.

Core1# sh mac-address-table address 0000.1111.1111

Legend: * – primary entry
        age – seconds since last seen
        n/a – not available

  vlan   mac address     type    learn     age              ports
*   1  0000.1111.1111   dynamic  Yes         10   Te1/1

This indicates that the device is either connected to the port or though another switch which is connected to the interface. Looking at this, it is very likely that this is a uplink (TenGigabit Ethernet link) to another Distribution or Access switch.

Sometimes, the output might show as follows [note the Po1]

Legend: * – primary entry
        age – seconds since last seen
        n/a – not available

  vlan   mac address     type    learn     age              ports
*   1  0000.1111.1111   dynamic  Yes         10   Po1

This indicates that there is a etherchannelis being setup. So do a "show etherchannel" command to find the phsycial ports that are paired.

Core1# show etherchannel summary
Flags:  D – down        P – bundled in port-channel
        I – stand-alone s – suspended
        H – Hot-standby (LACP only)
        R – Layer3      S – Layer2
        U – in use      f – failed to allocate aggregator

        M – not in use, minimum links not met
        u – unsuitable for bundling
        w – waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
1      Po1(SU)          –        Te1/1(P)   Te2/1(P)

This shows the ports Te1/1 or Te2/1 as a source through which the address is learnt.
Now, do a "show cdp neighbors" to show the directly connected devices.

Core1# sh cdp neighbors

Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
                  S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Access1          Ten 1/1            129         R S I     WS-C6509  Ten 1/1

That tells you, it is the Access switch 1 that is connected to Te1/1 and not the device itself.

Now, log onto the Access switch and do a "show mac-adddress-table" command for the MAC address and that should show the interface to which it is connected

[NOTE: unless it is a distribution switch to again there are a bunch of Access switches connected in which case, you need to go through the whole procedure as above again]

Access1# show mac-address-table 0000.1111.1111

  vlan   mac address     type    learn     age              ports
*   1  0000.1111.1111   dynamic  Yes         10   Gi1/24

As you can see which port the device is connected and on which switch.

Now do a "show interface" command to show the port details.

Access1>sh int gigabitEthernet 1/24

GigabitEthernet1/24 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
There you go you found the device switchport that you tried to trace!!!

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

 Posted by at 10:45 am  Tagged with:

  15 Responses to “HowTo: Find switchport for a MAC Address on a Cisco Catalyst Switch”

  1. […] admin added an interesting post on HowTo: Find switchport for a MAC Address on a Cisco Catalyst SwitchHere’s a small excerpt […]

  2. Have you tried ZipTie? It’s an open source network management program that does this kind of stuff for breakfast! :-) Seriously, like right-click on a switch and run the Switchport/MAC mapping tool, view the results. Then even type in an IP address and it will tell you which MAC it is and which switchport it is connected to. Talk about handy for finding which port a desktop machine is connected to!

    I noticed you also had a blog about how to show chassis serial number and part numbers. ZipTie captures all that too along with backing up your device configurations. And it supports not just IOS, but Juniper, Nortel, Radware, Force10, and a bunch of equipment providers.

    I know all this because I work on the ZipTie project! :-)

    Seriously, we’re awesome. No network engineer should be without us.

  3. Hi,

    Thanks for the input. I’ve been watching and evaluating Ziptie for quite sometime…Was just going to do a write up on ziptie and other similar tools (all opensource). You just got here early 😉

    Ziptie is a great product, great framework!!!!


  4. Cool! step. Thnks from Thai-Network Admin.

  5. how to bind an public Ip with the MAC address in either Cisco switch 2960 or Cisco Router 1842 series

  6. I’ve read many of these articles explaining this process but where I always have trouble is obtaining the correct MAC address. From the core switch, when I perform a sh ip arp 10.x.x.x I get a blank response. When I try this from a distribution switch, I get a MAC address in return, but not the MAC of the actual system I’m trying to locate. I believe it’s the MAC address of the etherchannel Po1 that’s being returned. I verified this by RDP’ing to the actual system and verifying it’s MAC address, but many times, this is not possible. Argghhh, might have to look into this ziptie thing. :)

  7. thanks

    amit yadav

  8. on your core router holding all your gateways try

    sh ip arp xxxx.xxxx.xxxx

    you should get the
    protocol ip_Address Age Hardware Addr(MAC) Type Interface
    Internet 192.x.x.x 80 xxxx.xxxx.xxxx ARPA VlanXX

  9. really helpful,thank u very much,,

  10. I have server with four NIC Card all are connected to One Core Switch 6500, some are configure as virtual ip address those are phyiscal connected also, and giving same Mac Address, i want to know connect port of each interface on switch. please send the command to find out
    which port ip address are connected and port Numbers.

    thanks in advance

  11. sh ip dhcp snooping binding int f0/22

    #sh ip dhcp snooping binding int f0/22
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    —————— ————— ———- ————- —- ——————–
    00:1A:A0:91:xx:xx 85502 dhcp-snooping 626 FastEthernet0/22
    Total number of bindings: 1

  12. Hi,
    I’m try to locate where the MAC address connected to but it not showing on the interfaces. Below is how I figure. Can you please help / explain to me?

    core>sh ip arp f6d0.9822.bb06
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 2 f6d0.9822.bb06 ARPA Vlan142

    core>sh mac-address-table address f6d0.9822.bb06

    vlan mac address type learn age ports
    * 142 f6d0.9822.bb06 dynamic Yes 0 Po202

    core>sh etherchannel summary

    Group Port-channel Protocol Ports
    202 Po202(SU) – Gi4/33(P) Gi4/34(P)

    core>sh mac-address-table interface GigabitEthernet4/33

    vlan mac address type learn age ports
    No entries present.

    core>sh mac-address-table interface GigabitEthernet4/34

    vlan mac address type learn age ports
    No entries present.

  13. Great Post!…………It is very helpful….Thank you very much

  14. Hi,
    I need some help,please show me a way whereby you can
    trace mac address to port because somebody is sniffing
    my network….

 Leave a Reply



You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>