
Computer networks seem to grow larger every day, and finding exactly where a misbehaving computer connects becomes more difficult.


Here is the method for quickly finding where a specific computer is connected to a corporate network. These examples are for Cisco Catalyst switches, although most manageable switches have similar commands.
Find the MAC Address
If you have physical access to the computer, then you can determine the MAC address by using the command ipconfig /all at the command line. The MAC address is called Physical Address in this command's output.
Without physical access to the computer, the best way to determine the MAC address is by looking at your router's ARP table. A MAC address is a unique 32-bit hexadecimal address unique to every network interface card. It is mostly hidden by IP addresses and DNS names, but once you have the MAC address of the computer offending you, it is only a matter of time until you find out where it is connected.
Today, we are looking for the computer at IP address 172.29.15.223. Use the show arp command. ARP is the connection between the IP address and the physical MAC address.
Step 1: Find the MAC address on the router
Router1>show arp | i 172.29.15.223
Internet 172.29.15.223 0 0011.432e.0f77 ARPA Vlan15
Next, use the show mac-address-table command on the switch to find out where the switch thinks the computer is located.
Step 2: Track the MAC address
Router1>show mac-address-table address 0011.432e.0f77
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+-------------------------
Module 1:
* 15 0011.432e.0f77 dynamic Yes 0 Te1/5
The switch output tells us that the computer is seen on port Te1/5 (Te stands for TenGigabit), but we need to verify that this is not an uplink to another switch. Use the show cdp neighbors detail command to see if there is another switch. In this case, there is.
CDP stands for Cisco Discovery Protocol and is the way Cisco switches share connection information. There is a lot of output from this command, but notice the Device ID and IP address lines. These show the connecting switch's name and its IP address.
Step 3: Find the downstream switch
Router1>show cdp nei te1/5 detail
------------------------
Device ID: Switch2
Entry address(es):
IP address: 172.29.15.2
Platform: cisco WS-C4506-E, Capabilities: Switch IGMP
Interface: TenGigabitEthernet1/5, Port ID (outgoing port): TenGigabitEthernet1/1
Holdtime : 163 sec

Version :
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-LANBASEK9-M), Version 12.2(50)SG2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 16-Mar-10 05:25 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
Native VLAN: 1802
Duplex: full
Management address(es):
IP address: 172.29.15.2
Next, log into the connecting switch and use the show mac-address-table command again.
ssh 172.29.15.2
Step 4: Track the MAC address again
Switch2>show mac-address-table address 0011.432e.0f77
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+-------------------
15 0011.432e.0f77 dynamic ip,ipx,assigned,other GigabitEthernet2/3
This switch shows the computer connected to port GigabitEthernet2/3. Run the show cdp neighbor command again. If the command does not show another switch, then the computer should be directly connected to this port. Lastly, verify that the computer you are looking for is the only device connected to that port. This last step keeps you from missing another switch because CDP is misconfigured, and confirms that a small unmanaged switch, like something bought at a computer store, is not connected. If the computer you are looking for is directly connected, then it will be the only entry in the output of the show mac-address-table dynamic command.
Switch2>sho mac address-table dynamic int gig2/3
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+-------------------
15 0011.432e.0f77 dynamic ip,ipx,assigned,other GigabitEthernet2/3
Finally, we can disconnect the computer by turning off its switch port with the shut command.
Switch2>en
password:
Switch2#conf t
Switch2(config)#int gig2/3
Switch2(config-if)#shut
Switch2(config-if)#end
Although this computer was connected to a nearby switch, the computer in question could be several switch connections away. In that case, repeat steps two and three. Refer to www.Cisco.com for more information.
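The hop-by-hop trace above can be replayed over saved command output. The following Python is an added example, not part of the original article: it runs Steps 1 through 4 on the captures shown on this page, and the CAPTURES layout and all function names are assumptions of the example.

```python
import re

MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
# Saved CLI output per device, taken from the captures above (layout is an assumption).
SW2_ROW = "15 0011.432e.0f77 dynamic ip,ipx,assigned,other GigabitEthernet2/3"
CAPTURES = {
    "Router1": {
        "arp": "Internet 172.29.15.223 0 0011.432e.0f77 ARPA Vlan15",
        "mac": "* 15 0011.432e.0f77 dynamic Yes 0 Te1/5",
        "cdp": {"Te1/5": "Device ID: Switch2\nIP address: 172.29.15.2"},
    },
    "Switch2": {
        "mac": SW2_ROW,
        "cdp": {},  # no CDP neighbor reported on GigabitEthernet2/3
        "port": {"GigabitEthernet2/3": SW2_ROW},  # dynamic entries on that port
    },
}

def mac_for_ip(arp_text, ip):
    """Step 1: compare whole fields, so 172.29.15.22 never matches 172.29.15.223."""
    for line in arp_text.splitlines():
        m = MAC_RE.search(line)
        if m and ip in line.split():
            return m.group(0).lower()
    return None

def port_for_mac(mac_text, mac):
    """Steps 2 and 4: the port is the last column of the row holding the MAC."""
    for line in mac_text.splitlines():
        if mac in line.lower().split():
            return line.split()[-1]
    return None

def trace(ip, start, captures=CAPTURES):
    """Follow the MAC switch to switch; return (mac, hops, sole_device_on_port)."""
    mac = mac_for_ip(captures[start]["arp"], ip)
    device, hops, seen = start, [], set()
    while mac and device in captures and device not in seen:
        seen.add(device)  # stop if CDP data ever points back to a visited switch
        port = port_for_mac(captures[device]["mac"], mac)
        if port is None:
            break
        hops.append((device, port))
        nbr = re.search(r"Device ID:\s*(\S+)", captures[device]["cdp"].get(port, ""))
        if not nbr:  # edge port: more than one MAC suggests an unmanaged switch
            rows = captures[device].get("port", {}).get(port, "")
            return mac, hops, set(MAC_RE.findall(rows.lower())) == {mac}
        device = nbr.group(1)  # Step 3: move to the downstream switch
    return mac, hops, False
```

The third return value is True only when the target MAC is the sole dynamic entry on the final port, which is the check to make before shutting the port.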
Published by Jinx
