Locating a Host Port by IP Address
By stretch | Monday, April 19, 2010 at 8:05 a.m. UTC
Early in my career I learned a troubleshooting approach to save me quite a bit of potentially painful cable tracing. When you need to locate the physical switch port to which a workstation or other end device is attached, one way is to physically trace and/or tone out the cable path. A much more convenient approach, if the machine has functional connectivity, is to query the ARP and MAC tables of various infrastructure devices to find its switch port.
To locate a host port by its IP address, start with a traceroute from some point inside the network, perhaps at your local workstation or a core router:
    R1# traceroute 192.168.42.138
    Type escape sequence to abort.
    Tracing the route to 192.168.42.138
      1 10.0.13.3 0 msec 0 msec 4 msec
      2 10.0.39.9 0 msec 4 msec 0 msec
      3 192.168.42.138 0 msec 4 msec 0 msec
This tells us that the host's default router is reachable at 10.0.39.9, so we telnet or SSH to that address and perform an ARP table lookup for the host's IP address.
    R1# telnet 10.0.39.9
    Trying 10.0.39.9 ... Open
    User Access Verification
    Username: admin
    Password:
    S1# show ip arp 192.168.42.138
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  192.168.42.138         13   0014.6a7c.c2b8  ARPA   Vlan42
This tells us the host's MAC address. To resolve this layer two address to a layer one "address" (i.e. port number), we need to query the MAC table:
    S1# show mac address-table address 0014.6a7c.c2b8
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      42    0014.6a7c.c2b8    DYNAMIC     Fa0/13
Now we know that the host is reachable via interface FastEthernet0/13. However, this may not necessarily be a direct connection. The configuration of this interface indicates that this port connects to another switch:
    S1# show running-config interface f0/13
    Building configuration...
    Current configuration : 120 bytes
    !
    interface FastEthernet0/13
     description Trunk to S2
     switchport trunk encapsulation dot1q
     switchport mode trunk
    end
The neighboring switch's management address is advertised via CDP:
    S1# show cdp neighbors f0/13 detail
    -------------------------
    Device ID: S2
    Entry address(es):
      IP address: 10.0.99.10
    Platform: Cisco WS-C3550-24,  Capabilities: Switch IGMP
    Interface: FastEthernet0/13,  Port ID (outgoing port): FastEthernet0/13
    Holdtime : 148 sec
    Version :
    Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 01-May-08 16:14 by antonino
    advertisement version: 2
    Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000000F345F1680FF0000
    VTP Management Domain: 'NULL'
    Native VLAN: 1
    Duplex: full
    Management address(es):
      IP address: 10.0.99.10
Next, we telnet to the neighboring switch's IP address and repeat our MAC table lookup:
    S1# telnet 10.0.99.10
    Trying 10.0.99.10 ... Open
    User Access Verification
    Username: admin
    Password:
    S2# show mac address-table address 0014.6a7c.c2b8
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      42    0014.6a7c.c2b8    DYNAMIC     Fa0/6
    Total Mac Addresses for this criterion: 1
We can see that FastEthernet0/6 is an access port, which means it is most likely our host port:
    S2# show running-config interface f0/6
    Building configuration...
    Current configuration : 84 bytes
    !
    interface FastEthernet0/6
     switchport access vlan 42
     switchport mode access
    end
Many enterprise network management systems include tools to help automate this process, but it's handy to remember in a pinch.
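The same walk can be scripted, which helps when the question is where an unknown device is plugged in. The following is an added example, not code from the original post: it parses the command output shown above and follows trunks via CDP until it reaches a non-trunk port. The `CAPTURES` table, `run` and `locate_host_port` are hypothetical names, and the captures are constructed (abridged from the session above) so the script runs offline.

```python
import re

# Constructed captures: (device address, command) -> output, abridged from the
# session in the article. A live tool would fetch these over SSH instead.
CAPTURES = {
    ("10.0.39.9", "show ip arp 192.168.42.138"):
        "Internet  192.168.42.138  13  0014.6a7c.c2b8  ARPA  Vlan42\n",
    ("10.0.39.9", "show mac address-table address 0014.6a7c.c2b8"):
        "  42    0014.6a7c.c2b8    DYNAMIC     Fa0/13\n",
    ("10.0.39.9", "show running-config interface Fa0/13"):
        "interface FastEthernet0/13\n description Trunk to S2\n"
        " switchport trunk encapsulation dot1q\n switchport mode trunk\nend\n",
    ("10.0.39.9", "show cdp neighbors Fa0/13 detail"):
        "Device ID: S2\nEntry address(es):\n  IP address: 10.0.99.10\n",
    ("10.0.99.10", "show mac address-table address 0014.6a7c.c2b8"):
        "  42    0014.6a7c.c2b8    DYNAMIC     Fa0/6\n",
    ("10.0.99.10", "show running-config interface Fa0/6"):
        "interface FastEthernet0/6\n switchport access vlan 42\n"
        " switchport mode access\nend\n",
}
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"  # IOS dotted-hex MAC format

def run(device, command):
    # Offline stand-in for a CLI session (hypothetical helper).
    return CAPTURES[(device, command)]

def locate_host_port(gateway, ip, run=run, max_hops=8):
    """Return (mac, [(switch, port), ...]); the last hop is a non-trunk port."""
    arp = re.search(rf"^Internet\s+{re.escape(ip)}\s+\S+\s+({MAC})",
                    run(gateway, f"show ip arp {ip}"), re.M)
    if not arp:
        raise LookupError(f"no ARP entry for {ip} on {gateway}")
    mac, device, path = arp.group(1), gateway, []
    for _ in range(max_hops):  # bound the walk in case CDP data loops
        out = run(device, f"show mac address-table address {mac}")
        row = re.search(rf"^\s*\d+\s+{re.escape(mac)}\s+\S+\s+(\S+)", out, re.M)
        if not row:
            raise LookupError(f"{mac} not in MAC table on {device}")
        port = row.group(1)
        path.append((device, port))
        cfg = run(device, f"show running-config interface {port}")
        if "switchport mode trunk" not in cfg:
            return mac, path  # access port: most likely the host port
        cdp = run(device, f"show cdp neighbors {port} detail")
        nxt = re.search(r"IP address:\s*(\d+\.\d+\.\d+\.\d+)", cdp)
        if not nxt:
            raise LookupError(f"no CDP neighbor on {device} {port}")
        device = nxt.group(1)
    raise LookupError("hop limit reached")
```
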
Comments
April 19, 2010 at 8:20 a.m. UTC
If you have Catalyst 4500 switches, you can also use
    Switch# traceroute mac ?
      H.H.H      48-bit hardware address of source
      interface  Interface on which this source mac exists
      ip         Specify ip addresses
This might also work on 6500s and I think I saw this command on 3750s.
April 19, 2010 at 9:26 a.m. UTC
very basic but very handy ! nice one stretch.
April 19, 2010 at 9:40 a.m. UTC
I do this weekly, it's definitely a must-know procedure for engineers.
April 19, 2010 at 9:56 a.m. UTC
Also u can do a L2 Traceroute :) CDP has to be enabled for that
April 19, 2010 at 11:11 a.m. UTC
Definitely a must-know procedure, but I'm a firm believer in not escalating privilege unless you have to. One of my pet hates is using 'show run' or 'show run interface' as a crutch. :)
Alternatives to consider:
    Router> show interface FastEthernet0/6 status
    Router> show interface FastEthernet0/6 switchport
April 19, 2010 at 12:02 p.m. UTC
This is one of those things you just learn as you go but it's nice to see it "formalised" for those learning the ropes.
However when you have to do this 10 times a day, every day when you look after thousands of switches over hundreds of remote sites and have constant "PC not on network" tickets to deal with you end up skimming this process down to the bare bones.
Go to site's core switch then: sh mac- | inc wxyz
Where wxyz is the last 4 digits of the MAC - saves us time and thousands of keystrokes a week!
April 19, 2010 at 1:31 p.m. UTC
Nice trick!!
April 19, 2010 at 2:02 p.m. UTC
Yep...handy dandy trick! I've done it a couple times already this morning.
April 19, 2010 at 4:20 p.m. UTC
A problem with this approach I've recently run into is using firewalls as routers. In my environment, we use Checkpoints as the default gateways for many subnets - so to get the MAC address is a little more of a PITA - to have to shell or gui into the firewall and look at the arp table - but the concept is the same.
As far as using ICMP to verify connectivity - again, the firewalls cause some concern to the server admins - who can't ping their gateway, because it might not respond, even though it's connected. In this case, an obvious answer exists to verify connectivity - although it had to be pointed out to me. If you ping the gateway, and it doesn't answer, how can you tell it's connected? Look @ the arp cache, arp -a. If you see the IP and a MAC, odds are you're good. :)
Second the nod towards using the shortened show mac: show mac mac-add | i ABCD (abcd = last part of mac)
Another shortcut: show mac mac-add | i X/Y (x/y is the interface you're looking for - you can see what mac is assigned to it)
Love your site Stretch - you're a great help! :)
April 20, 2010 at 6:13 a.m. UTC
I had a coworker give me a cheat sheet of this process when my boss needed me to ID the switch ports in use by various "mystery" firewalls deployed by other departments. It's so much fun to just have a list of MAC addresses glommed from the DHCP server and search the entire enterprise MAC tables to find the devices.
12 hours or so, altogether...
April 20, 2010 at 12:34 p.m. UTC
I also used the same technique but with this I would like to add one more thing i.e. show mac-address dynamic vlan
regards Shivlu Jain
April 20, 2010 at 5:15 p.m. UTC
traceroute mac saved me a lot of troubleshooting when I was in Iraq. Great explanation of this process!
April 20, 2010 at 5:26 p.m. UTC
the "show ip arp 192.168.42.138" didn't work for me
but I do have DHCP snooping enabled so I can find it that way
April 21, 2010 at 9:16 p.m. UTC
Nice post. Switch Port Mapper which is part of Solarwinds Engineer Edition does this job quite fast and efficiently as well.
April 22, 2010 at 12:40 a.m. UTC
I wrote a perl script that would dump the MAC tables from all our switches and the ARP tables from all our routers into a web database. You could then query the web page for any IP address and get the switch and port.
Even added a MAC address vendor decode to help ID the device.
April 22, 2010 at 7:40 p.m. UTC
I use switchmap quite a bit for this. Much faster than jumping through devices... http://sourceforge.net/projects/switchmap/
October 2, 2013 at 5:14 p.m. UTC
Nice explanation
August 20, 2014 at 1:43 p.m. UTC
It is always nice to use an old school effective method of identifying a host port. The automated tools take all the fun out of it...lol I think some of us appreciate the longer processes because you learn so much more about how the entire process works. Thanks Stretch!!