Locating a Host Port by IP Address

By stretch | Monday, April 19, 2010 at 8:05 a.m. UTC

Early in my career I learned a troubleshooting approach to save me quite a bit of potentially painful cable tracing. When you need to locate the physical switch port to which a workstation or other end device is attached, one way is to physically trace and/or tone out the cable path. A much more convenient approach, if the machine has functional connectivity, is to query the ARP and MAC tables of various infrastructure devices to find its switch port.

To locate a host port by its IP address, start with a traceroute from some point inside the network, perhaps at your local workstation or a core router:

R1# traceroute 192.168.42.138

Type escape sequence to abort.
Tracing the route to 192.168.42.138

  1 10.0.13.3 0 msec 0 msec 4 msec
  2 10.0.39.9 0 msec 4 msec 0 msec
  3 192.168.42.138 0 msec 4 msec 0 msec

This tells us that the host's default router is reachable at 10.0.39.9, so we telnet or SSH to that address and perform an ARP table lookup for the host's IP address.

R1# telnet 10.0.39.9
Trying 10.0.39.9 ... Open

User Access Verification

Username: admin
Password:

S1# show ip arp 192.168.42.138
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.42.138         13   0014.6a7c.c2b8  ARPA   Vlan42

This tells us the host's MAC address. To resolve this layer two address to a layer one "address" (i.e. port number), we need to query the MAC table:

S1# show mac address-table address 0014.6a7c.c2b8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  42    0014.6a7c.c2b8    DYNAMIC     Fa0/13

Now we know that the host is reachable via interface FastEthernet0/13. However, this may not necessarily be a direct connection. The configuration of this interface indicates that this port connects to another switch:

S1# show running-config interface f0/13
Building configuration...

Current configuration : 120 bytes
!
interface FastEthernet0/13
 description Trunk to S2
 switchport trunk encapsulation dot1q
 switchport mode trunk
end

The neighboring switch's management address is advertised via CDP:

S1# show cdp neighbors f0/13 detail
-------------------------
Device ID: S2
Entry address(es): 
  IP address: 10.0.99.10
Platform: Cisco WS-C3550-24,  Capabilities: Switch IGMP 
Interface: FastEthernet0/13,  Port ID (outgoing port): FastEthernet0/13
Holdtime : 148 sec

Version :
Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 01-May-08 16:14 by antonino

advertisement version: 2
Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000000F345F1680FF0000
VTP Management Domain: 'NULL'
Native VLAN: 1
Duplex: full
Management address(es): 
  IP address: 10.0.99.10

Next, we telnet to the neighboring switch's IP address and repeat our MAC table lookup:

S1# telnet 10.0.99.10
Trying 10.0.99.10 ... Open

User Access Verification

Username: admin
Password:

S2# show mac address-table address 0014.6a7c.c2b8
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  42    0014.6a7c.c2b8    DYNAMIC     Fa0/6
Total Mac Addresses for this criterion: 1

We can see that FastEthernet0/6 is an access port, which means it is most likely our host port:

S2# show running-config interface f0/6
Building configuration...

Current configuration : 84 bytes
!
interface FastEthernet0/6
 switchport access vlan 42
 switchport mode access
end

Many enterprise network management systems include tools to help automate this process, but it's handy to remember in a pinch.
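
The same walk (ARP lookup on the gateway, MAC table lookup, follow the CDP neighbor, repeat) can be scripted. The sketch below is an added example, not code from the original post: the `run` transport and the `SAMPLE` data are hypothetical stand-ins built from the session above, and it assumes a port with no CDP neighbor is the host port.

```python
import re

# Constructed command output modelled on the session above, keyed by
# (device management IP, command). A real tool would fetch these over SSH.
SAMPLE = {
    ("10.0.39.9", "show ip arp 192.168.42.138"):
        "Protocol  Address          Age (min)  Hardware Addr   Type   Interface\n"
        "Internet  192.168.42.138         13   0014.6a7c.c2b8  ARPA   Vlan42\n",
    ("10.0.39.9", "show mac address-table address 0014.6a7c.c2b8"):
        "Vlan    Mac Address       Type        Ports\n"
        "  42    0014.6a7c.c2b8    DYNAMIC     Fa0/13\n",
    ("10.0.39.9", "show cdp neighbors Fa0/13 detail"):
        "Device ID: S2\nEntry address(es):\n  IP address: 10.0.99.10\n",
    ("10.0.99.10", "show mac address-table address 0014.6a7c.c2b8"):
        "Vlan    Mac Address       Type        Ports\n"
        "  42    0014.6a7c.c2b8    DYNAMIC     Fa0/6\n",
    ("10.0.99.10", "show cdp neighbors Fa0/6 detail"): "",  # no CDP neighbor
}

def run(device, command, outputs=SAMPLE):
    """Hypothetical transport: returns canned output instead of using SSH."""
    return outputs.get((device, command), "")

def locate(ip, gateway, outputs=SAMPLE):
    """Return [(switch_ip, port), ...] from the gateway down to the edge port."""
    arp = re.search(rf"^Internet\s+{re.escape(ip)}\s+\S+\s+([0-9a-f.]{{14}})\s",
                    run(gateway, f"show ip arp {ip}", outputs), re.M)
    if not arp:
        raise LookupError(f"no ARP entry for {ip} on {gateway}")
    mac, device, path, seen = arp.group(1), gateway, [], set()
    while device not in seen:
        seen.add(device)
        row = re.search(rf"^\s*\d+\s+{re.escape(mac)}\s+\S+\s+(\S+)\s*$",
                        run(device, f"show mac address-table address {mac}", outputs), re.M)
        if not row:
            raise LookupError(f"{mac} not in MAC table on {device} (aged out?)")
        port = row.group(1)
        path.append((device, port))
        cdp = re.search(r"IP address:\s*(\S+)",
                        run(device, f"show cdp neighbors {port} detail", outputs))
        if not cdp:  # no neighboring switch advertised: treat as the host port
            break
        device = cdp.group(1)
    else:  # loop condition failed: CDP pointed back at a switch already visited
        raise RuntimeError(f"CDP loop detected at {device}")
    return path
```

A port without a CDP neighbor may still lead to an unmanaged switch or a device with CDP disabled, so confirm the final port is an access port as shown above before acting on the result.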

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Tips and Tricks

Comments


falk
April 19, 2010 at 8:20 a.m. UTC

If you have Catalyst 4500 switches, you can also use

Switch# traceroute mac ?
  H.H.H      48-bit hardware address of source
  interface  Interface on which this source mac exists
  ip         Specify ip addresses

This might also work on 6500s and I think I saw this command on 3750s.


binary-zero (guest)
April 19, 2010 at 9:26 a.m. UTC

very basic but very handy ! nice one stretch.


Colby
April 19, 2010 at 9:40 a.m. UTC

I do this weekly, it's definitely a must-know procedure for engineers.


MCL.Nicolas (guest)
April 19, 2010 at 9:56 a.m. UTC

Also u can do a L2 Traceroute :) CDP has to be enabled for that


Murali Suriar (guest)
April 19, 2010 at 11:11 a.m. UTC

Definitely a must-know procedure, but I'm a firm believer in not escalating privilege unless you have to. One of my pet hates is using 'show run' or 'show run interface' as a crutch. :)

Alternatives to consider:

Router> show interface FastEthernet0/6 status
Router> show interface FastEthernet0/6 switchport

Steve B (guest)
April 19, 2010 at 12:02 p.m. UTC

This is one of those things you just learn as you go but it's nice to see it "formalised" for those learning the ropes.

However when you have to do this 10 times a day, every day when you look after thousands of switches over hundreds of remote sites and have constant "PC not on network" tickets to deal with you end up skimming this process down to the bare bones.

Go to site's core switch then: sh mac- | inc wxyz

Where wxyz is the last 4 digits of the MAC - saves us time and thousands of keystrokes a week!


emilio1973
April 19, 2010 at 1:31 p.m. UTC

Nice trick!!


jmbyrdwell
April 19, 2010 at 2:02 p.m. UTC

Yep...handy dandy trick! I've done it a couple times already this morning.


Brannen
April 19, 2010 at 4:20 p.m. UTC

A problem with this approach I've recently run into is using firewalls as routers. In my environment, we use Checkpoints as the default gateways for many subnets - so to get the MAC address is a little more of a PITA - to have to shell or gui into the firewall and look at the arp table - but the concept is the same.

As far as using ICMP to verify connectivity - again, the firewalls cause some concern to the server admins - who can't ping their gateway, because it might not respond, even though it's connected. In this case, an obvious answer exists to verify connectivity - although it had to be pointed out to me. If you ping the gateway, and it doesn't answer, how can you tell it's connected? Look @ the arp cache, arp -a. If you see the IP and a MAC, odds are you're good. :)

Second the nod towards using the shortened show mac: show mac mac-add | i ABCD (abcd = last part of mac)

Another shortcut: show mac mac-add | i X/Y (x/y is the interface you're looking for - you can see what mac is assigned to it)

Love your site Stretch - you're a great help! :)


sklutch (guest)
April 20, 2010 at 6:13 a.m. UTC

I had a coworker give me a cheat sheet of this process when my boss needed me to ID the switch ports in use by various "mystery" firewalls deployed by other departments. It's so much fun to just have a list of MAC addresses glommed from the DHCP server and search the entire enterprise MAC tables to find the devices.

12 hours or so, altogether...


shivlu jain (guest)
April 20, 2010 at 12:34 p.m. UTC

I also used the same technique but with this I would like to add one more thing i.e. show mac-address dynamic vlan

regards Shivlu Jain


A guest
April 20, 2010 at 5:15 p.m. UTC

traceroute mac saved me a lot of troubleshooting when I was in Iraq. Great explanation of this process!


dlots
April 20, 2010 at 5:26 p.m. UTC

the "show ip arp 192.168.42.138" didn't work for me

but I do have DHCP snooping enabled so I can find it that way


kirk (guest)
April 21, 2010 at 9:16 p.m. UTC

Nice post. Switch Port Mapper which is part of Solarwinds Engineer Edition does this job quite fast and efficiently as well.


dcjones21
April 22, 2010 at 12:40 a.m. UTC

I wrote a perl script that would dump the MAC tables from all our switches and the ARP tables from all our routers into a web database. You could then query the web page for any IP address and get the switch and port.

Even added a MAC address vendor decode to help ID the device.


A guest
April 22, 2010 at 7:40 p.m. UTC

I use switchmap quite a bit for this. Much faster than jumping through devices... http://sourceforge.net/projects/switchmap/


pankaj (guest)
October 2, 2013 at 5:14 p.m. UTC

Nice explanation


Terrence (guest)
August 20, 2014 at 1:43 p.m. UTC

It is always nice to use an old school effective method of identifying a host port. The automated tools take all the fun out of it...lol I think some of us appreciate the longer processes because you learn so much more about how the entire process works. Thanks Stretch!!
