Node Identification

Unanswered Question
Nov 12th, 2008

Hi all,


Here is the scenario:


We use DHCP on our network. Machine A connects and receives an IP address. We want to locate where that machine with IP x.x.x.x is connected at. How can we track the MAC (or IP) to an access port on a switch? The termination point that the node connected with is hardwired, so if we know what switch or even what port on what switch the device connected to, we would have an idea where the machine is at least getting on the network from.


Access switches are 3560

Distribution switches are 3500

Core L3 switches are 3750


Suggestions?

Joe Clarke Wed, 11/12/2008 - 09:28

See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a9b.shtml . This is the method by which CiscoWorks Campus Manager is able to track where an end host is connected. It first gets all the MAC to port mappings from the switches' CAM/MAC tables, then it correlates those to the ARP entries from routers. The end result is a report which displays MAC, switch port, and IP address for the end host.

kellyrudnick Wed, 11/12/2008 - 12:39

I thought that Solarwinds Switchport Mapper would do the same, but I have had no success. Has anyone used the Switchport Mapper from Solarwinds to do this?

kellyrudnick Wed, 11/12/2008 - 13:38

Outside of Cisco Campus Manager, is there a cheaper method or package?


Jon.Marshall suggested:


"Okay this is a 2 step process -


on the L3 device that is responsible for routing the vlan you are concerned with


1) sh arp | include


this will give you the IP to mac-address mapping


then on the switch you think it is connected to


2) sh mac-address-table address


Note that on a switched network when you do step 2 it may well return the link that connects to another switch. So you then need to log on to that switch and rerun step 2.


Jon"


This worked fine, but the problem is trying to determine what switch to check when you have 50 or more in the environment. Is there a way to pull or trap this information to determine which switch on the network is the one the rogue node is connected to?





yjdabear Wed, 11/12/2008 - 14:48

This usually doesn't need any tool (free or not) at all.


Instead of "sh arp | include ", ping the rogue node first from the router (assuming you've done traceroute, and this router is the last hop in front of the rogue), followed by "show ip arp ". Now "sh mac-address-table address ". This should show an Interface. Then "show cdp neighbor" or "show interface" on that interface, or trace the cable to find the switch. On the switch, use "show cam " if CatOS, or "sh mac-address-table address " if IOS to locate the rogue's connected port.
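Added example, not part of any post in this thread: a Python sketch of the ARP-to-MAC-table correlation described above, following inter-switch links until it reaches a port with no CDP neighbor. The command output, switch names, addresses and the CDP mapping are constructed samples; in practice they would be collected from the devices.

```python
import re

# Constructed sample data, not from the thread. "show ip arp" on the L3 device:
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   001a.2b3c.0001  ARPA   Vlan20
Internet  10.1.20.57              3   0019.b9aa.4c21  ARPA   Vlan20
"""
# "show mac-address-table" rows per switch (hypothetical switch names):
MAC_TABLES = {
    "core-3750": "  20    0019.b9aa.4c21    DYNAMIC     Gi1/0/1\n",
    "dist-1": "  20    0019.b9aa.4c21    DYNAMIC     Gi0/2\n",
    "access-7": "  20    001a.2b3c.0001    DYNAMIC     Gi0/1\n"
                "  20    0019.b9aa.4c21    DYNAMIC     Fa0/14\n",
}
# Stand-in for "show cdp neighbor": (switch, port) -> switch on the far end.
CDP_NEIGHBORS = {
    ("core-3750", "Gi1/0/1"): "dist-1",
    ("dist-1", "Gi0/2"): "access-7",
    ("access-7", "Gi0/1"): "dist-1",
}
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def mac_for_ip(arp_output, ip):
    """Step 1: IP -> MAC from the router's ARP table."""
    for line in arp_output.splitlines():
        m = re.match(rf"Internet\s+(\S+)\s+\S+\s+({MAC_RE})\s", line)
        if m and m.group(1) == ip:
            return m.group(2)
    return None

def port_for_mac(table_output, mac):
    """Step 2: MAC -> port from one switch's MAC address table."""
    for line in table_output.splitlines():
        m = re.match(rf"\s*\d+\s+({MAC_RE})\s+\S+\s+(\S+)", line)
        if m and m.group(1) == mac:
            return m.group(2)
    return None

def locate(ip, start_switch):
    """Rerun step 2 switch by switch until the port has no CDP neighbor."""
    mac, path, switch = mac_for_ip(ARP_OUTPUT, ip), [], start_switch
    while mac and switch and switch not in dict(path):
        port = port_for_mac(MAC_TABLES.get(switch, ""), mac)
        if port is None:
            break
        path.append((switch, port))
        switch = CDP_NEIGHBORS.get((switch, port))
    return mac, path
```

The last entry of the returned path is the access port; an empty path means the IP was not in the ARP table or the MAC was not learned on the starting switch.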

