How to Track Down a Computer on Cisco Networks
Here is the method for quickly finding where a specific computer is connected to a corporate network. These examples are for Cisco catalyst switches, although most switches that are manageable have similar commands.
Find the MAC Address
If you have physical access to the computer, then you can determine the MAC address by using the command ipconfig /all at the command line. The MAC address is called Physical Address in this command.
Without physical access to the computer, the best way to determine the MAC address is by looking at your router's ARP table. A MAC address is a unique 32-bit hexdecimal address unique to every network interface card. It is mostly hidden by IP addresses and DNS names, but once you have the mac address of the computer offending you, it is only a matter of time until you find out where it is connected.
Today, we are looking for the computer at IP address 172.29.15.223. Use the show arp command. ARP is the connection between the IP address and the physical mac address.
Step1: Find the MAC address on the router
Router1>show arp | i 172.29.15.223
Internet 172.29.15.223 0 0011.432e.0f77 ARPA Vlan15
Next, use the show mac-address-table command on the switch to find out where the switch thinks the computer is located.
Step 2: Track the MAC address
Router1>show mac-address-table address 0011.432e.0f77
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Module 1:
* 15 0011.432e.0f77 dynamic Yes 0 Te1/5
The switch output tells us that the computer is seen on port Te1/5 (Te stands for TenGigabit), but we need to verify that this is not an uplink to another switch. Use the show cdp detail command in order to see if there is another switch. In this case, there is.
CDP stands for Cisco Discovery Protocol and is the way Cisco switches share connection information. There is a lot of output from this command, but notice the Device ID and IP address lines. This shows the connecting switch's IP address and its name.
Step 3: Find the downstream switch
Router1>show cdp nei te1/5 detail
-------------------------
Device ID: Switch2
Entry address(es):
IP address: 172.29.15.2
Platform: cisco WS-C4506-E, Capabilities: Switch IGMP
Interface: TenGigabitEthernet1/5, Port ID (outgoing port): TenGigabitEthernet1/1
Holdtime : 163 sec
Version :
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-LANBASEK9-M), Version 12.2(50)SG2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 16-Mar-10 05:25 by prod_rel_team
advertisement version: 2
VTP Management Domain: ''
Native VLAN: 1802
Duplex: full
Management address(es):
IP address: 172.29.15.2
Next, log into the connecting switch and use the show mac-address-able command again.
ssh 172.29.15.2
Step 4: Track the MAC address again
Switch2>show mac-address-table address 0011.432e.0f77
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
15 0011.432e.0f77 dynamic ip,ipx,assigned,other GigabitEthernet2/3
This switch shows the computer connected to port GigabitEthernet2/3. Run the show cdp neighbor command again. If the command does not show another switch, then the computer should be directly connected to this port. Lastly, verify that the computer you are looking for is the only device connected to that port. Taking this last step will eliminate missing another switch because cdp is misconfigured or a small unmanaged switch like something bought at a computer store is not connected. If the computer you are looking for is directly connected, then it will be the only entry in the show mac-address-table dynamic command.
Switch2>sho mac address-table dynamic int gig2/3
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
15 0011.432e.0f77 dynamic ip,ipx,assigned,other GigabitEthernet2/3
Finally, we can disconnect the computer by turning off it's switch port by using the shut command.
Switch2>en
password:
Switch2#conf t
Switch2#(config) int gig2/3
Switch2#(config-int)shut
Switch2#(config-int)end
Although this computer was connected to a nearby switch, the computer in question could be several switch connections away. In that case, repeat steps two and three. Refer to www.Cisco.com for more information.
Published by Jinx
IT guy by day View profile
- Find the MAC Address on Popular DevicesThis tutorial will show you how to set up MAC Address Filtering on your wireless router and find the MAC Address on Windows, Macintosh, Wii, PS3, Xbox 360, Nintendo DS, PSP, iPhone, BlackBerry and TiVo.
Using Anonymous Web Proxies to Hide Your IP AddressThe first of a series of articles I am writing about Internet security and staying safe online - Part I - how to hide your IP.- What is an IP Address and How Can I Find, Replace, or Renew It?This guide will help explain what an Internet Protocol Address is and will also help you manipulate it.
Top 8 Computer Virus HoaxesHere are 8 computer virus hoaxes the general public thought were real virus alerts but were dubbed hoaxes by internet security firms.
Computer Virus: Alert from the USPSThe United States Postal Service has sent a warning about a virus lurking in a seemingly happy email about an attempted or intercepted package delivery. It is a hoax, and not fr...
- Tracking Down a Computer Address Over a Network
- Help for a Computer Virus Attack
- Advanced Computer Virus Safety Tricks Part 2
- Advanced Computer Virus Safety Tricks Part 1
- Tech Gone Mad: First Man in History to Catch a Computer Virus
- What is My IP Address?
- Happy Birthday - The Computer Virus Turns 25