Find where a device is connected with MAC address table and ARP

If you know the IP of a device, you can find where it is connected by checking the MAC address table and the ARP table on routers and switches.

If you have a big network, it is crucial to know where things are. Besides switches and servers, you also need to know where clients are. In fact, it is common for users to complain about network problems. When this happens, you may need to know where the user is in the network, that is, the switch and the port the user is connected to. This is possible by looking at the MAC address table and the ARP table of a switch. With them, you can locate any device in the network in seconds.

In this article, we find the position of a device in the network starting from its IP address.

How to find a device with MAC address table and ARP table

This procedure applies to any network device, of any vendor. However, we will see the commands only for Cisco – if you have a different vendor just look for the equivalents.

There are several standard steps to find the position of a device in a network from its IP. You mainly need to check the MAC address table and the ARP table.
  1. Connect to the device that acts as default router for the target network and ping your target IP.
  2. Use show ip arp | include <IP>, where <IP> is the IP of your target device. Here, you will see the MAC address of that device.
  3. Use show mac address-table address <MAC address>, where the <MAC address> is the one we found in the previous step. This will tell you a port of the switch.
  4. Check if you have some switches connected to that port with show cdp neighbor detail <port>, where <port> is the port we found in the previous step. If this command outputs something, it will also tell you the management address of the connected switch. In this case, connect to that switch and repeat from Step #3.
  5. If you see no output from the previous step, probably the device is right there on this port. Use show mac address-table interface <port> and check how many MAC addresses you see. If it’s just one, you found the device. Otherwise, it might be behind a switch which is not manageable, or on a virtualized host like VMware ESXi.

And this is it! Still confused? Don’t worry, we will cover all these steps in detail just below.

Finding a device, the details

Connect to the default gateway

It is important we get the first step straight, otherwise we won’t go far. It is mandatory to connect to the default gateway. This is the device that all devices in the network send traffic to when they want to communicate with the outside world. Furthermore, it is a device in that network you (as a network administrator) have access to.

Being in the same network means being able to see MAC addresses, and knowing MAC addresses allows you to locate the devices. If you connect to any other device, it might not have this detail in the ARP table, and you won’t go any further.

Check the ARP table

Now that we are on the correct device, we need to ping our target IP address. This is important because the device might have been silent for a while. If the device was silent, the switch may have removed its MAC address from the ARP table. By pinging it, we wake it up and ensure the entry is there. If it does not respond to the ping, there is nothing we can do from here: we need to inspect the device and get the MAC address from it.

After pinging, you can check the ARP table with show ip arp | include <IP>. If our target IP is 10.43.11.91, we can do the following.

Dallas-CORE# show ip arp | include 10.43.11.91
Internet	10.43.11.91				0	0007.ECB2.7A02	ARPA	GigabitEthernet0/1
Dallas-CORE#

Here, we are looking at the MAC address, the one with the notation XXXX.XXXX.XXXX. Don’t be fooled by the interface, this is not necessarily the interface where the device is connected. It is just the interface the MAC address comes from. Furthermore, not all devices will have the same output, but they will all give you IP and MAC address at least. Here, we found the MAC address 0007.ECB2.7A02.

Check the MAC address table

The next step is to identify where the MAC address is coming from. We can do that by checking the MAC address table with show mac address-table address <MAC address>, or 0007.ECB2.7A02 in our case. The output will be something like the one below.

Dallas-CORE# show mac address-table address 0007.ECB2.7A02
      Mac Address Table
---------------------------------------------

Vlan	Mac Address			Type		Ports
----	-----------			----		-----
11		0007.ECB2.7A02		DYNAMIC		Gi0/1
Dallas-CORE#

The syntax may be different from model to model. Some devices may want mac-address-table, others mac address-table. Some may want the address keyword, some others may not. Find the way yourself by using ? if needed. Here, we are looking at the port, which is Gi0/1. With that, we can go to the next step.

Checking the CDP neighbors

Now we know where the traffic from this device is coming from. However, we are still not sure if the device is directly cabled in that port or not. We need to be sure of that, and we can do that by checking CDP. CDP is a Cisco-proprietary protocol that allows you to discover other Cisco devices in the network, if they are directly connected. If we have no neighbor, show cdp neighbor detail will show no output. Otherwise, it will look like this:

Dallas-CORE# show cdp neighbor detail gi0/1
--------------------------
Device ID: Dallas-DIST01
Entry address(es):
  IP address: 10.30.0.11
Platform: Cisco 3750, 	Capabilities: Router Switch IGMP
Interface: GigabitEthernet1/0/1,	Port ID (outgoing port) GigabitEthernet0/1
Holdtime: 43 sec

Version:
Cisco IOS Software, 3750 Software (C3750-K9-M), Version 12.4, RELEASE SOFTWARE (es9)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled 06-Mar-09 15:38 by prod_rel_team

advertisement version: 2
VTP Management Domain: 'Dallas'

Dallas-CORE#

Here, we are looking at the management address, which is 10.30.0.11. Now, we can connect to this device and repeat the process from checking the MAC address table.

Another thing you can do to ensure there is just this device connected on a port is checking the MAC address table for that port. Instead of looking it up by MAC address, you look it up by port. If you see just one MAC address, you are good to go; otherwise you may want to check the device physically.

Important Note: CDP works only between Cisco devices and may be turned off. If you don’t have Cisco, you may use LLDP (standard), but not all devices support it and most don’t have it enabled.

If you want to know more about CDP, we have an article on it.

Finding the device

If the previous check returned no output, then you already know the port. It is the one you obtained by checking the MAC address table. Now you can do all the checks you need, and hopefully contact the user to say it’s not a network issue!
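
The parsing and decision logic of the procedure above, as an added example that is not part of the original article: it reads the three command outputs and returns either the next switch to connect to or the access port. The function names are hypothetical, and the sample outputs are the article's Dallas-CORE examples, trimmed and embedded so the code runs offline.

```python
import re

# Outputs below are the article's Dallas-CORE samples, trimmed, for offline use.
ARP_OUT = "Internet\t10.43.11.91\t\t0\t0007.ECB2.7A02\tARPA\tGigabitEthernet0/1\n"
MAC_OUT = ("Vlan\tMac Address\t\tType\t\tPorts\n"
           "----\t-----------\t\t----\t\t-----\n"
           "11\t0007.ECB2.7A02\tDYNAMIC\t\tGi0/1\n")
CDP_OUT = ("Device ID: Dallas-DIST01\nEntry address(es):\n"
           "  IP address: 10.30.0.11\nPlatform: Cisco 3750\n")
MAC_RE = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)

def mac_from_arp(output, ip):
    """MAC for an exact IP match in 'show ip arp' output, else None."""
    for fields in map(str.split, output.splitlines()):
        # Compare whole fields: the CLI 'include' filter is a pattern match
        # on the line, so 10.43.11.9 would also hit 10.43.11.91.
        if ip in fields:
            macs = [f.lower() for f in fields if MAC_RE.fullmatch(f)]
            if macs:
                return macs[0]
    return None

def ports_for_mac(output, mac):
    """Ports where 'show mac address-table' has learned this MAC."""
    rows = map(str.split, output.splitlines())
    return [r[-1] for r in rows if len(r) >= 4 and r[1].lower() == mac.lower()]

def cdp_neighbor(output):
    """(device_id, management_ip) from 'show cdp neighbor detail', else None."""
    dev = re.search(r"^Device ID:\s*(\S+)", output, re.M)
    ip = re.search(r"^\s*IP address:\s*([\d.]+)", output, re.M)
    return (dev.group(1), ip.group(1)) if dev and ip else None

def next_step(arp_out, mac_out, cdp_out, ip):
    """One pass of steps 2-5: hop to the next switch or stop at a port."""
    mac = mac_from_arp(arp_out, ip)
    if mac is None:
        return ("no-arp-entry", None)      # ping first, or read the MAC off the device
    ports = ports_for_mac(mac_out, mac)
    if not ports:
        return ("mac-not-learned", mac)
    neighbor = cdp_neighbor(cdp_out)       # empty output means no CDP neighbor
    if neighbor:
        return ("hop", neighbor[1])        # repeat from step 3 on this switch
    return ("found", ports[0])

if __name__ == "__main__":
    print(next_step(ARP_OUT, MAC_OUT, CDP_OUT, "10.43.11.91"))
    print(next_step(ARP_OUT, MAC_OUT, "", "10.43.11.91"))
```

A "found" result still needs the final check from step 5: count the MAC addresses on that port before concluding the device is directly attached.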

Wrapping it up

Finding a device on a network is simple, and you can do that in seconds by following this technique. Furthermore, this technique is extremely methodical and you can even automate it with a script. What do you think about that? Do you use this approach? Will automating it save time for you and your organization? Let me know in the comments!

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.

2019-01-24T16:30:38+00:00

Networking Fundamentals
