How to find a host by it’s MAC address
Read this article in Russian
In everyday work, it’s often necessary to determine the switch and port a user or device is connected to. To do it, you don’t have to look for it visually. All you need is to know its MAC address.
The point is that each switch stores information about all MAC addresses that showed at least any network activity in the last few minutes. Your task is to use this information wisely.
So, let’s say you need to find the switch port a user John is connected to. It’s known that the IP address of his computer is 192.168.10.100
There are two possible ways of how you can determine the MAC address:
- To execute the ipconfig /all command in the command line on the user’s computer
- To learn the MAC address remotely if you know the user’s computer IP address. It’s possible if you have access to a Cisco router or Cisco ASA firewall which is the default host gateway. The ARP table on these devices will contain the compliance of the MAC and IP addresses.
For searching, use the sh arp | inc x.x.x.x command, where x.x.x.x is the IP of the host we need.
R-DELTACONFIG-1# sh arp | inc 192.168.10.100
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.10.100 236 78ac.c0bb.74f2 ARPA Vlan10
As we see, the device with the 192.168.10.100 IP address has the 78ac.c0bb.74f2 MAC address and is located in VLAN 10.
Having determined the device’s MAC address, you can keep on searching for its direct location on the switch.
The show mac address-table command (it can sometimes be written with an additional hyphen instead of a space, like this: show mac—address-table) shows the MAC address table of all active devices that are connected to the switch.
SW-DELTACONFIG-1# sh mac address-table
Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 1111.1111.1111 DYNAMIC Fa0/1
2 2222.2222.2222 DYNAMIC Fa0/2
3 3333.3333.3333 DYNAMIC Fa0/3
4 4444.4444.4444 DYNAMIC Fa0/4
Usually, there are a large number of records shown at this table. For more convenience, you can filter the necessary МАС address. Usually, four last symbols will be enough. In our case, search for the 78ac.c0bb.74f2 MAC address looks so:
SW-DELTACONFIG-1#sh mac address-table | inc 74f2
10 78ac.c0bb.74f2 DYNAMIC Gi0/1
The output line shows that the host is located in VLAN 10 and is connected to a port of the Gigabitethernet 0/1 switch.
If you have a small office and all network is organized only using one switch, your search is finished. But if there are several switches in the network, it’s possible that you found not the final one. Sometimes, another switch is connected to the found port of the current switch. In this case, you should repeat search in the MAC addresses table of the neighboring switch.
If you have several switches in your office, use the sh cdp neighbors command to determine the name and address for running the neighbor switch. The command will show you names and related ports of all the Cisco switches that are connected to the current switch. The sh cdp neighborsdetail command will additionally show the IP addresses for controlling the neighbor switches.
SW-DELTACONFIG-1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Gig 0/1 123 S I WS-C3560G-Gig 0/18
Device ID (SW-DELTACONFIG-2) – the name of the neighbor device
Local Intrfce (Gig 0/1) – the local interface where the neighbor switch is connected to
Port ID (Gig 0/18) – the interface of the neighbor switch.
SW-DELTACONFIG-1#sh cdp nei detailNow you should connect to the neighbor switch SW-DELTACONFIG-2 with the running address 192.168.1.202 and find the necessary MAC address there.
Device ID: SW-TEST-2
IP address: 192.168.1.202
Platform: cisco WS-C2960-24TT-L, Capabilities: Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): GigabitEthernet0/18
Holdtime : 144 sec
With proper skill, this method will allow you to find hosts in a network of any size in no more than a couple of minutes without evenstep away from your workplace.