Is it possible to match an internal IP address to a switch port?

Question

I'm trying to find a computer that has a certain IP address on our internal network. I have identified the computer name from DNS, but in this case it does not help me.

Just wondering if I can somehow tie the IP to a switch port, and track it from there? If so, how?

score 15 · Accepted Answer · answered May 20 '09 at 22:24

Given an IP address, you should be able to find the MAC address of the corresponding host.

arp -a

On both Windows and Linux will show you the arp cache of that host, mapping IPs to MAC addresses. (Note that this will need to be run on a machine that is on the same IP subnet as the machine you are trying to find).

Once you have the MAC address, log on to the switch you suspect the rogue host is connected to, and search the MAC address table for that address. (The MAC address table is also called the bridging table, or the CAM table).

For example, on Cisco IOS based switches, the following command:

show mac-address-table address <MAC address>

Will show you the port that a given MAC address was last seen on. If the resulting port is a link to another switch, log on to that switch and run the command again. Repeat until you end up with a host port, and you should have your culprit.

Note that this approach will only work if you have a managed switch that allows its MAC address table to be queried. Failing that, it's going to be a case of manual elimination; find each port that you know isn't the rogue machine, until you're left with one port your can't account for. Good luck.

score 5 · Answer 2 · answered May 20 '09 at 22:25

As others have mentioned, there is no direct way to determine what IP is connected to a certain switch port. The reason is that an Ethernet switch works at L2 of the OSI Model, and typically does not inspect higher level layers (Layer 3 -> IP Address). (There are some exceptions in newer hardware)

One important note, to use the ping / ARP trick you'll need to use a device on the same VLAN or subnet as the device you are searching for. Otherwise, you will only see the MAC address of the default gateway in the ARP table.

Here's the procedure I recommend, if possible.

Source and Destination on the same VLAN

Issue a ping to the device you are trying to locate.
Once it returns successfully, look in the ARP table to find the MAC address of said device.
Log onto the switch itself and look through the MAC address table for the address found in step 2. (The MAC address table can also be called a CAM table). The MAC address table provides a mapping of MAC addresses to switch ports.

Source and Destination on different VLANs

From the core router or suspected default gateway, issue a ping. Obviously, this works best if all routing is done on the same device.
If there are multiple L3 interfaces, you might need to "walk" through the network going from L3 interface to L3 interface performing the ping / ARP check until you find the one that serves as the default gateway for the device you are searching for.
Once you find it, you can then log into the switch and search the MAC address table to find the port.

l0c0b0x · Answer 3 · 2013-01-14T18:03:38.297

3

Check the ARP cache on your switch(es) to find the MAC and Switch Port associated with that IP of the device. This articles should help you:

edited Jan 14 '13 at 18:03

answered May 20 '09 at 22:04

l0c0b0x

11,697
6
46
76

3

A minor detail - ARP caches are found on L3 devices (routers, hosts), and will provide only the MAC address associated with the IP. MAC address tables (or CAM tables) will then allow the MAC to be mapped to a physical port. – Murali Suriar May 20 '09 at 22:55
The second link gives just an error. – Lauritz V. Thaulow Jan 14 '13 at 09:48
@lazyr error link fixed. – l0c0b0x Jan 14 '13 at 18:04

score 1 · Answer 4 · answered May 20 '09 at 22:08

You didn't specify which operating systems you have available to you on the network, but most of them have an arp command. You can use the arp command to find out what the MAC address is of a host with a give hostname (assuming you are on the same network as the host).

Then you have to check in the ARP caches of your switches to find what port that MAC address is on.

score 1 · Answer 5 · answered May 20 '09 at 22:09

There is no 1:1 mapping between physical interfaces and IP addresses. One port on a switch may handle traffic for many machines (if another switch is daisy chained), and one switch port may forward traffic for more than one IP (if the machine is multi homed).

If you have a sufficiently advanced switch you can look in the management screens of the switch to see if it lists MAC addresses that it has heard on a particular port.

Alternatively, assuming the computer you wish to find isn't too far away (logically) you could try sending a large amount of traffic to it, say ping -f, which should allow you to trace the port the machine is on by looking at the activity lights.

score 1 · Answer 6 · answered Jun 02 '09 at 14:34

1

If the switch supports snmp, you can get mac table information remotely, which should have the mapping of physical port and mac address connected to the port.

answered Jun 02 '09 at 14:34

tomoe

430
2
5

We use this and a few scripts to populate a live database table of what IP's have been seen on the network and where we saw them. Cross-reference that with a switch-port/wall-jack database, and we can get physical location too. – sysadmin1138 Jun 02 '09 at 14:40

Is it possible to match an internal IP address to a switch port?

6 Answers6

Linked