There are times when I need to identify a host connected to a switch and I’m unable to because the switch port description is nondescript or blank. Checking the physical connection isn’t always necessary and sometimes impractical when remote equipment is involved. From my desk, there are some basic troubleshooting commands that are useful for identifying connected hosts. I will outline the use of these commands and how easy the process is.
Find the MAC address
First, login to the switch where the device is plugged in. Note the port it’s plugged into. Then, issue the following command:
Switch#show mac-address-table interface fa0/1 Vlan Mac Address Type Ports ---- ----------- -------- ----- 1 aaaa.bbbb.cccc DYNAMIC Fa0/1 Total Mac Addresses for this criterion: 1
As you can see from the output, the MAC address on fastethernet 0/1 is aaaa.bbbb.cccc.
Find the IP address
Login to the router that is the default gateway for the host we’re identifying. From the router, issue the show arp command and pipe (|) it with the MAC address from the previous step to refine the results.
Router#show arp | include aaaa.bbbb.cccc Protocol Address Age (min) Hardware Addr Type Interface Internet 192.168.1.50 5 aaaa.bbbb.cccc ARPA FastEthernet0/0
Now we have the IP address – 192.168.1.1!
Sometimes the router does not return anything. This may happen if I’m logged into the wrong router or if the device hasn’t sent any traffic recently and the ARP entry aged out of cache. In these situations, I’ll typically go back to the switch and bounce the port by issuing the shutdown then no shutdown commands. This may be enough to generate some traffic on the port and consequently populate the arp cache on the router.
Now that the IP address of the device has been identified I’ll use nslookup to see if there is a PTR record for 192.168.1.50.
First, I’ll type the nslookup command, and then the DNS server’s address:
user@ubuntu:~$ nslookup > server 192.168.1.10 Default server: 192.168.1.10 Address: 192.168.1.10#53
Next, I’ll type the IP address that I’m looking up:
> 192.168.1.50 Server: 192.168.1.10 Address: 192.168.1.10#53 18.104.22.168.in-addr.arpa name = hr1.corpnet.com.
DNS server 192.168.1.10 returned hr1.corpnet.com. as the fully qualified name for 192.168.1.50. I can now label my switch port appropriately.
If the reverse lookup resulted in a name that I didn’t recognize or no name at all, there are a few more things I can do before heading to the networking closet to track down the device:
- RDP or VNC to the IP. The device may be remotely accessible.
- Port scan the device. If any ports are open, like 22 or 80, I will try SSH’ing to the IP or typing it into my browser. Some port scanning software also has fingerprinting capabilities and may be helpful in determining what the device is.
If I’m still unable to determine what the host is, I’ll head to the networking closet to track down the device.
The show mac-address-table and show arp commands are extremely useful IOS commands that I use almost daily. There are plenty of scenarios in which these commands are applicable. I would recommend getting familiar with the different variations of these commands and how they can help you track down hosts on your network.
Variations of show arp and show mac-address-table include:
Router# show arp | inc a.b.c.d Router# show ip arp a.b.c.d
Both commands return an ARP entry for IP a.b.c.d. The first command is useful if you want to find a partial match (i.e. IPs starting with 192.168.1.)
Switch# show mac-address-table address aaaa.bbbb.cccc
I use this when I know the MAC address of the device and need to find the interface the host is connected to.