Every now and then, our anti-virus infrastructure will let a bug slip through the cracks. Sometimes, a user installs software at home on their laptop and decide to plug it into your network. This might cause your network intrusion protection systems to go a little nuts. You might have to find that computer and what port it is plugged into on your switch. That might seem easy if you have a small network, but what about when your network is large. Sounds daunting, but luckily it is quite easy. I had to do this recently and thought I’d document my steps for others.
ASSUMPTIONS: I am using an entire cisco switch infrastructure with cisco routers.
- Secure Shell to your router or switch (You don’t still use telnet, do you?)
- Ping the IP address you need to find (IE: ping 192.168.1.1).
- Lets find out what the MAC address is by issuing this command with the IP address: show arp | include IPADDRESS
- Now, you know the MAC address of the machine in question. Now, we need to know what VLAN it is on and/or what port that device is sourced from. Issue this command: show mac-address-table | include MACADDRESS
- Now, you know what VLAN it is on (You probably already knew that) and what port it is sourced on (IE: gig 2/1). What is the device on gig 2/1? Issue this command: show cdp neighbor gig 2/1 detail.
- Now, if 2/1 is another switch you know the IP address of that switch. Repeat steps 1 – 5. Continue until the MAC address is on a switchport which is not a trunk port or another switch. When you find it, that’s the port your device is on!
Happy Hunting!!
Other Links: