Networking

How to determine what device is on what port on your Cisco switch

When your network is in crisis, it's important to know which device is connected to which switch port without having to run to the network room. David Davis discusses network analysis applications and switch port mapping tools that you want to have in place before you're in crisis mode.

Your network grinds to a screeching halt. All the switch port lights are solid, and your only theory is that the network is under attack. What do you do?

The first step is to fire up your network protocol analyzer and capture data off of the core switch. From your protocol analyzer, you see that an IP address is flooding the network with unidentifiable traffic. From the packet, you get the MAC address. Now you need to find the location of the PC.

You know that the PC must be connected to any one of a few hundred Ethernet patch panel ports in the network room; those switch ports go to ports on the Ethernet switch. If you could tell which MAC address is on which switch port, you could identify the PC and either shut down the switch port or go to the office where the PC is and shut it down.

Here are various solutions that may help you determine which device is connected to which port on your Cisco switch.

An appliance solution

At Interop 2007, I spotted an interesting solution from porttracker. The U. K.-based company offers a dedicated appliance called porttracker that maps your network for you. This solution tries to solve three issues: (1) ports going unused (porttracker refers to this as port wastage); (2) reduce downtime and know "what is connected where"; (3) identify at-risk ports.

Software applications

There are a vast number of software applications out there to help you in this situation. Here are a few that I think are worth checking out.

  • Northwest Performance Software's Managed Switch Port Mapping Tool uses SNMP to communicate with switches and to find out what is attached where. It works with different brands of switches; it shows VLAN assignments; and it exports to a spreadsheet. The standalone price for the tool is $199, and there is 15-day free trial.
  • ManageEngine offers the Switch Port Mapper Tool, which handles multiple brands of switches and imports cable port mappings. See the ManageEngine site for detailed pricing information.
  • Netxar Technologies' SwitchInspector maps switch ports. The cost is $99, and there is a 15-day trial download.
  • SolarWinds' LANsurveyor automatically discovers and diagrams your network and what is connected where. It does more than the other packages, which is why it has a price tag of $1,995.
  • SolarWinds' Switchport Mapper is similar to LANsurveyor, and it's part of SolarWinds' Engineer's Toolset. The suite runs about $1,400, and the company offers a 30-day evaluation.

Note: My search didn't turn up any free open-source products. If you know of any open source products that map switch ports, please post your recommendations in the article discussion.

The Cisco IOS CLI command

The easiest way to see which Ethernet MAC address is on which port is to use the show mac-address-table command. Here is an example:

switch# show mac-address-table
          Mac Address Table

-------------------------------------------

Vlan    Mac Address       Type        Ports

----    -----------       --------    -----

   1    0007.e9e2.2d7d    DYNAMIC     Fa0/5

   1    0009.0f30.07e9    DYNAMIC     Fa0/48

   1    0009.5bbc.af04    DYNAMIC     Fa0/28

  1    00e0.bb2c.30d1    DYNAMIC     Gi0/1

   1    00e0.bb2c.3e5f    DYNAMIC     Gi0/1

Total Mac Addresses for this criterion: 5

Switch#

(The MAC address table is truncated for brevity.)

With the command, you can figure out which MAC address is on which port. When you use the command, you have to go to each switch and run the command. If the network is down, you will have to go to the console of each switch. If you had one of the applications above, you should have been able to map out which MAC address (and even which PC name) is on every switch in the network.

If the scenario I describe at the beginning of the article does happen, you could reference your spreadsheet or printout of which device is connected where.

Summary

When your network is in crisis, it's important to know which device is connected to which switch port without having to run to the network room, hook up a console cable, and/or trace cables from switches to wall ports. By having network analysis applications and switch port mapping tools available ahead of time, you may be able to resolve the problem on your network before it actually becomes a crisis.

David Davis has worked in the IT industry for more than 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

37 comments
paulroberts
paulroberts

I've noticed porttracker now supports non-Cisco kit, they also now support LLDP as well as CDP. From their web site: v2.1 new features: * An increase in the number of supported vendor switches to include Nortel Baystack and Huawei Networks in addition to HP Procurve, 3Com, Cisco and Extreme Networks

rbandyo
rbandyo

How to determine what device is on what port on your HP Procurve switch? Is it same? If not, please it.

stevej
stevej

Many core switches use the COS operating system not IOS. Good commands to know in COS are: show cam [mac_address] show cam dynamic [port_number]

jrensink78
jrensink78

CiscoWorks also is useful for finding what port a user is connected to. It has a User Tracker feature that you can do searches on using many criteria (IP, MAC, host name, etc). It's not real-time info, but it's pretty reliable unless your users are extremely mobile. If you have a well designed network, you can usually just track it down using the 'show mac-address-table" command once you know the MAC address. Start at the core, and you should only have to go one or two switches out to find the port. Obviously if you can't remote in, this is not a desirable method. Lastly, it can be nice to identify the user associated with the PC. If your users are like mine, they will just plug their PC into a different network block once you shut down their port or switch to wireless on laptops. I will use a Microsoft SMS query to identify the PC name and last logged in user so I can call them. An alternate method is looking up the MAC address in your DHCP management console or logs to identify the computer. Again CiscoWorks will also give me their computer name.

wepollak
wepollak

Hi: I do a Ping on the IP address of the device, then I do an show arp to identify the mac addresss of the device, then I do a show mac-address with the mac address i learned in from the arp.

georgeou
georgeou

That's why I always label my ports when I set it up. That way the names that I picked automatically come up in SNMP management tools and it makes the job a lot easier. You don't need "documentation" that no one can find and read, the stuff is already in the configuration.

res0p9px
res0p9px

finding any info other than the hp manual from the hp site??

gjohnson
gjohnson

I'm suprised no one mentioned this. After you've captured the traffic and identified the IP address that is causeing the problem, look in the DHCP server and bingo, you know what machine is causing the problem. Look in the docs and you know what port that machine is connected into.

david.waters
david.waters

As shown in the original article once I know the mac address of the offending machine I use the show mac-address-table but I add the end portion of the mac address and pipe through the include. So if I have a mac of afbe.17e2.bf12 I frame the command like so: show mac-address-table | i bf12 This gives me only the port with the offender attached.

jrensink78
jrensink78

The ping/ARP combo only works if you are on the same VLAN I believe. If you are spanning VLANs, and the problem is a Windows box, you can also do an nbtstat command to discover the MAC address.

asanabria
asanabria

I wrote this script http://www.linuxdynasty.org/howto-find-the-port-on-a-switch-that-a-host-belongs-to-the-easy-way-part-1.html This script will do 1 of 4 things for you... 1. Scan a switch for a IP address and report what Port it is plugged into 2. Scan a switch for a MAC address and report what Port it is plugged into 3. Scan a Port on a Switch and find out what MAC Addresses/IP Address are plugged into it. 4. Scan a switch and report every MAC/IP/VLAN..etc that is plugged into every port. This is a Python script so it will run on Linux with just a few modifications. This will run on windows as well but with a few more steps involved. The instructions are on m site. I'm also in the process of turning this script into a windows exe file.

bouska
bouska

I'am using opensource monitoring tool (primary SNMP) http://cacti.net/. And there is plugin MACtrack which works nice.

bill.friday
bill.friday

Does a nice job of associating the macadress, IP and name of system in one command. Thanks, Bill

merlinpr
merlinpr

http://www.zenoss.com/ This is a Network Management System but it has a feature that might help with this. Once you add the device it will list all of it's interfaces with IP address (if L3 or a VLAN), MAC address, and description (if you labeled it on your device). This tool is highly customizable allowing you to create custom parts. I for example am working on a script to allow me to use CDP to get the hostname of the device plugged in to an interface (in the case of switches and phones).

speculatrix
speculatrix

whilst you can use cisco discovery protocol to map your network, this doesn't help find servers. procurves understand CDP and also LLDP, and there's an LLDP daemon you can install on unix/linux which means your switches can then determine what's connected.

option12
option12

I use: traceroute mac ip GATEWAYIP IPTOFIND try that from the relevant layer 3 device. Of course that can be complicated on larger networks, but our IP ranges are well enough organized that I can get to the right layer 3 pretty quickly most of the time. It does have trouble with bridged vlans, and I use it on an all cisco network...

lesko
lesko

we do our labeling based on which cable closet the ports go, which rack in that cable closet, which panel in that rack and which port in that panel. Then we have a spreadsheet with a table that maps that port with another label that shows the building, the floor in the building and the grid in the building based on pillars so when the walls move you can still find it. for example closet 1, rack 1 panel A port 42 the label would be config_if#description 11A42 the label is in both the user side and the closet side so when the user phones you can just ask them port tell you the port number they are in and you know where they are if you are the one tracking them down you can look at the port label and check it with the building grid table and you know how to track the user down. You could also add the building grid in the label also hope this helps someone out there planning on organizing their network or someone just starting fresh

biton.walstra
biton.walstra

what's wrong with: AR05Z2#sh mac-address-table address ? H.H.H 48 bit mac address AR05Z2#sh mac-address-table address xxxx.xxxx.xxxx.xxxx this gives you the port where that mac address (xxxx.xxxx.xxxx.xxxx) is connected to...

Photogenic Memory
Photogenic Memory

Apologies for the confusion. When you login and configure an interface; it does allow you to set description for it like this.: config#config-t config#int e0 config-if#descrip peanutbutter Is that what you meant? I definitely know a label maker can help aswell, LOL! Can you set specific descriptions for VLAN interfaces too? I need a cluepon here. Thanks.

kaumell
kaumell

On gutsy gibbon, I'd like to know how to enable it to discover attached devices. No IP's show up under the device. Description does.

christian.sablock
christian.sablock

Absolutely nothing! There's several ways to accomplish the task. The blogged example being the least useful.

lesko
lesko

config#vlan 1 config#name do_not_use_this_vlan can't have spaces in vlan names I dont remember how to do it the old way (VLAN database outside the config more)

Navy Moose
Navy Moose

That is how I label ports on switches. I don't remember if you can label VLAN interfaces.

creature361978
creature361978

i need complete help for installing net disco on redhat I am new to linux

kaumell
kaumell

Wow. Thanks a million - that helps me consolidate the number of things I look at every day.

btran
btran

I have pretty successful with NetDisco. Not only you can map ports, you can enable and disable it fairly easy. If you know a MAC or IP of the device, you can search for it in matter of seconds... Best,

merlinpr
merlinpr

To discover devices you have to options. If you have SNMP working on your zenoss box you can follow these instructions: http://www.zenoss.com/community/docs/zenoss-guide/2.1/ch09s06.html Otherwise you can do this (which is the way I did it): 1. Click on Networks (under Browse By) and add your networks using CIDR notation. 2. Open a terminal on your Zenoss server and do the following: a. Login as the zenoss user b. cd to /usr/local/zenoss/bin c. run "zendisc run --net=0.0.0.0 (NOTE: replace the 0s with the subnet you're scanning and do it with all of them one by one) 3. You can now go to devices on your zenoss page. All devices will be listed under the Discovered class. You can individualy add them to a different class if you'd like. What I did was to add my switches, routers, and servers manually and then used zendisc to scan the network for computers.

nolan
nolan

write your own app? That's what we did. We have a database with all the assets, and another that runs php that queries the boxes via snmp and returns the port and what mac address is associated with each. In the database, you map the mac address with the asset information and voila` you have everything you ever wanted. With this method, I can tell you when someone plugged in, plugged out, how long they stayed, where, etc.

bart.thoen
bart.thoen

For those of you who would like to use spaces in their Vlan names/interfaces descriptions; one can actually use spaces after all if you put the name between "". For instance: config#vlan 1 config#name "Spaces allowed!" results in a vlan name being 'Spaces allowed!'

PetersML
PetersML

switch# vlan database switch(vlan)# vlan 2 name sales switch(vlan)# exit switch# When you create your vlan under "vlan database mode", you can add a descriptive name to the vlan.

briandao
briandao

yes you can put desc on vlan int just as you would to hp's procurve

pbraunsc
pbraunsc

I manage a metro area network with switches located in over 100 facilities throughout our small community. We are very fortunate to have Ciscoworks which is not an inexpensive product but can pay for itself in short order. One of the tools ?User Tracking? continually monitors all ports, IP and Mac address traffic using the ports. You can at any time search the data base to find who is using what port anywhere on the network. This system continually monitors changes, documents, tracks IOS, upgrade IOS configurations and changes. Error reports are generated letting you know areas that need attention. I know companies that have this product and administrators do not take the time to learn the functions. With resources being limited this tool is like having an extra staff person working for you 2 hours per day. I am able to manage the large metro network supporting over 5000 users and 1000+ VoIP phones on the network. This is done with Ciscoworks and me.

paul.malmquist
paul.malmquist

Yes, you can add description to any interface, including VLAN interfaces.

avpascal
avpascal

IIRC on HP Procurve managed switches you can assign whatever name / description you like for the defined VLANs. I'm not sure about Cisco though - I only used a 2950T a couple of years ago, and I didn't mess with it again once I put it in place.

Editor's Picks