Tuesday, July 8, 2008

Tracking down a computer to a location

Issue:
You have a computer on your network and need to find out where it is physically located.



Quick:
If you have Cisco switches, telnet to your core switch and run "sh arp | inc IpOfMachine". Get the MAC address from that output and run "sh mac-address-table address MacAddr". This tells you which port the MAC address was learned on. If that port goes to another switch, repeat the "sh mac-address-table address MacAddr" command on the next switch. Do this until you find the end device port.


Learning:
Open a command window in Windows.

Ping the name of the computer to get the IP address:
>ping NameOfLostComputer (make note of the IP address)

In my example the IP address is 172.20.1.201.
We have Cisco switches, so I log on to our main core switch from a command prompt:

telnet 172.16.5.1 (enter password to log on)
>ping 172.20.1.201 (ping the IP you are looking for, to update the ARP table)
Here is the show arp command that I use next:

I see the entry:
Internet 172.20.1.201 1 0013.d435.3169 ARPA Vlan10

Now I need to know where the entry came from, so using the MAC address from the line above I type the command:
>sh mac-address-table address 0013.d435.3169

I see this table displayed:

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    0013.d435.3169    DYNAMIC     Gi1/0/24


This table tells me that the MAC address of my lost computer was learned from gigabit port 1/0/24, so what is that port connected to? In my case I have a network map that shows how my switches are connected, so I can use that; otherwise I would probably have to trace the cable on that port to the next switch.

You could also use the following command to get the name of the next switch:
>sh cdp neighbors gi1/0/24
I see:
Device ID Local Intrfce Holdtme Capability Platform Port ID
SJSwitchGig 1/0/24 166 S I WS-C3560-4Gig 0/1

Here you see that gi1/0/24 connects to SJSwitchGig, so I telnet to that switch next:
- Note to self: make a table of switch names and IP addresses, or add them to the network map. Probably a good idea to add these switch names to DNS as well so I can telnet directly using the switch names.

>telnet 172.16.5.254 (this is the IP of the next switch according to my map)
I log in and look for the MAC address of my lost computer on this switch:

>sh mac-address address 0013.d435.3169

And there I see it in the following table:

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0013.d435.3169    STATIC      Fa0/37

From this I see that the device is connected to Fast Ethernet port 37. This is an edge switch so from here I know that I connect to the patch panel going to the computer.
This goes to patch panel 18. Here it is handy to have a floor plan of the building with all of the patch port locations on it. From our floor plan map I was able to locate my lost computer.
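
The same hop-by-hop trace run over saved switch output, as an added example that is not part of the original post. The captures are constructed from the output shown above; the switch name "core", the CDP rows and the platform strings are assumptions, and the function names are hypothetical.

```python
import re

# Constructed captures modelled on the post's output ("core" and the cdp rows are assumed).
CAPTURES = {
    "core": {
        "arp": "Internet  172.20.1.201   1   0013.d435.3169  ARPA   Vlan10",
        "mac": "   2    0013.d435.3169    DYNAMIC     Gi1/0/24",
        "cdp": "SJSwitchGig      Gig 1/0/24     166     S I    WS-C3560   Gig 0/1",
    },
    "SJSwitchGig": {
        "mac": "  10    0013.d435.3169    STATIC      Fa0/37",
        "cdp": "core             Gig 0/1        170     S I    WS-C3750   Gig 1/0/24",
    },
}

def norm_port(name):  # 'Gig 1/0/24' (cdp) and 'Gi1/0/24' (mac table) -> 'gi1/0/24'
    m = re.match(r"\s*([A-Za-z]{2})[A-Za-z]*\s*([\d/]+)", name)
    return (m.group(1) + m.group(2)).lower() if m else None

def lookup(text, key_col, key, val_col):
    """First row whose whitespace-split column key_col equals key -> column val_col."""
    for line in text.splitlines():
        f = line.split()
        if len(f) > max(key_col, val_col) and f[key_col].lower() == key:
            return f[val_col]
    return None

def cdp_neighbor(cdp_text, port):
    """Device ID of the CDP neighbour on port, or None when the port is an edge port."""
    for line in cdp_text.splitlines():
        m = re.match(r"(\S+)\s+([A-Za-z]+ ?[\d/]+)\s+\d+\s", line)
        if m and norm_port(m.group(2)) == norm_port(port):
            return m.group(1)
    return None

def trace(ip, start, captures):
    """Return (mac, [(switch, port), ...]); the last hop is the port to walk to."""
    mac = lookup(captures[start]["arp"], 1, ip, 3)
    if mac is None:
        raise LookupError(f"{ip} not in ARP table on {start}; ping it from the switch first")
    path, switch = [], start
    while switch in captures and switch not in {s for s, _ in path}:
        port = lookup(captures[switch]["mac"], 1, mac, 3)
        if port is None:
            break
        path.append((switch, port))
        switch = cdp_neighbor(captures[switch].get("cdp", ""), port)
    return mac, path

if __name__ == "__main__":
    print(trace("172.20.1.201", "core", CAPTURES))
```

The trace stops on the first port that has no CDP neighbour, which is why the uplink row on the edge switch does not send it back to the core.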

1 comment:

Anonymous said...

This is the best set of instructions I have seen. I am going to post on the Cisco Board.