Tuesday, July 8, 2008

Tracking down a computer to a location

You have a computer on your network and need to find out where it is physically located.

If you have Cisco switches, Telnet to your core switch and "sh arp (pipe symbol) inc IpOfMachine", Get MAC and do "sh mac-address-table address MacAddr", This tells you what port the information came from. If that port goes to another switch repeat the "sh mac-address-table address MacAddr", command on the next switch. Do this till you find the end device port.


Open a command window in Windows.

Ping the name of the computer to get the ip address:
>ping NameOfLostComputer (make note of the ip address)

In my example the ip address is
We have Cisco switches so I logon to our main core switch from a command prompt:

telnet (enter password to logon)
>ping (ping the ip you are looking to update arp table)
Here is the show arp command that I use next:

I see the entry:
Internet 1 0013.d435.3169 ARPA Vlan10

Now I need to know where the entry came from, so using the MAC address from the line above I type the command:
>sh mac-address-table address 0013.d435.3169

I see this table displayed:

Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
2 0013.d435.3169 DYNAMIC Gi1/0/24

This table tells me that the MAC address of my lost computer was learned from gigabit port 1/0/24, so what is that port connected to? In my case I have a network map that shows how my switches are connected so I can use that, otherwise I would probably have to trace the cable on that port to the next switch.

You could also use the following command to get the name of the next switch
>sh cdp neighbors gi1/0/24
I see:
Device ID Local Intrfce Holdtme Capability Platform Port ID
SJSwitchGig 1/0/24 166 S I WS-C3560-4Gig 0/1

Here you see that gi1/0/24 connects to SJSwitchGig so I telnet to that switch next:
- Note to self to make a table of switch names and ip addresses or add to network map. Probably a good idea to add these switch name to DNS as well so I can telnet directly using the switch names.

>telnet (this is the IP of the next switch according to my map)
I login and look for the MAC address of my lost computer on this switch

>sh mac-address address 0013.d435.3169

And there I see it in the following table:

Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0013.d435.3169 STATIC Fa0/37

From this I see that the device is connected to Fast Ethernet port 37. This is an edge switch so from here I know that I connect to the patch panel going to the computer.
This goes to patch panel 18. Here it is handy to have a floor plan of the building with all of the patch port locations on it. From our floor plan map I was able to locate my lost computer.

1 comment:

Anonymous said...

This is the best set of instructions I have seen. I am going to post on the Cisco Board.