Tracing an IP via Mac Address on Cisco Hardware
For any IT related company in ownership of IP space using Cisco hardware, it is usually good practice to assign specific subnets to clients in their own vlan, with IPv4 space becoming sparse this will usually be something as low as a /30 or even a /32. Although this makes administration a lot easier there are still companies that distribute entire /24 blocks in one vlan and distribute a few IP’s from this pool, trusting that they will only use the IP’s they have been assigned. This is all well and good however you are purely relying on trust here, and from time to time clients may attempt to take advantage of the situation and use additional IP’s that do not belong to them. There is also the scenario where you simply may have mistakenly assigned somebody the wrong IP address. Fortunately we can quite easily track the culprit port on the Cisco with a few simple commands.
The first step is to ping the IP in question from another IP within that subnet, this is important as it will show up in the arp table and display the mac address we require. Once you have sent a ping to the port in question, in windows command prompt type arp – a, in Linux simply just type arp. Arp stands for address resolution protocol and is used for resolution of network layer addresses into link layer addresses, here we will be able to see the IP we have just pinged and the mac address we have associated with it.
The next thing we need to do is login to our cisco devices, here we have logged onto our router and broke the 12 character mac address into 3 sections of 4 separated by a dot for Cisco to understand:
This shows the mac address of the server you are looking for, the formatting can vary however the formatting needed by cisco routers/switches will be XXXX.XXXX.XXXX. You can see here that the address is being broadcasted from port Gi1/8. Running a simple ‘show int status’ will reveal more information on the port if you have labelled properly.
You can then locate the server in question/stop why it appears to be broadcasting an IP that does not belong to them, all very simple and will quickly resolve any IP conflicts that could be effecting you or your clients.