Is it possible to match an internal IP address to a switch port?

Solution 1:

Given an IP address, you should be able to find the MAC address of the corresponding host.

arp -a

On both Windows and Linux, this will show you the ARP cache of that host, mapping IPs to MAC addresses. (Note that this will need to be run on a machine that is on the same IP subnet as the machine you are trying to find.)

Once you have the MAC address, log on to the switch you suspect the rogue host is connected to, and search the MAC address table for that address. (The MAC address table is also called the bridging table, or the CAM table).

For example, on Cisco IOS based switches, the following command:

show mac-address-table address <MAC address>

will show you the port that a given MAC address was last seen on. If the resulting port is a link to another switch, log on to that switch and run the command again. Repeat until you end up with a host port, and you should have your culprit.

Note that this approach will only work if you have a managed switch that allows its MAC address table to be queried. Failing that, it's going to be a case of manual elimination; find each port that you know isn't the rogue machine, until you're left with one port you can't account for. Good luck.
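The lookup chain described in Solution 1, as an added example that is not part of the original answers: it parses saved `arp -a` output (Windows or Linux layout) and saved MAC address table rows, then follows the MAC across inter-switch links until it reaches a host port. All sample output is constructed, and the function names and the `UPLINKS` map (which port leads to which switch) are assumptions for illustration.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)
# Constructed sample data, not captured from a real network.
ARP_WINDOWS = """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.57          00-50-56-AB-CD-EF     dynamic
  192.168.1.5           00-1a-2b-3c-4d-5e     dynamic
"""
ARP_LINUX = ("? (192.168.1.57) at 00:50:56:ab:cd:ef [ether] on eth0\n"
             "? (192.168.1.99) at <incomplete> on eth0\n")
MAC_TABLES = {  # switch name -> saved MAC address table rows (Vlan, Mac Address, Type, Ports)
    "core": "  10    001a.2b3c.4d5e    DYNAMIC     Gi0/2\n"
            "  10    0050.56ab.cdef    DYNAMIC     Gi0/24\n",
    "access1": "  10    0050.56ab.cdef    DYNAMIC     Fa0/7\n",
}
UPLINKS = {("core", "Gi0/24"): "access1"}  # assumed: inter-switch links known from documentation

def norm_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def mac_for_ip(arp_output, ip):
    """Return the normalized MAC for ip from `arp -a` output, or None."""
    # Lookarounds stop 192.168.1.5 from matching inside 192.168.1.57.
    exact_ip = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    for line in arp_output.splitlines():
        mac = MAC_RE.search(line)  # incomplete entries carry no MAC and are skipped
        if mac and exact_ip.search(line):
            return norm_mac(mac.group())
    return None

def port_for_mac(table_output, mac):
    """Return the port a MAC was last seen on, or None if it is not in the table."""
    for line in table_output.splitlines():
        found = MAC_RE.search(line)
        if found and norm_mac(found.group()) == mac:
            return line.split()[-1]
    return None

def trace(ip, arp_output, switch, tables=MAC_TABLES, uplinks=UPLINKS):
    """Follow the MAC from switch to switch until it lands on a host port."""
    mac, seen = mac_for_ip(arp_output, ip), set()
    while mac and switch not in seen:
        seen.add(switch)
        port = port_for_mac(tables.get(switch, ""), mac)
        if port is None or (switch, port) not in uplinks:
            return (mac, switch, port) if port else None
        switch = uplinks[(switch, port)]
    return None  # no usable ARP entry, or the uplink map loops
```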

Solution 2:

As others have mentioned, there is no direct way to determine what IP is connected to a certain switch port. The reason is that an Ethernet switch works at L2 of the OSI Model, and typically does not inspect higher level layers (Layer 3 -> IP Address). (There are some exceptions in newer hardware.)

One important note: to use the ping / ARP trick you'll need to use a device on the same VLAN or subnet as the device you are searching for. Otherwise, you will only see the MAC address of the default gateway in the ARP table.

Here's the procedure I recommend, if possible.

Source and Destination on the same VLAN

  1. Issue a ping to the device you are trying to locate.
  2. Once it returns successfully, look in the ARP table to find the MAC address of said device.
  3. Log onto the switch itself and look through the MAC address table for the address found in step 2. (The MAC address table can also be called a CAM table). The MAC address table provides a mapping of MAC addresses to switch ports.

Source and Destination on different VLANs

  1. From the core router or suspected default gateway, issue a ping. Obviously, this works best if all routing is done on the same device.
  2. If there are multiple L3 interfaces, you might need to "walk" through the network going from L3 interface to L3 interface performing the ping / ARP check until you find the one that serves as the default gateway for the device you are searching for.
  3. Once you find it, you can then log into the switch and search the MAC address table to find the port.

Solution 3:

Check the ARP cache on your switch(es) to find the MAC and Switch Port associated with that IP of the device. These articles should help you:

  • http://www.petri.co.il/csc_arp_cache.htm
  • http://ccnpsecurity.blogspot.com/2011/11/using-mac-address-table-and-arp-cache.html

Solution 4:

You didn't specify which operating systems you have available to you on the network, but most of them have an arp command. You can use the arp command to find out what the MAC address is of a host with a given hostname (assuming you are on the same network as the host).

Then you have to check in the ARP caches of your switches to find what port that MAC address is on.