Finding Physical Location of Rogue Device

[life036]

Hello,

There is a device on my network somewhere that is using an IP address that it is not supposed to, and I'd very much like to track it down. Problem is, I've got 6 48 port cisco switches sprawled out here all connected by fiber to a central core.

Anyone have any ideas how I can track down the physical location, or even the machine name of this thing?

Thanks,
Chris

 

[jdeisenm]

This is answered in the cisco forum but here are the steps.

Do an nbtstat -a 111.222.111.222
of the rogue device.
That will give you the mac address, workgroup and computer name.

Get a console on the device that is the default router for the rogue device.

run this command.
show mac-address-table | inc aabb
(where aabb is the last 4 digits of the mac address)

This will tell you on which interface the switch/router sees the rogue device. Determine if the rogue is directly connected to the switch or connected to a downstream switch. You can use CDP "sh cdp neighbors" or "sh cdp n detail" to determine the name/ip of the downstream switch.
Go the downstream switch and run
show mac-address-table | inc aabb

you can paste something like this from notepad to speed the process

password
en
enablepassword
show mac-address-table | inc aabb

If you know the layout of your network, this process can be quite quick. Or, if you have the connections documented in the interface descriptions that also helps.

 

[life036]

Thanks for the advice! I'll follow these instructions and let you know what I come up with.

Chris