Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Finding Physical Location of Rogue Device

Status
Not open for further replies.

life036

IS-IT--Management
Mar 29, 2005
25
US
Hello,

There is a device on my network somewhere that is using an IP address that it is not supposed to, and I'd very much like to track it down. Problem is, I've got 6 48 port cisco switches sprawled out here all connected by fiber to a central core.

Anyone have any ideas how I can track down the physical location, or even the machine name of this thing?

Thanks,
Chris
 
This is answered in the cisco forum but here are the steps.

Do an nbtstat -a 111.222.111.222
of the rogue device.
That will give you the mac address, workgroup and computer name.

Get a console on the device that is the default router for the rogue device.

run this command.
show mac-address-table | inc aabb
(where aabb is the last 4 digits of the mac address)

This will tell you on which interface the switch/router sees the rogue device. Determine if the rogue is directly connected to the switch or connected to a downstream switch. You can use CDP "sh cdp neighbors" or "sh cdp n detail" to determine the name/ip of the downstream switch.
Go the downstream switch and run
show mac-address-table | inc aabb

you can paste something like this from notepad to speed the process

password
en
enablepassword
show mac-address-table | inc aabb

If you know the layout of your network, this process can be quite quick. Or, if you have the connections documented in the interface descriptions that also helps.
 
Thanks for the advice! I'll follow these instructions and let you know what I come up with.

Chris
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top