Back to Basics: Network Tracing
Mathew Lastra | Senior Systems Architect
Network tracing is an extremely useful tool in any network admin's toolset. It is the basic task of using a router's or switch's CAM (MAC address) table and ARP table to trace the origin of an IP address or MAC address through a network. The methodology is vendor agnostic, but in this example we will focus on Cisco devices.
It can be used whenever you need to verify which port a computer or server is connected to, and it can be used to find routers, hubs, or smart-switch clients. It is especially useful when troubleshooting.
How to perform a trace
To perform a trace, you will utilize the following commands:
show mac address-table OR show mac-address-table
This command shows the internal MAC address table of the switch or router you are on. It gives you the MAC address and the port it was learned on (that port is important).
show arp OR show ip arp
This is used to match the IP address to the MAC address. It is most useful on a core switch or router.
show cdp neighbors OR show cdp neighbors detail OR show lldp neighbors
This command is used to find the IP address of the next-hop switch on the path to the destination IP. If CDP is disabled, you can use show arp to identify the known switch IP and trace it by its MAC address using the commands above.
The goal is to trace the path to client 1 and 2 using the CAM and ARP tables.
- First, we need some starting information, either the MAC address or the IP address. In most cases you will be given an IP address and will have to locate where it is on the network.
- Second, you always want to start at the gateway for the given address, so if you know which device holds the gateway, start there.
- If you are given a MAC address and don’t know the gateway (this could happen if you are locked out of the device), start with the device that holds the most gateways and work down from there to trace or pair the MAC address.
A basic trace
Let’s say we are looking for client 2 in the above diagram and we know that its IP address is 10.10.101.12. Here are the steps for a basic trace to locate it.
1. Log in to the core to see if the gateway is there.
a. Running the command sh ip int br | b Vlan lets us confirm that this device holds the gateway, or an interface within the client's subnet.
2. Next we use the IP address we were given to identify the MAC address of the device. This lets us trace the origin of the MAC address within the layer 2 network. To do this, we look in the ARP table for the MAC association.
a. We can use the command: sh ip arp | i 10.10.101.12
Note: If the ARP entry is not in the table, ping the device to trigger discovery and repopulate the ARP and MAC tables.
3. Next we look in the MAC address table to identify the port the MAC address was learned on.
a. We can run the following command, filtering on the last four digits of the MAC address found in the ARP table: show mac-address-table | i 6801
Note: This command will vary from IOS version to version.
4. Next we identify the switch connected via fa1/0.
a. The most common method is to use cdp or lldp commands to identify the next-hop switch.
b. We run the following command: sh cdp neighbors OR sh cdp neighbors detail (to get the switch IP address).
Note: The output above shows the local port that matches our MAC address and the port at the other end (the “Port ID”); in this case they happen to be the same port.
Next we log in to the downstream switch located on interface fa1/0.
5. Now that we have the MAC address and the IP address, we simply repeat this process until we arrive at the port where the MAC address originates.
a. We are looking for a MAC address that ends in 6801.
6. We now look into access_switch_3 and repeat the process.
Note: In this image we can see there is only one MAC address on this port, which means it is where our workstation is plugged in.
If a port is configured for workstations but has multiple MAC addresses coming from it (more than two, allowing for an IP phone), this could indicate a smart switch or hub connected at the far end, which as a best practice should be removed.
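The trace above is repetitive enough to automate. The following is an added example, not code from the article: it parses constructed IOS-style output of show ip arp, show mac address-table and show cdp neighbors for a chain of devices (the device name access_switch_1 and all addresses are assumptions), walks from the gateway hop by hop exactly as in steps 2 to 6, stops at the port with no CDP neighbour, and reports how many MAC addresses sit on that edge port so the hub/smart-switch check can be applied.

```python
import re

def norm_port(port):
    """Collapse 'Fas 1/0', 'FastEthernet1/0' and 'Fa1/0' to 'Fa1/0' (two-letter prefix)."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*\s*", r"\1", port.strip())

def arp_lookup(arp_out, ip):
    """MAC for ip from 'show ip arp' output, or None if the entry is not learned."""
    hits = re.findall(r"Internet\s+(\S+)\s+\S+\s+(\S+)", arp_out)
    return dict(hits).get(ip)

def mac_rows(mac_out):
    """(mac, port) pairs from 'show mac address-table' output; header lines are skipped."""
    rows = [l.split() for l in mac_out.splitlines()]
    return [(r[1].lower(), norm_port(r[3])) for r in rows if len(r) >= 4 and "." in r[1]]

def macs_on_port(mac_out, port):
    """All MACs learned on port; more than two on a workstation port is suspicious."""
    return [m for m, p in mac_rows(mac_out) if p == norm_port(port)]

def cdp_neighbor(cdp_out, port):
    """Device ID of the CDP neighbour on the local port, or None for an edge port."""
    rows = [r for r in map(str.split, cdp_out.splitlines()) if len(r) >= 3]
    return next((r[0] for r in rows if norm_port(r[1] + r[2]) == norm_port(port)), None)

def trace(devices, gateway, ip):
    """Walk hop by hop from the gateway device; returns [(device, port), ...]."""
    mac = arp_lookup(devices[gateway]["arp"], ip)
    if mac is None:
        raise LookupError(f"{ip} not in ARP on {gateway}: ping it and retry")
    path, dev, seen = [], gateway, set()
    while dev and dev not in seen:  # 'seen' guards against a CDP loop
        seen.add(dev)
        port = next((p for m, p in mac_rows(devices[dev]["mac"]) if m == mac.lower()), None)
        if port is None:
            raise LookupError(f"{mac} not in MAC table on {dev}")
        path.append((dev, port))
        dev = cdp_neighbor(devices[dev]["cdp"], port)  # None once we reach the edge
    return path

# Constructed sample CLI output (not from the article); header rows omitted.
DEVICES = {
    "core": {"arp": "Internet  10.10.101.12  5  0011.2233.6801  ARPA  Vlan101\n",
             "mac": " 101  0011.2233.6801  DYNAMIC  Fa1/0\n 101  0011.2233.beef  DYNAMIC  Fa1/0\n",
             "cdp": "access_switch_1  Fas 1/0  150  S I  WS-C2960  Fas 0/24\n"},
    "access_switch_1": {"mac": " 101  0011.2233.6801  DYNAMIC  Fa0/1\n 101  0011.2233.beef  DYNAMIC  Fa0/5\n",
                        "cdp": "access_switch_3  Fas 0/1  150  S I  WS-C2960  Fas 0/24\n"},
    "access_switch_3": {"mac": " 101  0011.2233.6801  DYNAMIC  Fa0/7\n", "cdp": ""},
}
```

Calling trace(DEVICES, "core", "10.10.101.12") walks core → access_switch_1 → access_switch_3 and ends on Fa0/7, where macs_on_port reports a single MAC, the expected result for a workstation port.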