When performing troubleshooting or maintenance tasks on an enterprise network, it is sometimes necessary to identify the MAC address of particular devices (hosts, other switches, other network devices) that are connected to the network.
On smaller networks, this is fairly simple to achieve. On larger networks, however, it can become a challenge.
In this article, we’ll explore how this can be done on Cisco-based networks ranging from a single switch to a larger enterprise network with several switches.
In another article, we explain how to find an IP address from a MAC address, which is also a helpful skill to master as a network administrator.
The significance of the MAC address
In the vast world of networking, every device has a unique identity known as the Media Access Control (MAC) address.
This hardware address is hardwired into every Ethernet NIC (Network Interface Card) and is used to ensure that data packets reach the correct device.
Switches and MAC addresses
For network administrators managing Cisco switches, the ability to identify the MAC address of a device connected to a particular port can be invaluable.
Switches create what is known as a MAC address table, which is a vital component of Layer 2 switching on Ethernet networks.
Sometimes called the CAM (Content Addressable Memory) table, due to the type of memory it uses to store its information, the MAC address table allows the switch to efficiently forward frames based on MAC addresses, ensuring that frames are delivered only to the intended recipient.
Purpose of the MAC address table
The primary purpose of the MAC address table is to maintain a mapping between MAC addresses and the corresponding switch ports where devices are connected.
This ensures that Ethernet frames are forwarded to the appropriate port, minimizing unnecessary network traffic and ensuring efficient use of bandwidth.
How is the MAC address table populated?
When a switch receives an Ethernet frame on one of its ports, it examines the source MAC address of that frame.
If the address is not already in the MAC address table, the switch adds an entry for that MAC address, associating it with the port on which the frame was received. This process is called dynamic learning.
Each entry in the MAC address table has an aging time. If the switch doesn’t detect a frame from a particular MAC address within that aging time, which by default on a Cisco switch is 300 seconds, or five minutes, it will remove that address from the table. This ensures that the table remains updated and doesn’t store stale or outdated entries.
It is also possible, although much less common, to statically assign a MAC address to a particular port in the MAC address table. This is called a static MAC address table entry, and such entries never expire.
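The learning and aging behavior described above can be modeled in a few lines. This is an added example, not code from the original article or from Cisco; the class and function names are hypothetical, and the model is deliberately simplified (one table, time passed in as a number of seconds).

```python
# Simplified model of a switch MAC address table (illustrative only).
AGING_TIME = 300  # seconds; the Cisco default stated above


class MacTable:
    def __init__(self, aging_time=AGING_TIME):
        self.aging_time = aging_time
        self.entries = {}  # (vlan, mac) -> {"port", "type", "last_seen"}

    def add_static(self, vlan, mac, port):
        """Administrator-configured entry; it is never aged out."""
        self.entries[(vlan, mac)] = {"port": port, "type": "STATIC", "last_seen": None}

    def learn(self, vlan, src_mac, port, now):
        """Called for every received frame: record or refresh the source MAC."""
        entry = self.entries.get((vlan, src_mac))
        if entry and entry["type"] == "STATIC":
            return  # in this model, dynamic learning never overwrites a static entry
        self.entries[(vlan, src_mac)] = {"port": port, "type": "DYNAMIC", "last_seen": now}

    def age_out(self, now):
        """Remove dynamic entries that were not refreshed within the aging time."""
        stale = [key for key, e in self.entries.items()
                 if e["type"] == "DYNAMIC" and now - e["last_seen"] >= self.aging_time]
        for key in stale:
            del self.entries[key]
        return stale

    def lookup(self, vlan, mac):
        entry = self.entries.get((vlan, mac))
        return entry["port"] if entry else None


def demo():
    table = MacTable()
    table.add_static(20, "00b2.c3d4.e5f6", "Fa0/2")
    table.learn(10, "00a1.b2c3.d4e5", "Fa0/1", now=0)    # first frame: entry learned
    table.learn(10, "00a1.b2c3.d4e5", "Fa0/1", now=200)  # later frame: timer refreshed
    table.age_out(now=400)                                # idle for 200 s: entry kept
    kept = table.lookup(10, "00a1.b2c3.d4e5")
    table.age_out(now=500)                                # idle for 300 s: entry removed
    return kept, table.lookup(10, "00a1.b2c3.d4e5"), table.lookup(20, "00b2.c3d4.e5f6")


if __name__ == "__main__":
    print(demo())
```

A host that has been silent for longer than the aging time will therefore be missing from the table even though it is still plugged in.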
Finding a device with a particular MAC (show mac address-table command)
There are times when you learn a particular MAC address of a device, and you want to find out to which switchport that device is connected.
You may learn the MAC address from various sources, such as from a DHCP server, from the operating system (such as Windows) of the host, or from a sticker or label on the device itself. Assuming you know that MAC address, you can then begin the search for the port on which that device is connected.
Simple topologies
For topologies with a single switch, this is relatively simple. Using the “show mac address-table” command, you can display the contents of the current MAC address table. Sample output is shown here:
Switch# show mac address-table
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
10      00a1.b2c3.d4e5    DYNAMIC    Fa0/1
20      00b2.c3d4.e5f6    STATIC     Fa0/2
Here’s what each column represents:
- Vlan: If the corresponding port is an access port, then the VLAN ID number indicated here matches the configured VLAN on that port. If it is a trunk, then this column indicates the specific VLAN ID with which the MAC address is associated.
- Mac Address: The MAC address of the device connected to the port.
- Type: The type of MAC address entry, either static or dynamic.
- Ports: The specific port on which the mentioned MAC address has been detected.
From this output, you can determine to which port a particular host with a specific MAC address is directly connected.
More complex topologies
What happens if you have multiple switches, and the host you’re looking for is not directly connected to the local switch? Take a look at this topology:
Let’s say that this is part of a larger enterprise topology with dozens of switches. We are given access to the CLI of SW1 and we are given the MAC address of PC1 by a technician sitting at the PC.
The MAC address is 00a1.b2c3.0001, but we don’t know to which switch it is connected. To find out, we can use the show mac address-table command on SW1, and we may see something like this:
SW1# show mac address-table
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
5       00a1.b2c3.0001    DYNAMIC    Gi0/1
6       00a1.b2c3.0002    DYNAMIC    Gi0/1
7       00a1.b2c3.0003    DYNAMIC    Gi0/1
5       00a1.b2c3.0004    DYNAMIC    Gi0/2
6       00a1.b2c3.0005    DYNAMIC    Gi0/3
7       00a1.b2c3.0006    DYNAMIC    Gi0/4
We notice that the MAC address we’re looking for appears on Gi0/1. Looking at the topology, we see that this is a trunk port, and this is confirmed by the fact that we can see multiple MAC addresses corresponding to this single port.
This makes sense because all of the hosts on SW2 will have their frames enter SW1 via Gi0/1, and SW1 populates its MAC address table with their source addresses as those frames arrive on that port.
Once we determine this, we can then go to SW2, which is connected to our trunk port of Gi0/1 and perform the same command.
We can keep doing this until we ultimately find the switch to which our PC1 is directly connected on an access port. In this case, if we issue the same command on SW2, we determine that it is indeed connected to an access port:
SW2# show mac address-table dynamic address 00a1.b2c3.0001
Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
5       00a1.b2c3.0001    DYNAMIC    Gi0/2
The above command, with the extra keywords specifying the MAC address we’re looking for, displays only that address, and we can see that it is connected to Gi0/2. Further examination of the configuration shows that it is an access port.
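The hop-by-hop search described above can be automated once the table output of each switch has been collected. The following is an added example, not part of the original article: the outputs are constructed samples modeled on the listings above, and the UPLINKS map (including SW2's uplink port) is an assumption standing in for the topology diagram.

```python
import re

# Constructed "show mac address-table" outputs modeled on the listings above.
OUTPUTS = {
    "SW1": """Vlan Mac Address Type Ports
---- ----------- -------- -----
5 00a1.b2c3.0001 DYNAMIC Gi0/1
6 00a1.b2c3.0002 DYNAMIC Gi0/1
5 00a1.b2c3.0004 DYNAMIC Gi0/2""",
    "SW2": """Vlan Mac Address Type Ports
---- ----------- -------- -----
5 00a1.b2c3.0001 DYNAMIC Gi0/2
6 00a1.b2c3.0002 DYNAMIC Gi0/3""",
}
# Assumed inter-switch links, e.g. read off the diagram: (switch, port) -> neighbor.
UPLINKS = {("SW1", "Gi0/1"): "SW2", ("SW2", "Gi0/1"): "SW1"}

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return one dict per table row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac.lower(), "type": kind.upper(), "port": port})
    return rows


def trace_mac(mac, start, outputs=OUTPUTS, uplinks=UPLINKS):
    """Follow a MAC from switch to switch; return (path, edge_port or None)."""
    mac, path, switch, visited = mac.lower(), [], start, set()
    while switch not in visited:
        visited.add(switch)
        hit = next((r for r in parse_mac_table(outputs.get(switch, "")) if r["mac"] == mac), None)
        if hit is None:
            return path, None        # not in this table: aged out or never seen here
        path.append((switch, hit["port"]))
        neighbor = uplinks.get((switch, hit["port"]))
        if neighbor is None:
            return path, path[-1]    # port is not an uplink: the device attaches here
        switch = neighbor
    return path, None                # uplink data loops back on itself; stop


if __name__ == "__main__":
    print(trace_mac("00A1.B2C3.0001", "SW1"))
```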
The Practical Importance of Finding a MAC
Determining to what port a particular MAC address is connected on a Cisco switch provides several advantages, some of which are listed below:
- Security and Network Policy Enforcement: MAC addresses can be used to implement security policies. For example, only devices with certain MAC addresses might be allowed on a particular VLAN or network segment.
- Troubleshooting: It aids in diagnosing connectivity or configuration issues. By knowing which device is connected where, network admins can better pinpoint issues and resolve them faster.
- Inventory and Asset Tracking: Network administrators can keep track of devices connected to the network, which is essential for larger organizations with many devices.
Vendor Identification Through OUI
There is one more important aspect of this procedure that can be helpful when identifying devices using their MAC addresses.
The MAC address isn’t just a random string of numbers and letters. The first three octets, or the first six hex digits, known as the Organizationally Unique Identifier (OUI), indicate the manufacturer of the device.
By looking up the OUI, one can determine the vendor of the device. This can be particularly helpful in environments where unknown devices are detected, or when there is a need to standardize equipment. Some examples of well-known OUIs include:
- Cisco Systems: 00-40-96, 00-1E-13, 00-1D-45, 00-1B-D5
- Hewlett-Packard (HP): 00-50-8B, 00-60-B0, 00-80-5F, 3C-D9-2B
- Apple Inc.: 00-03-93, 00-16-CB, 00-1A-63, 00-1F-F3
- Intel Corporation: 00-02-B3, 00-08-C7, 00-0E-0C, 00-1B-77
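Extracting the OUI from an address copied out of a switch, as an added example that is not part of the original article: it accepts the Cisco dotted format as well as colon and hyphen notation and looks the prefix up in the short list above. It goes slightly beyond the text by also checking the two flag bits of the first octet defined by IEEE 802, because a group address or a locally administered (software-assigned) address carries no meaningful vendor prefix; the function names are hypothetical.

```python
import re

# OUIs copied from the list above; a real lookup would use the full IEEE registry.
KNOWN_OUIS = {
    **dict.fromkeys(["00-40-96", "00-1E-13", "00-1D-45", "00-1B-D5"], "Cisco Systems"),
    **dict.fromkeys(["00-50-8B", "00-60-B0", "00-80-5F", "3C-D9-2B"], "Hewlett-Packard (HP)"),
    **dict.fromkeys(["00-03-93", "00-16-CB", "00-1A-63", "00-1F-F3"], "Apple Inc."),
    **dict.fromkeys(["00-02-B3", "00-08-C7", "00-0E-0C", "00-1B-77"], "Intel Corporation"),
}


def normalize(mac):
    """Accept 0040.96aa.bbcc, 00:40:96:aa:bb:cc or 00-40-96-AA-BB-CC; return 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def describe(mac):
    """Return the OUI, the vendor (if listed) and the kind of address."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    oui = "-".join(digits[i:i + 2] for i in (0, 2, 4))
    if first_octet & 0x01:
        # Least significant bit set: group (multicast or broadcast) address.
        return {"oui": oui, "vendor": None, "kind": "group"}
    if first_octet & 0x02:
        # Second bit set: locally administered, i.e. assigned in software.
        return {"oui": oui, "vendor": None, "kind": "locally administered"}
    return {"oui": oui, "vendor": KNOWN_OUIS.get(oui), "kind": "universally administered"}


if __name__ == "__main__":
    # Constructed sample addresses in three common notations.
    for sample in ("0040.96aa.bbcc", "3c:d9:2b:01:02:03", "02-00-00-00-00-01"):
        print(sample, describe(sample))
```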
Conclusion
Locating a device’s MAC address on a Cisco switch port is a fundamental skill for network administrators. Whether you’re enforcing security measures, troubleshooting an issue, or tracking assets, understanding the show mac address-table command and its output is essential.