How to find an IP address of a device connected to a Switch port?

As IT professionals, we have come across this problem at least once in our careers specially if you are a Network Engineer or Administrator. You need to find an IP address of a certain device connected to a physical port of a switch on the network. But you don't have any information about that host.

Well, not really! You can easily find out the MAC address of the host from the forwarding ARP or CAM table on the switch and the physical port through which this MAC address was learned. However, how do you find an IP address of the host (or one of the NICs on that host) to whom this MAC belongs? Switches don't know anything about IPs. They are layer 2 devices.

No, PING -a 255.255.255.255 or other subnet broadcast addresses won't work.

I have come across such a problem several times and this time I decided I would put this procedure on my blog so next time there is a place I can find these instructions or anyone else who is interested can also look it up here. After all such situations don't arise very everyday.

So I thought there has to be a tool or command that would give me the IP address of the device connected to a port. At the time, I was working with Cisco 3750 and Windows 2003. I searched all over the web only to find out that there is no tool or command that could help me with this problem.

Of course, if you know the IP it is very easy to find the MAC but not as easy the other way around.

After scratching my head for several minutes I realized that IP to MAC entries are stored in ARP cache when 2 hosts communicate with each other and I already have the MAC address of the host that was connected to the port on the switch from CAM table. So why don't I log into one of the machines that I know the IP address of and sweep the segment (or VLAN) using an ICMP sweeper. This will build up IP to MAC mappings in the ARP cache on the host I remotely connected to. Then all I have to do is simply find the MAC from the switch's forwarding CAM table and compare it against ARP cache entries. Bingo! there was the IP address of the host connected to the switch port.

Don't worry. I am going to explain the whole process step by step and how I came to use this useful trick to solve my problem. While in my example I am using Windows 2003 and Cisco 3750 Catalyst Switch, this procedure should work with any OS and switch vendor assuming you know the necessary commands and functions to achieve the results.

Here is what you will need: Windows 20003, Cisco Switch, ICMP (PING) Sweeper program

1) Run the following command on the switch to which the host is connected: sh mac address-table

2) Find the interface or physical port (i.e. FastEthernet 1/0/34) and the corresponding MAC address that was learned via this interface.
Remember if there is NIC teaming or some sort of Load Balancing (Clustering) or VMware on the host then you may see multiple MAC addresses that were learned via this interface.

3 Connect to one of the hosts on the same VLAN or segment for which you know the IP and install a PING Sweeper program like Solarwinds PING Sweep from Engineer's Toolset suite of network tools.

4) Scan the whole segment (i.e. From 1.1.1.1 To 1.1.1.254 if netmask is /24). This will build the ARP cache on the host

5) Immediately display the arp cache in the console by running command such as, arp -a on Windows 2003 / XP.

6) Now find the MAC address from step 2 above and you should have the IP address listed.

There, you have it. You now know the IP address of the unknown device on your LAN.