ARP Ping first pings an IP address on your LAN with a broadcast MAC address in the ARP packet. If an ARP response packet is received from the device, it continues to ping using the unicast ARP packet (by unicast we mean the target MAC address came from the first response to our broadcast). It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected.
Ping Ip For Mac Address
As a Network Administrator/Engineer you may be asked to find MAC addresses and/or IP Addresses, hopefully this can make your job a little bit easier. These commands work on most Cisco Switches and Routers but sometimes the commands can vary from device to device.
5 Steps total
Step 1: Connect to your Cisco Devices
Ping Mac Address Cmd
Connect to the Switch/Router by using a console cable or a terminal emulator like Putty or Secure CRT. If you are successful it should look something like this.
Ping Mac Address Windows
Step 2: Find The MAC Addresses
On the layer 2 device (switch) enter the username and password if needed. Next enter 'enable' mode on the switch by typing enable. Next type the command 'show mac address-table'. If successful it should look like the picture. It's worth noting that on some Cisco devices the command 'show mac-address-table' also works.
Step 3: Find the IP Address
On the layer 3 device ( L3 switch or router) in my case I am using a router, enter the username and password if needed. Next enter 'enable' mode on the router by typing enable. Next type 'show ip arp' if done correctly you should get an output similar to the picture.
Step 4: Filtering the results on a Router
In the example I have provided there were only 9 IP addresses. However in the real world there could be dozens or even hundreds of IP addresses. To help filter the results on a router type 'show ip arp ?' You will see gigabitethernet' as an option this will let you filter results by interface or sub-interfaces. In my exmaple it typed 'sho ip arp gigabitEthernet 0/0.10' and that listed all IP's on my sub-interface.
Step 5: Filtering the results on a Layer 3 Switch
As stated in Step 4, you will likely have more than 9 IP Addresses. This can be made worse in a messy closet with a 48 port switch running the closet and maybe even some layer 2 switches under that. Luckily in addition to being able to filter by interface you can also filter by VLAN. So type in 'show ip arp ?' and you will see 'vlan' as a listed filter. As you can see I typed in 'sho ip arp vlan 20' and it listed only those IP's in vlan 20. In this case it was the vlan interface and a PC.
I hope this guide was helpful for you. If you aren't sure about something or feel like I missed a step, please let me know.
9 Comments
Ping Mac Address Command
- AnaheimGDBJNC Apr 27, 2018 at 01:15pm
Great post.
Another way to find that information is to first PING the address of the system you are looking for. Then issue:
show arp | i .This will then show you the MAC address associated with the IP address.
Then issue:
show mac address-table | iThis will give you the port that the device is currently connected.
- CayenneJim6795 Apr 27, 2018 at 01:15pm
Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.
As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp | i 0/24' will show just the MAC address(es) on that port.)
The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?
(ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)
- DatilCrimsonKidA Apr 27, 2018 at 02:04pm
Good stuff, thanks for posting this! My go-to Cisco command is: show ip interface brief (show ip int bri). Another thing I've learned that is very helpful (I'm still a noob with Cisco stuff) is tab-completion and using a '?' after the start of a command, such as 'show ?'
- CayenneEd Rubin Apr 27, 2018 at 03:09pm
Unfortunately dumping the mac table and working through it is the only way to reliably find stuff and identify its switch port. I've done a similar process with HP switches. One thing that helps a lot is an ip scanner application that does MAC vendor ID lookups for you. This can help with jim6795's problem of identifying an undocumented switch IP since you can look for the the switch maker's vendor ID and then try ssh or telnet, or http/https depending on the product.
- JalapenoTS79 Apr 27, 2018 at 06:53pm
Spiceworks has the ability to harvest this information using SNMP and will create a map showing which device is on which switchport. It must have the correct MIB installed for your switch and you must configure SNMP. The feature could use some more work but basic components are there.
- JalapenoSadTech0 Apr 27, 2018 at 08:06pm
Thanks for posting this *after* I finished a 'What's Connected Where' jihad on our network. :^D After beating Google to death over it, hoping for some useful tool, I ended up using exactly the same process (plus the online MAC address lookup to ID the device manufacturer), so I can affirm this works perfectly, if you work it.
As you can see, the 'sh arp' or 'sh ip arp' commands also give you the MAC addresses, so essentially the 'sh mac add' is only to get the port in which the device is connected. It helps to Ping the subnet's broadcast address (e.g. '10.1.1.255') to load the ARP table. (Small tip: When you see a large number of MAC addresses showing up on a single port, there's a switch on that port into which those MAC addresses are connected. If you're all Cisco, 'show cdp neighbor' (or 'sh cdp nei') will get you to the next switch. Also, 'sh ip arp | i 0/24' will show just the MAC address(es) on that port.)
The amazing thing to me is, this far into the 21st Century, this is still the only way I could find to get this information -- i.e. to find out what's connected where. Did I mention it's a *lot* of work?
(ETA: What if you can't get to the Console port? How do you get the IP address of the switch in order to SSH or (if you must) Telnet in?)
Couldn't you just use CDP? #show cdp nei detail will show you the ip of the connected devices.
- Thai PepperTaylorC Apr 27, 2018 at 08:45pm
Hey everyone thanks for the great feed back, it's really cool having this featured. @SadTech0 if you cant to the console port and you don't know the IP Address you could use a tool like angry IP scanner and find the switch that way. CDP may or may not work depending on your network configuration and/or topology. Barring some major obstruction you should try to console in get the ip and start an inventory. Hope that helps.
- Thai PepperTodd_in_Nashville Apr 30, 2018 at 12:34pm
Keep in mind, in some security minded environments, CDP may be disable if it's not needed. It's one of those things that give out unnecessary reconnaissance info to the bad guys. If one of your edge routers gets compromised, it can be used to start footprinting your internal network.
- Thai PepperJohn3367 Apr 30, 2018 at 08:51pm
Great info..
Another helpful thing you should add!
SHOW INVENTORY ---> To show the SERIAL number of the Cisco device you are on.
**I always use those commands you show to troublshoot. They are very helpful. I usually PING an IP address. then I type a 'show arp' and get its MAC address.. then I will type 'show mac-address table' which will show me which PORT the device is connected to!