Selva Sharing

                In a large enterprise environment, determining where a device is connected to the network can be a daunting task, especially when managing and troubleshooting problems from a remote location. However, with the help of a few protocols and an understanding of the switching hardware, locating a network device can be a relatively simple task. The mac address table and ARP cache are two tables that will help a network administrator locate a network element with ease. To begin, lets define what each of these tables are and what information they hold.

A MAC address is a 48 bit address in hexidecimal format the uniquely identifies a node on an Ethernet network. This address is used to send and received Ethernet frames on the particular network. In general, the MAC address is used for unicasting data streams at layer 2.

This table is located on a layer 2/3 switch and holds a mapping of mac addresses to ports on the switch. Depending on the type of port and what is plugged into it there could be one, or many MAC addresses bound to the interface. Typically, when dealing with a standard access port one or two MAC addresses depending on the type of environment. This table is used to help the switch deliver unicast data streams to the specific port bound to the particular MAC address. This behavior eases bandwidth utilization and frame processing on the Ethernet network. On a Cisco switch, a MAC address table would look like this:

ARP stands for address resolution protocol. When a network device needs to deliver an IP packet to the next hop or end station it must encapsulate the packet in an Ethernet frame. The frame must contain a destination address. This destination address is determined by inspecting the ARP cache table. If the table does not have an entry the switch or node will issue an ARP request and wait for a response from the next hop or end station. For more information on ARP, refer to RFC 826.

As stated above, this table holds IP to MAC address mappings and is located on a device that routes or switches IP packets. On a Cisco switch or router, the ARP cache table looks like this:

Notice the timers associated with each table. For the MAC address table, entries are valid for 5 minutes are Cisco devices. For the ARP cache, entries are valid for 4 hours. The timer difference here can cause known issues with packet flooding across large switched layer 2 networks. For information on tuning these timers search CCO for "ARP or CAM Table Issues Troubleshooting".

Now that we understand what the MAC address table and the ARP cache is we can begin to see how to use both tables to locate a station on a large network. To begin, assuming the IP address of the end station has been identified, connect to the local gateway serving the Ethernet. Issue the show ip arp A.B.C.D and locate the MAC address. If there is not an entry, issue a ping from the local gateway to that address and look again. After locating the MAC address, being tracing the switched path from the gateway to the station by connecting to each layer 2 switch along the path, issuing the show mac-address-table address <MAC ADDRESS> command and locating the next interface bound to the address. Eventually, the edge switch will be located and the MAC address will be bound to an access port serving the station