Discovering a Cisco Network with CDP (Part 2)

Posted on April 30, 2012 by

Part one of this two part series talked about walking out your network with CDP. This is useful when all you need to know is the topology of the network equipment its self. The next step in the process is to map out where servers or other hosts are located.

The first way of doing this would be to log onto the host, capture packets, and look for a CDP packet that indicates the switch name and port that the host is connected to. This would require packet capture software on each system and is really not practical.

The second would be to perform a L2 trace route from a cisco device. You will need two MAC addresses in order to use this utility. The syntax for the layer 2 trace route command is as follows:

traceroute mac <source mac> <destination mac>

First you will need a source mac address. I would choose the mac of the default gateway for the VLAN you would like to map out. It’s really up to you but you will want to know the physical topology that you gathered in part 1 of this tutorial as well as where this source MAC address is connected to the network. You can get this information by doing a “show interface” for the VLAN or physical interface that is configured as your default gateway.

Next, you will want the MAC address of a host you would like to locate. You can get this address a number of different ways. If you’re not sure how to find a mac address of a host I always look at the ARP table of the default gateway. You will need to know the host’s IP address to do this. If the default gateway is a cisco device you can issue a command like this:

sw-01#show arp | include 
sw-01#show arp | include 10.70.10.27
Internet  10.70.10.27              0   0015.1234.ABCD  ARPA   Vlan10

This command shows the MAC to IP address relationship as well as the VLAN the host is on.

There are many other ways to find the MAC address of a device but that discussion is outside the scope of this tutorial.

Now that you have a source and destination address you can issue the L2 trace route.

sw-01#traceroute mac 001F.1234.3214 0015.1234.ABCD
Source 001F.1234.3214 found on sw-01
1 sw-01 (10.76.1.32) : Gi1/0/1 => Gi2/1/1
2 sw-02 (10.76.1.33) : Gi0/49 => Gi0/18
Destination 0015.1234.ABCD  found on sw-02
Layer 2 trace completed

There are a few different things you will see in the output. First, the source MAC address is listed. This is the switch that the MAC address was initially learned by and is connected to. You will then see a list of switch hops that host would take in order to reach the host with the destination MAC address. Each switch in the list also has the interfaces shown that are used to connect to the destination device ultimately giving you a trace route type picture of how data is flowing through the network. This can be extremely useful particularly since the physical interfaces used in the transmission are shown. Finally, the destination MAC address is listed along with the switch it is attached to and the user is notified the trace is complete.

This entry was posted in Networking and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.