Jan 12, 2011

How to trace a MAC address

Traceroute is a tool for discovering the route taken by packets across an Internet Protocol (IP) network and for measuring the transit time to each hop along it.

Traceroute sends a sequence of probe packets (ICMP Echo Requests on Windows, UDP datagrams by default on most Unix-like systems) addressed to the destination host, starting with an IP time-to-live (TTL) of 1 and increasing it by one for each round. Every router on the path decrements the TTL and discards the packet when the value reaches zero, returning an ICMP error message (ICMP Time Exceeded) to the sender; the source address of that error identifies the router at that hop.
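As an added example (not code from the original post), here is a pure-Python model of the TTL mechanism just described. A constructed three-router path (the addresses and function names are assumptions) decrements the TTL of each UDP probe and answers with an ICMP Time Exceeded message; the client side parses that message, verifies the ICMP checksum, and matches the quoted UDP destination port back to the probe it sent. It builds the packets in memory, so it runs offline without raw sockets or root.

```python
"""Model of traceroute's TTL probing and of ICMP Time Exceeded parsing.

Added example, not from the original page. The topology below is
constructed; the packet formats (RFC 791 IPv4, RFC 792 ICMP) are real.
"""
import struct
from socket import inet_aton, inet_ntoa

PROBER = "10.0.0.2"                                    # assumed addresses
TARGET = "198.51.100.7"
ROUTERS = ["10.0.0.1", "172.16.0.1", "198.51.100.1"]   # path order, constructed
BASE_PORT = 33434                                      # classic traceroute UDP port base


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (0 means valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(ttl, hop):
    """UDP probe as sent by traceroute: TTL = hop, destination port = base + hop."""
    udp = struct.pack("!HHHH", 40000, BASE_PORT + hop, 8, 0)
    return ipv4_header(PROBER, TARGET, 17, ttl, len(udp)) + udp


def time_exceeded(router, expired):
    """Router reply when TTL hits zero: ICMP type 11, code 0, quoting the
    expired IP header plus the first 8 bytes of its payload (the UDP header)."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + expired[:20 + 8]
    return ipv4_header(router, PROBER, 1, 64, len(icmp)) + \
        icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


def forward(packet, routers):
    """Simulate the path: each router decrements TTL and discards at zero.
    Returns the ICMP error, or None when the probe reaches the destination."""
    ttl = packet[8]
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return time_exceeded(router, packet)
    return None


def parse_time_exceeded(packet):
    """Decode an ICMP Time Exceeded reply and recover which probe it answers."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4/ICMP packet")
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != 11:
        raise ValueError("ICMP type %d is not Time Exceeded" % icmp[0])
    inner = icmp[8:]                           # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < inner_ihl + 8:
        raise ValueError("quoted datagram is not UDP or is truncated")
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {"router": inet_ntoa(packet[12:16]),     # who sent the error
            "probe_dst": inet_ntoa(inner[16:20]),   # where the probe was going
            "hop": dport - BASE_PORT}               # which probe this answers


def traceroute(routers, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and collect the routers that answer."""
    hops = []
    for hop in range(1, max_hops + 1):
        reply = forward(udp_probe(hop, hop), routers)
        if reply is None:
            break                                  # destination reached
        info = parse_time_exceeded(reply)
        if info["hop"] != hop:
            raise ValueError("reply does not match the outstanding probe")
        hops.append(info["router"])
    return hops


if __name__ == "__main__":
    for n, router in enumerate(traceroute(ROUTERS), 1):
        print(n, router)
```

Matching replies to probes through the quoted destination port is what lets a real traceroute tolerate late or out-of-order answers; a reply whose quoted port does not belong to an outstanding probe is ignored rather than trusted.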

In a data center it is often necessary to find where a host is attached and which Layer 2 path leads to it. For this, Cisco IOS provides a useful tool: traceroute mac.

The traceroute mac command shows the Layer 2 path when the specified source and destination addresses belong to the same VLAN. If you specify source and destination addresses in different VLANs, the Layer 2 path is not identified and an error message appears.

Look at the example below to understand how this feature works. Suppose you have two hosts (192.168.0.4 and 192.168.0.6) and you want to find the Layer 2 path between them from the Ciscozine-SW1 switch.

[Figure: How to trace a MAC address (network topology)]

Below are the MAC address table and the ARP table of the Ciscozine-SW1 switch:

Ciscozine-SW1#sh mac-address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000e.d7e3.0880    DYNAMIC     Fa0/1
   1    000e.d7e3.0881    DYNAMIC     Fa0/1
   1    0014.a968.f0b1    DYNAMIC     Fa0/48
   1    0019.9955.0f60    DYNAMIC     Fa0/21
   1    0026.22eb.3bef    DYNAMIC     Fa0/1
   1    00a0.6011.aa0b    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 6
Ciscozine-SW1#
Ciscozine-SW1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1            65   0014.a968.f0b1  ARPA   Vlan1
Internet  192.168.0.4             0   00a0.6011.aa0b  ARPA   Vlan1
Internet  192.168.0.5             1   0026.22eb.3bef  ARPA   Vlan1
Internet  192.168.0.6             1   0019.9955.0f60  ARPA   Vlan1
Internet  192.168.0.253           -   000e.d7d0.cd80  ARPA   Vlan1
Internet  192.168.0.254          69   000e.d7e3.0880  ARPA   Vlan1
Ciscozine-SW1#
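The two tables above already contain what the switch needs for the IP-based form of the command: an IP is resolved to a MAC through ARP, and the MAC to a VLAN and port through the forwarding table. As an added example (not code from the original post or from Cisco IOS), the following script parses exactly these two outputs, copied from the page, and performs that join locally; the function names are my own. It also builds the "where is every MAC" inventory that one of the commenters asks for, which traceroute mac by itself cannot produce.

```python
"""Join 'show mac address-table' with 'show ip arp' to locate hosts.

Added example, not from the original page or from Cisco IOS. The two
outputs below are copied from the page (Ciscozine-SW1).
"""
import re
from collections import defaultdict

MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000e.d7e3.0880    DYNAMIC     Fa0/1
   1    000e.d7e3.0881    DYNAMIC     Fa0/1
   1    0014.a968.f0b1    DYNAMIC     Fa0/48
   1    0019.9955.0f60    DYNAMIC     Fa0/21
   1    0026.22eb.3bef    DYNAMIC     Fa0/1
   1    00a0.6011.aa0b    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 6
"""

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1            65   0014.a968.f0b1  ARPA   Vlan1
Internet  192.168.0.4             0   00a0.6011.aa0b  ARPA   Vlan1
Internet  192.168.0.5             1   0026.22eb.3bef  ARPA   Vlan1
Internet  192.168.0.6             1   0019.9955.0f60  ARPA   Vlan1
Internet  192.168.0.253           -   000e.d7d0.cd80  ARPA   Vlan1
Internet  192.168.0.254          69   000e.d7e3.0880  ARPA   Vlan1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_RE = re.compile(r"^\s*(\d+)\s+(%s)\s+(\S+)\s+(\S+)\s*$" % MAC, re.I)
ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(%s)\s+\S+\s+(\S+)" % MAC, re.I)


def parse_mac_table(text):
    """MAC -> {vlan, type, port} from 'show mac address-table'."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[mac.lower()] = {"vlan": int(vlan), "type": kind, "port": port}
    return table


def parse_arp_table(text):
    """IP -> {mac, age, interface} from 'show ip arp'; age '-' is the switch's own address."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            arp[ip] = {"mac": mac.lower(), "age": None if age == "-" else int(age),
                       "interface": iface}
    return arp


def locate(ip, arp, macs):
    """Resolve an IP to the local port its MAC was learned on.
    Returns None when there is no ARP entry (the switch would have to ARP for
    it first, and the 'traceroute mac ip' form fails if that does not resolve);
    port is None when ARP knows the MAC but the forwarding table does not
    (here: the switch's own SVI address 192.168.0.253)."""
    entry = arp.get(ip)
    if entry is None:
        return None
    fwd = macs.get(entry["mac"])
    return {"ip": ip, "mac": entry["mac"],
            "vlan": fwd["vlan"] if fwd else None,
            "port": fwd["port"] if fwd else None}


def inventory(arp, macs):
    """One row per learned MAC with its IP when ARP knows it, sorted by port."""
    ip_of = {v["mac"]: ip for ip, v in arp.items()}
    rows = [{"port": f["port"], "vlan": f["vlan"], "mac": mac, "ip": ip_of.get(mac)}
            for mac, f in macs.items()]
    return sorted(rows, key=lambda r: (r["port"], r["mac"]))


def macs_per_port(macs):
    """Count MACs per port; a port with several MACs is an uplink (or a hub),
    not a single host, and a trace leaves this switch through it."""
    counts = defaultdict(int)
    for f in macs.values():
        counts[f["port"]] += 1
    return dict(counts)


if __name__ == "__main__":
    macs, arp = parse_mac_table(MAC_TABLE), parse_arp_table(ARP_TABLE)
    for row in inventory(arp, macs):
        print("%-7s vlan %-3d %s  %s" % (row["port"], row["vlan"], row["mac"], row["ip"] or "-"))
```

On this data the inventory shows four MACs behind Fa0/1, which is therefore the uplink towards Ciscozine-SW2, and that is exactly where the trace to 192.168.0.4 exits in the output that follows.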

You have two options to find the path between two hosts:

  1. Trace using the MAC address
  2. Trace using the IP address

In the first case, give the source MAC address followed by the destination MAC address, here from 192.168.0.6 to 192.168.0.4: ‘traceroute mac 0019.9955.0f60 00a0.6011.aa0b’

Ciscozine-SW1#traceroute mac 0019.9955.0f60 00a0.6011.aa0b
Source 0019.9955.0f60 found on Ciscozine-SW1
1 Ciscozine-SW1 (192.168.0.253) : Fa0/21 => Fa0/1
2 Ciscozine-SW2 (192.168.0.254) : Fa0/1 => Fa0/27
Destination 00a0.6011.aa0b found on Ciscozine-SW2
Layer 2 trace completed
Ciscozine-SW1#

In the second case, give the source and destination IP addresses instead: ‘traceroute mac ip 192.168.0.4 192.168.0.6’

Ciscozine-SW1#traceroute mac ip 192.168.0.4 192.168.0.6
Translating IP to mac .....
192.168.0.4 => 00a0.6011.aa0b
192.168.0.6 => 0019.9955.0f60

Source 00a0.6011.aa0b found on Ciscozine-SW2
1 Ciscozine-SW2 (192.168.0.254) : Fa0/27 => Fa0/1
2 Ciscozine-SW1 (192.168.0.253) : Fa0/1 => Fa0/21
Destination 0019.9955.0f60 found on Ciscozine-SW1
Layer 2 trace completed
Ciscozine-SW1#

… and for more detail about the trace (the platform of each switch and the speed/duplex setting of each port), use the ‘detail’ option:

Ciscozine-SW1#traceroute mac ip 192.168.0.4 192.168.0.6 detail
Translating IP to mac .....
192.168.0.4 => 00a0.6011.aa0b
192.168.0.6 => 0019.9955.0f60

Source not directly connected, tracing source .....
Source 00a0.6011.aa0b found on Ciscozine-SW2[WS-C3550-48] (192.168.0.254)
1 Ciscozine-SW2 / WS-C3550-48 / 192.168.0.254 :
Fa0/27 [auto, auto] => Fa0/1 [auto, auto]
2 Ciscozine-SW1 / WS-C3550-48 / 192.168.0.253 :
Fa0/1 [auto, auto] => Fa0/21 [auto, auto]
Destination 0019.9955.0f60 found on Ciscozine-SW1[WS-C3550-48] (192.168.0.253)
Layer 2 trace completed.
Ciscozine-SW1#
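Anyone scripting this command (one of the commenters below did) needs to turn the three output formats above into data and to recognise a failed trace. As an added example (not code from the original post or from Cisco), the following parser handles the plain, IP-translated and detail forms, using the outputs copied from this page as samples, plus a constructed failure sample built from the "invalid source/destination ip address" message quoted in the comments. The function names are my own.

```python
"""Parse 'traceroute mac' / 'traceroute mac ip [detail]' output into hops.

Added example, not from the original page or from Cisco. TRACE_PLAIN and
TRACE_DETAIL are copied from the page; TRACE_FAILED is constructed.
"""
import re

TRACE_PLAIN = """\
Source 0019.9955.0f60 found on Ciscozine-SW1
1 Ciscozine-SW1 (192.168.0.253) : Fa0/21 => Fa0/1
2 Ciscozine-SW2 (192.168.0.254) : Fa0/1 => Fa0/27
Destination 00a0.6011.aa0b found on Ciscozine-SW2
Layer 2 trace completed
Ciscozine-SW1#
"""

TRACE_DETAIL = """\
Translating IP to mac .....
192.168.0.4 => 00a0.6011.aa0b
192.168.0.6 => 0019.9955.0f60

Source not directly connected, tracing source .....
Source 00a0.6011.aa0b found on Ciscozine-SW2[WS-C3550-48] (192.168.0.254)
1 Ciscozine-SW2 / WS-C3550-48 / 192.168.0.254 :
Fa0/27 [auto, auto] => Fa0/1 [auto, auto]
2 Ciscozine-SW1 / WS-C3550-48 / 192.168.0.253 :
Fa0/1 [auto, auto] => Fa0/21 [auto, auto]
Destination 0019.9955.0f60 found on Ciscozine-SW1[WS-C3550-48] (192.168.0.253)
Layer 2 trace completed.
"""

TRACE_FAILED = "Invalid source/destination ip address\n"   # constructed sample

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
END_RE = re.compile(r"^(Source|Destination)\s+(%s)\s+found on\s+(\S+?)"
                    r"(?:\[([^\]]+)\])?(?:\s+\((\S+)\))?$" % MAC, re.I)
HOP_RE = re.compile(r"^(\d+)\s+(\S+)\s+\((\S+)\)\s*:\s*(\S+)\s*=>\s*(\S+)$")
HOP_DETAIL_RE = re.compile(r"^(\d+)\s+(\S+)\s+/\s+(\S+)\s+/\s+(\S+)\s*:$")
PORTS_RE = re.compile(r"^(\S+)(?:\s*\[[^\]]*\])?\s*=>\s*(\S+)(?:\s*\[[^\]]*\])?$")
XLATE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*=>\s*(%s)$" % MAC, re.I)


def parse_trace(output):
    """Return {translations, source, destination, hops, complete, errors}."""
    trace = {"translations": {}, "hops": [], "complete": False, "errors": []}
    pending = None                      # detail-format hop waiting for its port line
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith("#") or "#traceroute" in line:
            continue                    # blank lines and CLI prompts
        if pending is not None:
            m = PORTS_RE.match(line)
            if m:
                pending["in"], pending["out"] = m.groups()
                trace["hops"].append(pending)
            else:
                trace["errors"].append("no port line after hop %d" % pending["hop"])
            pending = None
            continue
        m = XLATE_RE.match(line)
        if m:
            trace["translations"][m.group(1)] = m.group(2).lower()
            continue
        m = END_RE.match(line)
        if m:
            which, mac, switch, platform, ip = m.groups()
            trace[which.lower()] = {"mac": mac.lower(), "switch": switch,
                                    "platform": platform, "ip": ip}
            continue
        m = HOP_RE.match(line)
        if m:
            n, switch, ip, pin, pout = m.groups()
            trace["hops"].append({"hop": int(n), "switch": switch, "ip": ip,
                                  "platform": None, "in": pin, "out": pout})
            continue
        m = HOP_DETAIL_RE.match(line)
        if m:
            n, switch, platform, ip = m.groups()
            pending = {"hop": int(n), "switch": switch, "ip": ip, "platform": platform}
            continue
        if line.startswith("Layer 2 trace completed"):
            trace["complete"] = True
            continue
        if line.lower().startswith(("translating", "source not directly")):
            continue                    # progress messages
        trace["errors"].append(line)    # anything else is an error message
    return trace


def check_trace(trace):
    """Checks a script should make before trusting the path; [] means OK."""
    problems = []
    if not trace["complete"]:
        return ["trace did not complete: " + "; ".join(trace["errors"])]
    hops = trace["hops"]
    if [h["hop"] for h in hops] != list(range(1, len(hops) + 1)):
        problems.append("hop numbering has gaps")
    if hops and "source" in trace and hops[0]["switch"] != trace["source"]["switch"]:
        problems.append("first hop is not the switch where the source was found")
    if hops and "destination" in trace and hops[-1]["switch"] != trace["destination"]["switch"]:
        problems.append("last hop is not the switch where the destination was found")
    if len(hops) >= 10:
        problems.append("path reached the feature's 10-hop limit; it may be truncated")
    return problems
```

The checks in check_trace matter because the switch keeps sending queries to neighbours that do not answer and lets them time out, so an output can look plausible while being incomplete; a trace is only usable when it says "Layer 2 trace completed" and the first and last hops are the switches on which the source and destination MACs were found.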

[Video of the example (embedded on the original page)]

Remember:

  • For Layer 2 traceroute to work, Cisco Discovery Protocol (CDP) must be enabled on all the switches in the path, so do not disable CDP on the inter-switch links where you need this feature. Keep in mind that CDP advertises the device name, platform, software version and management address to whatever is plugged into the port, which is useful to an attacker for reconnaissance; the usual compromise is to leave it enabled on trunk links between switches and disable it on user-facing access ports (see the discussion in the comments below).
  • When the switch detects a device in the Layer 2 path that does not support Layer 2 traceroute, the switch continues to send Layer 2 trace queries and lets them time out.
  • The maximum number of hops identified in the path is ten.
  • Layer 2 traceroute supports only unicast traffic.
  • The traceroute mac command output shows the Layer 2 path when the specified source and destination addresses belong to the same VLAN.
  • The Layer 2 traceroute feature is not supported when multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port).
  • This feature is not supported in Token Ring VLANs.
  • The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses are in the same subnet. When you specify the IP addresses, the switch uses Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
    • If an ARP entry exists for the specified IP address, the switch uses the associated MAC address and identifies the physical path.
    • If an ARP entry does not exist, the switch sends an ARP query and tries to resolve the IP address. The IP addresses must be in the same subnet. If the IP address is not resolved, the path is not identified, and an error message appears.

Comments:

  • Charlie B

    Ufff, this makes me very happy, no more copy/paste in sh mac-add | incl

  • someone

    Thanks dude, pretty helpful ^_^

  • bizkitshow

    thank you very very much :)

  • tranzitwww

    Thank you very much for this tutorial,

    I didn’t know about this, so I’ve made a script to automatically trace the switches for me…
    http://forum.gns3.net/topic3932.html?hilit=tracemac&sid=6427a209fdbe3d8c390e042b2cdcc74f

  • aleph

    Warning: CDP can be used by a malicious user for reconnaissance and network mapping..

    Only enable CDP for troubleshooting, disable it at all other times !!

  • Fabio Semperboni (http://www.linkedin.com/in/fabiosemperboni)

    In my opinion, the answer is ‘it depends’ on the type of network you must manage/implement. For instance, on trusted access switches I prefer to enable it, while on untrusted access switches (in a guest environment) I prefer to disable it.
    Obviously, in a critical network CDP must be disabled.

  • tranzitwww

    Aleph, you are right, it is a security risk, but CDP can be well configured and is recommended (by me :) to run only on trunk links between the switches and disabled on the rest of the switch ports.

    Also use a different vlan number for switch management, enable port-security, etc…

    In this way end users are what they always should be “just users doing their normal business”

  • dakitas

    I have used traceroute mac 0000.0000.000a 0000.0000.000a and CDP shows me 1 record “SW1 (ip address) : interface”; obviously the MAC address is a duplicate and therefore in the same VLAN.

    Would someone know how “traceroute mac” can find ALL MAC address locations, for ALL devices on the network, for example on a core switch, i.e. where every MAC address is located on the network, in a printable table format? Individual requests are nice, however I would like to identify ALL devices using the “traceroute mac” format to find ALL the locations of EVERY MAC address, because port-security is basically an outdated and useless means of network security and extremely painful to work with daily, given that a PC plus a VoIP phone require a maximum of 3 MAC addresses per interface.

  • shafi

    It was good information for me.
    regards

    shafi

  • Putra

    Hi Fabio,
    I just want to point out that I think you’ve mistakenly swapped the port number of SW1 and SW2 in the picture.
    Judging from CLI output, SW1 uses Fa0/21 and SW2 uses Fa0/27 for access port to the PC. But it’s the other way around on the picture.

  • Fabio Semperboni (http://www.facebook.com/fabio.semperboni)

    Yes, you are right! Thanks

  • nigussie

    When I use the traceroute mac ip ‘source ip’ ‘destination ip’ detail command, it says invalid source/destination ip address. I have checked that I could ping both IP addresses on the switch and CDP is also enabled. In addition, both source and destination hosts are in the same VLAN number.