Presentation
The ability to know when new devices are added to your network, inventory those devices, and locate them is one of the best controls to implement for network security. This guide will go through the process of how I locate unknown and newly discovered devices on my network.
Prerequisites
You will need access to managed switches to locate devices that you discover on your network. You will also need a way to actively scan your network. The best free way to scan your network is with nmap, but this can be time-consuming. I prefer to go with an active network scanner such as Nessus and/or a passive network scanner like Nessus Network Monitor.
Nessus Scanning
If your company has funds for security products, I highly suggest purchasing Tenable's Nessus products for both passive and active scanning. Please refer to Tenable's website to set up these scanners.
Physically Locating Devices
When I find devices on my network that are not in inventory or are discovered as new devices with passive scanners, I like to go directly to my core switches and search for MAC addresses. Nessus Network Monitor is excellent at giving you the MAC address of newly discovered devices. On my core switch I use the command below.
CoreSW# show mac address-table address 6c:62:xx:xx:xx:xx
Vlan    Mac Address          Type       Ports
----    -----------          --------   -----
 100    6c:62:xx:xx:xx:xx    DYNAMIC    Te1/1/2
Total Mac Addresses for this criterion: 1
From this information you can then find out which device is connected to that port by executing the command below.
CoreSW# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Stack.xxxxxxxx.com
                 Ten 1/1/2         165             R S I  WS-C3850- Ten 1/0/8
From this information you would then go to the device that is listed as being connected to our CoreSW on Te1/1/2, which is the Stack.xxxxxx.com device. Repeat these steps until you have a specific port that the device is connected to.
Once the end device is found, you can locate it by shutting down the port and finding the device that is no longer connected, or by tracing out the cable.
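The lookup-and-hop loop described above can be scripted once the two command outputs are collected from each switch. The following is an added example, not part of the original guide: it parses saved `show mac address-table` and `show cdp neighbors` text and follows the MAC from switch to switch. The hostnames, MAC address and outputs are constructed sample data, and the function names are hypothetical.

```python
import re

IFACE = re.compile(r"\b([A-Za-z]{2,4})\s?(\d+(?:/\d+)+)")

def norm_if(name):
    # 'Te1/1/2' (MAC table) and 'Ten 1/1/2' (CDP) both become 'te1/1/2'
    m = IFACE.search(name)
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.lower()

def norm_mac(mac):
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def port_for_mac(mac, mac_table):
    # Returns the port a MAC was learned on, or None if it is not in the table
    for f in map(str.split, mac_table.splitlines()):
        if len(f) >= 4 and f[0].isdigit() and norm_mac(f[1]) == norm_mac(mac):
            return f[3]

def cdp_neighbors(cdp):
    # local interface -> neighbor Device ID; a long Device ID wraps onto its own line
    out, pending = {}, None
    for line in cdp.split("Port ID", 1)[-1].splitlines():
        hits = list(IFACE.finditer(line))
        if len(hits) >= 2:
            out[norm_if(hits[0].group(0))] = line[:hits[0].start()].strip() or pending
            pending = None
        elif line.strip():
            pending = line.strip()
    return out

def trace(mac, start, outputs):
    # Repeat the lookup switch by switch until the port has no CDP neighbor
    path, switch = [], start
    while switch in outputs and switch not in dict(path):
        mac_table, cdp = outputs[switch]
        port = port_for_mac(mac, mac_table)
        if port is None:
            break
        path.append((switch, port))
        switch = cdp_neighbors(cdp).get(norm_if(port))
    return path

# Constructed sample output (hostnames and MAC are made up)
MAC = "02:00:5e:10:00:01"
OUTPUTS = {
    "CoreSW": ("100 02:00:5e:10:00:01 DYNAMIC Te1/1/2",
               "Device ID Local Intrfce Holdtme Capability Platform Port ID\n"
               "Stack.example.test\n Ten 1/1/2 165 R S I WS-C3850- Ten 1/0/8"),
    "Stack.example.test": ("100 0200.5e10.0001 DYNAMIC Gi1/0/14",
               "Device ID Local Intrfce Holdtme Capability Platform Port ID\n"
               "CoreSW\n Ten 1/0/8 170 R S I WS-C3850- Ten 1/1/2"),
}
print(trace(MAC, "CoreSW", OUTPUTS))
```

The last entry in the returned path is the candidate edge port. A port with no CDP neighbor can still lead to an unmanaged switch or another device that does not speak CDP, so several MAC addresses learned on that port mean the trace is not finished.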