Rogue computer on network (again)

Ok, I have the MAC address of a rogue computer on the network. I went into my switch to find its physical location. This is what it said :

2980_21:       sh cam 00-0F-1F-16-D2-3A
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-0f-1f-16-d2-3a             3/33 [ALL]
Total Matching CAM Entries Displayed = 1

What does the 3/33 mean and how can I find the physical location of this port on my switch? (We have 3 switches here)

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


What switch hardware are you using? Is the switch modular? In that case it means port 33 in slot 3. Or are you using a stacked switch? Then it is port 33 in switch 3.

Regards Jimmy

dissolvedAuthor Commented:
Sorry for the dumb question. But what is a modular switch and what is a stacked switch?   We have l 2 switches for every floor. They are 2980g or 2948 switches.   I'm not sure which one he is plugged into..... (i'm a newb)
What I would do is a " show cdp neighbors" to make sure that that port isn't connected to another Cisco switch, or router, and if nothing showed up on the list as being connected to that port, I'd shut it down and wait for the inevitable call to come about the network being down in some ones office.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

dissolvedAuthor Commented:
Switch 1 (1st floor)
-1st floor users plug into this switch

Switch  2 (2nd floor)
-2nd floor users plug into this switch

Switch  3 (3rd floor)
-3rd floor users plug into this switch

Core switch (basement)

Switch 1, 2, and 3 are all connected to the core switch (via fiber).  
The rogue PC is plugged into one of the switches. Which, I dont know

I did a sh cdp neighbors and it showed:
dhsscat2980_21 sh cdp neighbors
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port     Device-ID                       Port-ID                   Platform
-------- ------------------------------- ------------------------- ------------
 3/33    JAB0508074P(DPHCAT4000)         3/1                       WS-C4006

and when I do a sh cam  rogue_mac_address

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
22    00-0f-1f-16-d2-3a             3/33 [ALL]
Total Matching CAM Entries Displayed = 1

Why is it showing them on the same port?
This is how you trace it through mutiple switchs.

<starting switch>

6509> (enable) sh cam 00-E0-18-05-A9-9E
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
1     00-e0-18-05-a9-9e             5/7 [ALL]
Total Matching CAM Entries Displayed = 1

<now I know it's on this port so I will check to see if it's connected to another switch>

6509> (enable) sh cdp neighbors 5/7 detail
Port (Our Port): 5/7
Device-ID: office
Device Addresses:
  IP Address:
Holdtime: 174 sec
  Cisco Internetwork Operating System Software
  IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE
  Copyright (c) 1986-1999 by cisco Systems, Inc.
  Compiled Fri 10-Dec-99 11:16 by cchang
Platform: cisco WS-C3548-XL
Port-ID (Port on Neighbors's Device): GigabitEthernet0/2
VTP Management Domain: Terra
Native VLAN: unknown
Duplex: full

<now you have the IP address of the next switch to check>

Just keep following this procedure until you get to the switch where there isn’t another switch on the end of the port and you have found them.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dissolvedAuthor Commented:
Finally it makes sense. what was happening, is that I kept tracing the MAC back to the core switch.  I would stop there. But I decidedto go into the core switch and did the sh cam rogue_mac.  It directed me to the ACTUAL switch the user was on

I then telnetted to the actual switch and did a sh cam and it worked.

 I was running around in circles for hours.  Ironically, the rogue computer went offline 10 minutes before I figured out (with your help) to do all of this stuff. :sigh:

Thanks a lot though!  I'm definitely going to get them next time. Set an SNMP trap :)
Now you know what port they are on, you should be able to trace it down to the physical location that they are connecting to the network at. Hopefully your wiring is documented, or else you will have to physically trace the wire coming from that port to the jack, which in a large building can be a real hassle, but once you find that out, when they reappear, you can be standing behind them so fast they won’t have a clue as to how you found them so quickly. By the way, when you have a core switch, it’s the best place to start tracing someone down since everything is connected there.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.