Problem
Tracking down a specific host on your network through its MAC address.
tl;dr
Run this command on your central node (i.e. core router), and if required, on any relevant downstream devices (i.e. switches):
show mac address-table | include aa11.bb22.cc33
Where aa11.bb22.cc33 is the required MAC address.
Solution
Sometimes, you may have a need to isolate a specific host through its MAC. You may suddenly find your network flooded with packets originating from a single host. Or perhaps, an office PC may have gotten hacked and is attempting to hack other PCs on the same network while spoofing its IP. Your core router will keep a database of all MAC addresses on the network, whether they are connected to a switch, or directly to the router. Run the following command:
Router1> show mac address-table | include aa11.bb22.cc33
This command will show you which port the MAC address is connected to. If this port is connected directly to the host, congratulations, you've found it. If it's connected to a switch, you need to run the same command on the switch:
Switch5> show mac address-table | include aa11.bb22.cc33
Note that you are not making any configuration changes, so you do not need access to enable mode.
Sample output
Router1> show mac address-table | include 001e.6764.7e21
Router1>show mac address-table | include 001e.6764.7e21
885 001e.6764.7e21 DYNAMIC Po5
Router shows the MAC address's host is located through Port 5. There is a switch connected to port 5, so we run the command on the switch:
Switch5> show mac address-table | include 001e.6764.7e21
Switch5>show mac address-table | include 001e.6764.7e21
885 001e.6764.7e21 DYNAMIC Fa0/40
This shows the MAC address 001e.6764.7e20 is connected to FastEthernet port 40. Congratulations, you have now found the offending host computer!