I work at a University and people are always plugging computers in where they shouldn't be. It is not uncommon to see strange MAC addresses popping up on the network, along with IP addresses, and not to know where the machine is. It has been possible to manually log into the switches and view the ARP tables, looking for it, but we have almost 20 switches so that can take a while.
The solution was to come up with some sort of script. Originally I began working at it in Perl, trying to hack Alex Dawson's hunt machine Perl script into working for me.
It didn't like me... Or our network... Or our switches.
By now I was beginning to hate SNMP back and had decided that if I was going to do anything it should be web based. Luckily, I discovered PHP has an SNMP module, so I recompiled PHP with that enabled and started to poke at things.
One thing I learnt early on is it's not as simple as I had hoped. We have multiple VLANs, so switches would need to be queried multiple times for each VLAN. You need to do a whole pile of ugly matching to match internal ports with external interfaces and I still can't get my head around the SNMP numbers. However, after working on it on and off for a week or so it finally began to work.
And so here it is:
This works fine for us across our multiple VLANs on a mix of Cisco 2950s and 3750s. If you have other systems you may need to change the OID strings. I'll leave this to you as an exercise. It is also not the fastest; it takes about two minutes to query all of our switches, but it does work.
You can submit a MAC address, an IP address or a hostname, although if the machine can't determine the MAC address, it can't run its queries (i.e., if the machine has disappeared off the network, you're on your own).
Incidentally, in case anyone is wondering: no, we do not allow random machines to be plugged into our network, but that does not stop people (staff and students alike) from trying. Most of them are stopped by our other security measures, but they won't tell us where the offending machine is.
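
The per-VLAN querying and the matching of internal ports to external interfaces described above come down to a three-table join, sketched here in Python as an added example (it is not the author's PHP script). It assumes the standard BRIDGE-MIB and IF-MIB OIDs and Cisco's per-VLAN community indexing (`community@vlan`), runs on constructed walk data instead of a live switch, and adds a hypothetical `uplinks` filter so a MAC learned on a trunk is not reported as locally attached.

```python
# Added example: joins constructed SNMP walk output the way a MAC-to-port
# lookup must on a multi-VLAN Cisco switch. No live SNMP is performed.
import re

FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"      # BRIDGE-MIB dot1dTpFdbPort
BASE_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"       # IF-MIB ifName


def mac_to_suffix(mac):
    """Turn aa:bb:.., aa-bb-.. or aabb.ccdd.eeff into the decimal OID suffix."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))


def locate_mac(mac, walks_by_vlan, if_names, uplinks=()):
    """Return [(vlan, ifName)] where the MAC was learned, skipping uplinks."""
    suffix = mac_to_suffix(mac)
    hits = []
    for vlan, walk in sorted(walks_by_vlan.items()):
        # Step 1: forwarding table for this VLAN gives an internal bridge port.
        bridge_port = walk.get(FDB_PORT + "." + suffix)
        if bridge_port is None:
            continue
        # Step 2: bridge port -> ifIndex (also walked per VLAN).
        if_index = walk.get(BASE_IFINDEX + "." + str(bridge_port))
        # Step 3: ifIndex -> interface name (walked once, not per VLAN).
        name = if_names.get(IF_NAME + "." + str(if_index), "unknown")
        if name not in uplinks:
            hits.append((vlan, name))
    return hits


# Constructed sample data: what walks with community "public@10" and
# "public@20" might return, keyed by VLAN id. Values are made up.
WALKS = {
    10: {FDB_PORT + ".0.17.34.51.68.85": 12,
         BASE_IFINDEX + ".12": 10012, BASE_IFINDEX + ".25": 10101},
    20: {FDB_PORT + ".0.26.43.60.77.94": 25,
         BASE_IFINDEX + ".25": 10101},
}
IF_NAMES = {IF_NAME + ".10012": "Fa0/12", IF_NAME + ".10101": "Gi0/1"}

if __name__ == "__main__":
    print(locate_mac("00:11:22:33:44:55", WALKS, IF_NAMES, uplinks=("Gi0/1",)))
```

An empty result for a MAC that only appears on an uplink means the host hangs off a different switch, so the same lookup is repeated there.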