Depends on the switch and router. My answer assumes a Cisco environment (router and switch) If you know the IP you would also know what the default gateway is. Go to that gateway and run:
show arp which will show you the matching MAC address for the IP.
Take that MAC address and go to the switch that is listed from the show arp that matches the MAC & IP. On that switch run:
show mac-address table address 00:00:DE:AD:BE:EF This will tell you what port the host is on. Map it to the patch panel and its a wrap. Almost all routers and switches will map the ARP to IP so depending on the topology, the syntax may differ.
Your organization could benefit by diagramming your network out. How things interconnect, etc., there are plenty if low cost and free tools to do so e.g.:
http://www.manageengine.com/products/oputils/switch-port-mapper.html#switch-port-mapper it will save time and future headaches. I have some monstrous based scripting using expect and shell scripts with SIEM appliances to do pre and post-response analysis.
One thing you would always want to keep in mind is taking a methodical approach to analyzing what is going on. Always treat everything as a real world case. Anything you do may taint potential evidence so make sure you have a checklist and follow that check list to ensure you cover all angles. I would google terms like +CERT +incident response +guidelines and anything along those terms to get a concise idea of what to do and how to do it before you end up potentially corrupting evidence, etc.
General Certification : CPT Practical Submission
