Logging MAC addresses

August 17, 2008 at 11:44 am | Posted in IOS services | 4 Comments

Lab 11 Task 1.6.

  • A recent security breach which involved the compromising of the company’s future business plans was tracked down to a notebook computer that was located in VLAN 28 with a MAC address of 0001.02ac.9ab2. After checking the MAC address tables of SW1 and SW2 you have determined that the notebook computer is not currently plugged into the network.
  • In order to help track down this device in the future configure SW2 to notify the network management station at 187.X.3.100 whenever a new MAC address is learned in VLAN 28.
  • The network management server will be expecting community-string to be CISCOTRAP.

Solution
SW2:
interface FastEthernet0/24
snmp trap mac-notification added
!
snmp-server enable traps MAC-Notification
snmp-server host 187.1.3.100 CISCOTRAP MAC-Notification
mac-address-table notification

Task 1.6 Breakdown
To enable SNMP trapping when a MAC address is added or removed from the CAM table, issue the global configuration commands mac-address-table notification and snmp-server enable traps MAC-Notification. These traps are then selectively enabled on a per-interface basis with the interface-level command snmp trap mac-notification; the solution uses the added keyword on Fa0/24, so only newly learned addresses on that port generate a trap. The traps are forwarded to the NMS located at 187.1.3.100 using the community string CISCOTRAP.

Task 1.6 Verification

Verify SNMP MAC Address logging configuration:
Rack1SW2#clear mac-address-table dynamic interface fa0/24
Rack1SW2#show mac-address-table notification
MAC Notification Feature is Enabled on the switch
Interval between Notification Traps : 1 secs
Number of MAC Addresses Added : 1
Number of MAC Addresses Removed : 0
Number of Notifications sent to NMS : 1
Maximum Number of entries configured in History Table : 1
Current History Table Length : 1
MAC Notification Traps are Enabled
History Table contents
----------------------
History Index 0, Entry Timestamp 348747, Despatch Timestamp 348747
MAC Changed Message :
Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24
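
On the NMS side, the trap carries this history entry as a packed octet string (the cmnHistMacChangedMsg object of CISCO-MAC-NOTIFICATION-MIB), which many trap receivers log as raw hex. The following decoder is an added example, not part of the original lab solution; it assumes the receiver logs the value as space- or colon-separated hex, and the sample payload is constructed to match the entry above plus the notebook MAC from the task.

```python
import re

# Tuple layout per CISCO-MAC-NOTIFICATION-MIB (cmnHistMacChangedMsg):
# <operation:1><VLAN:2><MAC:6><dot1dBasePort:2>; operation 0 ends the message.
OPS = {1: "Added", 2: "Removed"}
TUPLE_LEN = 11
WATCHED = {"0001.02ac.9ab2"}  # notebook MAC from the task

# Constructed sample: the history entry shown above, then the watched notebook.
SAMPLE = ("01 00 1C 00 60 70 15 AC 7A 00 18 "
          "01 00 1C 00 01 02 AC 9A B2 00 18 00")

def decode_mac_changed_msg(payload):
    """Return a list of dicts, one per MAC change tuple in the payload."""
    if isinstance(payload, str):  # hex text as many trap receivers log it
        payload = bytes.fromhex(re.sub(r"[\s:]", "", payload))
    events, i = [], 0
    while i < len(payload) and payload[i] != 0:
        chunk = payload[i:i + TUPLE_LEN]
        if len(chunk) < TUPLE_LEN:
            raise ValueError(f"truncated tuple at offset {i}")
        if chunk[0] not in OPS:
            raise ValueError(f"unknown operation {chunk[0]} at offset {i}")
        mac = chunk[3:9].hex()
        events.append({
            "operation": OPS[chunk[0]],
            "vlan": int.from_bytes(chunk[1:3], "big"),
            "mac": ".".join(mac[j:j + 4] for j in (0, 4, 8)),  # Cisco dotted form
            "port": int.from_bytes(chunk[9:11], "big"),        # dot1dBasePort
        })
        i += TUPLE_LEN
    return events

def watched_macs_seen(events, vlan=28, watched=WATCHED):
    """Events where a watched MAC was learned in the given VLAN."""
    return [e for e in events
            if e["operation"] == "Added" and e["vlan"] == vlan and e["mac"] in watched]

if __name__ == "__main__":
    for e in decode_mac_changed_msg(SAMPLE):
        flag = "  <-- WATCHED" if watched_macs_seen([e]) else ""
        print("Operation: {operation} Vlan: {vlan} MAC Addr: {mac} "
              "Dot1dBasePort: {port}".format(**e) + flag)
```

Storing the decoded tuples with the trap's source address and receive time gives a searchable record of which port a MAC was learned on, even after the device has been unplugged.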


4 Comments »


  1. How can the SNMP traps, like this MAC Notification, be logged to the SNMP server? Any recommendation on what SNMP tool can be used to log MAC addresses? I’m using Zenoss and it can receive MAC notification traps but it doesn’t log MAC addresses. I’ve experienced this type of situation where a laptop connects into our switch which got compromised. And it’s difficult to track it if the laptop is no longer connected. If only I could log the MAC address and the switch port it connects to, then tracing a machine would not be that difficult. Thanks for your help.

  2. Hi,

    What the router logs to the SNMP management station via SNMP traps should not depend on what SNMP tool you use. Please check your router configuration, and make sure that you do not miss any commands (as shown in the example).

    “show mac-address-table notification” should show what MAC addresses the router logs to the SNMP management station; in the above example, it is

    MAC Changed Message :
    Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24

    Please look at the switch (C3560) command reference for further details:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/command/reference/cli1.html#wp2002989

  3. I did all the configuration mentioned above but couldn’t get MAC address SNMP traps. I use Kiwi Syslog and it receives some traps, but I can’t read what MAC addresses were added or deleted. I mean, the messages are too complex. You can see it from the link:

    When we enter the command “show mac-address-table notification” on the Cisco switch, it displays something like “Operation: Added Vlan: 28 MAC Addr: 0060.7015.ac7a Dot1dBasePort: 24”, and what I want is to see this notification in a readable way in my Kiwi or another software you suggest that can receive traps.

  4. Is there software for this, or what else can I do?
    Thank you

