If you have a big network with multiple access switches connecting to the core switches or routers, then tracing a device like a PC or a laptop for troubleshooting or security purposes is one of those tasks you often end up doing. It is not difficult, but it can certainly be time consuming.
Let's start with an IP address on hand. Quickly ping the address to check whether the device is reachable; the ping also refreshes the ARP and MAC table entries along the path. If it is, simply log on to one of your core switches or routers and do a simple sh ip arp:
Core1# sh ip arp 192.168.1.15
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.15 22 0000.1111.1111 ARPA Vlan1
From the above you know the MAC address of the device:
IP Address : 192.168.1.15
MAC Address : 0000.1111.1111
Now, do a show mac-address-table command for that address on the core switch or router. This shows the interface through which the address was learned: either the port the device is connected to, or an uplink towards the switch it sits behind.
Core1# sh mac-address-table address 0000.1111.1111
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Te1/1
This indicates that the device is either connected directly to that port or sits behind another switch that is connected to that interface. Looking at this one, it is very likely an uplink (a TenGigabitEthernet link) to another distribution or access switch.
Sometimes the output looks like the following instead [note the Po1]:
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Po1
This indicates that an EtherChannel is configured, so do a 'show etherchannel summary' to find the physical ports bundled into it.
Core1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators: 6
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Te1/1(P) Te2/1(P)
This shows that the address is learnt through Po1, whose physical members are Te1/1 and Te2/1.
Now, do a 'show cdp neighbors' to list the directly connected Cisco devices.
Core1# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
Access1 Ten 1/1 129 R S I WS-C6509 Ten 1/1
That tells you that it is the access switch Access1 that is connected to Te1/1, not the device itself.
Now, log onto the access switch and do a 'show mac-address-table' command for the MAC address; that should show the interface to which the device is connected.
[NOTE: unless it is a distribution switch to which again a bunch of access switches are connected, in which case you need to repeat the whole procedure above from this switch.]
Access1# show mac-address-table address 0000.1111.1111
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Supervisor:
* 1 0000.1111.1111 dynamic Yes 10 Gi1/24
Now you can see which port the device is connected to, and on which switch.
Now do a 'show interface' command on that port to see its details.
Access1>sh int gigabitEthernet 1/24
GigabitEthernet1/24 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s
.....
There you go, you have found the switchport of the device you were tracing!
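The steps above (ARP lookup, MAC table, EtherChannel members, CDP neighbour, repeat on the next switch) are mechanical enough to script. The following is an added Python example, not code from the original post: it parses the four 'show' outputs in the format shown above and walks hop by hop until it reaches a port with no switch behind it. All device outputs in it are constructed samples (the names Core1, Access1, the phone entry and the Po2 group are made up); collecting the real outputs from the switches is left to the caller.

```python
"""Trace a host from its IP address to its edge switchport by parsing the
same 'show' outputs used in the write-up.  Added example, not code from the
original post; every device output below is a constructed sample."""
import re
from typing import Optional

MAC_RE = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"


def normalize_ifname(name: str) -> str:
    """Reduce IOS's spellings of one interface to a comparable short form:
    'Ten 1/1' and 'TenGigabitEthernet1/1' -> 'Te1/1', 'Port-channel1' -> 'Po1'."""
    m = re.match(r"\s*([A-Za-z]{2})[A-Za-z-]*\s*(\d[\d/.]*)", name)
    return m.group(1) + m.group(2) if m else name.strip()


def parse_arp(output: str, ip: str) -> Optional[str]:
    """'show ip arp <ip>': hardware address bound to ip, or None if absent."""
    for line in output.splitlines():
        m = re.match(r"\s*Internet\s+(\S+)\s+\S+\s+(" + MAC_RE + r")", line)
        if m and m.group(1) == ip:
            return m.group(2).lower()
    return None


def parse_mac_table(output: str, mac: str) -> Optional[str]:
    """'show mac-address-table address <mac>': port the address was learned
    on (last column of the matching row), or None if this switch has not learned it."""
    for line in output.splitlines():
        m = re.match(r"\s*\*?\s*\d+\s+(" + MAC_RE + r")\s+(.+)$", line)
        if m and m.group(1).lower() == mac:
            return normalize_ifname(m.group(2).split()[-1])
    return None


def parse_etherchannel(output: str, po: str) -> list:
    """'show etherchannel summary': members of port-channel po that are
    actually bundled (flag P); down or suspended members are skipped."""
    members = []
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+(Po\d+)\(\S+\)\s+\S+\s+(.*)$", line)
        if m and m.group(1) == po:
            for port, flags in re.findall(r"(\S+)\((\w+)\)", m.group(2)):
                if "P" in flags:
                    members.append(normalize_ifname(port))
    return members


def parse_cdp(output: str) -> dict:
    """'show cdp neighbors': local interface (normalized) -> neighbour device ID
    and capability letters.  Rows whose Device ID wraps onto its own line are not handled."""
    row = re.compile(r"\s*(\S+)\s+([A-Za-z]+ ?\d[\d/.]*)\s+\d+\s+"
                     r"([A-Za-z ]+?)\s+\S+\s+\S+ ?\S+\s*$")
    neighbors = {}
    for line in output.splitlines():
        m = row.match(line)
        if m:
            neighbors[normalize_ifname(m.group(2))] = {
                "device": m.group(1), "capability": m.group(3).split()}
    return neighbors


def trace_mac(ip: str, devices: dict, start: str) -> dict:
    """Walk from switch `start` towards the host.  devices maps a switch name to
    its captured outputs ('arp', 'mac', 'etherchannel', 'cdp').  Returns the MAC,
    the (switch, port) hops and the edge port; edge is None when the address is
    not learned, the next switch has no captured output, or CDP leads in a loop."""
    mac = parse_arp(devices[start].get("arp", ""), ip)
    if mac is None:
        raise LookupError(f"{ip} is not in the ARP table of {start}; ping it first")
    hops, visited, device = [], set(), start
    while device not in visited:
        visited.add(device)
        out = devices[device]
        port = parse_mac_table(out.get("mac", ""), mac)
        if port is None:
            return {"mac": mac, "hops": hops, "edge": None}
        hops.append((device, port))
        # A Po port is an EtherChannel; CDP lists neighbours per physical member.
        physical = (parse_etherchannel(out.get("etherchannel", ""), port)
                    if port.startswith("Po") else [port])
        cdp = parse_cdp(out.get("cdp", ""))
        downstream = next((cdp[p]["device"] for p in physical
                           if p in cdp and "S" in cdp[p]["capability"]), None)
        if downstream is None:
            # No switch behind this port: the host is plugged in here.
            return {"mac": mac, "hops": hops, "edge": (device, port)}
        if downstream not in devices:
            return {"mac": mac, "hops": hops, "edge": None}  # need its outputs
        device = downstream
    return {"mac": mac, "hops": hops, "edge": None}  # CDP loop


# Constructed sample outputs mirroring the write-up; not captured from real gear.
CORE1 = {
    "arp": "Protocol  Address       Age (min)  Hardware Addr   Type   Interface\n"
           "Internet  192.168.1.15         22   0000.1111.1111  ARPA   Vlan1\n",
    "mac": "  vlan   mac address     type    learn     age        ports\n"
           "*    1  0000.1111.1111   dynamic  Yes         10   Po1\n",
    "etherchannel": "Group  Port-channel  Protocol    Ports\n"
                    "1      Po1(SU)         -        Te1/1(P)    Te2/1(P)\n"
                    "2      Po2(SU)         -        Te1/2(P)    Te2/2(s)\n",
    "cdp": "Device ID    Local Intrfce   Holdtme  Capability  Platform  Port ID\n"
           "Access1      Ten 1/1         129       R S I      WS-C6509  Ten 1/1\n"
           "Access1      Ten 2/1         129       R S I      WS-C6509  Ten 2/1\n",
}
ACCESS1 = {
    "mac": "*    1  0000.1111.1111   dynamic  Yes         10   Gi1/24\n",
    "cdp": "Core1            Ten 1/1    142   R S I   WS-C6509  Ten 1/1\n"
           "SEPAABBCCDDEEFF  Gig 1/24   151   H P     7965      Port 1\n",
}
DEVICES = {"Core1": CORE1, "Access1": ACCESS1}

if __name__ == "__main__":
    r = trace_mac("192.168.1.15", DEVICES, "Core1")
    print(r["mac"], "->", " > ".join(f"{d}:{p}" for d, p in r["hops"]), "edge:", r["edge"])
```

A neighbour without the S (switch) capability, such as the constructed IP phone on Gi1/24, ends the walk, which matches the manual check in the write-up. One caveat when the walk stops: if 'show mac-address-table interface' on that edge port lists several addresses and CDP shows nothing, an unmanaged switch or hub is probably hanging off it, and the trace has to continue physically.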