Cisco - mac-address-table notification [Solved] [ish]

post #1 of 9
Thread Starter 
Hey all,

I am trying to get some Cisco 3550's / 3650's to log changes in MAC addresses on them. At the moment it's looking like this is done through SNMP
Code:
# snmp-server host
# snmp-server enable traps mac-notification
# mac address-table notification
# mac address-table notification interval 0
# interface fastethernet0/1

(Update me instantly when something moves),

which is all well and good, but I was wondering if there is a way to get this going to the syslog server like the other log messages can,

From what it looks like SNMP is the only way to do it, as what goes to the syslog server is something along the lines of
Code:
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
2d12h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

even when everything is set to debug like
Code:
#logging cns-events 7
#logging console 7
#logging monitor 7
#logging on 


Thanks In advance!
post #2 of 9
I think what you are looking for is


snmp mib notification-log

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ftmiblog.html

http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf014.html
Edited by bratas - 9/4/13 at 11:11am
post #3 of 9
Either that, or at work we are having each port send their own traps with the mac addresses. Port config lines below.
Code:
snmp trap mac-notification change added
snmp trap mac-notification change removed
post #4 of 9
Quote:
Originally Posted by Ulquiorra View Post

which is all well and good, but I was wondering if there is a way to get this going to the syslog server like the other log messages can,

From what it looks like SNMP is the only way to do it, as what goes to the syslog server is something along the lines of
Quote:
Originally Posted by herkalurk View Post

Either that, or at work we are having each port send their own traps with the mac addresses. Port config lines below.
Code:
snmp trap mac-notification change added
snmp trap mac-notification change removed


That would be fine, but he is asking how to send SNMP to syslog, not which traps to use to collect MAC addresses.
post #5 of 9
Thread Starter 
Quote:

Holllyyyy shiz, that's looking like it's what I want: create a local log that has all the content of the SNMP logs. Now it depends if log host forwards this to the server! (Shame I can't test it this weekend to see if it's good or not!)
post #6 of 9
Quote:
Originally Posted by bratas View Post


that would be fine but he is asking how to send SNMP to Syslog, not which traps to use to collect mac addresses.

To be honest, we do have a snmp trap receiver active in a linux box, which converts the trap to syslog, and outputs to file. A lot more elaborate than what you're suggesting. But it's helped us to map out exactly where each physical port on the wall hooks into the switch. Years of bad documentation is slowly being destroyed.
post #7 of 9
Thread Starter 
Quote:
Originally Posted by herkalurk View Post

To be honest, we do have a snmp trap receiver active in a linux box, which converts the trap to syslog, and outputs to file. A lot more elaborate than what you're suggesting. But it's helped us to map out exactly where each physical port on the wall hooks into the switch. Years of bad documentation is slowly being destroyed.

Heh, I looked at doing this but got shot down by my line manager ;D. SNMP is sadly a no go in any respect, which is a shame but oh well ^_^'


Edit:- The local logging didn't work T_T, why are Cisco so popular whyyyyyy *breaks down*
Edited by Ulquiorra - 9/13/13 at 8:36am
post #8 of 9
Thread Starter 
So just to update this in case anyone stumbles upon this in the future:


Even with the notification log it doesn't pipe it to the Rsyslog server, so SNMP was the only way of doing this. It was set up to use SNMP as it was the only method; the only traps sent out by the switches are the MAC notifications. Then run it through OSSEC to get a nice warning every time someone adds or removes a device on the network (oh the joy of reading them reports!). All I need to do now is look into a way to encrypt the SNMP traffic >_<

Thanks for your help guys
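Added example, not code from any poster in this thread: a decoder for the payload carried by the MAC notification traps discussed above, turning each change into a one-line record that a syslog/OSSEC pipeline can match on. The tuple layout follows the CISCO-MAC-NOTIFICATION-MIB description of `cmnHistMacChangedMsg`; the output line format, the switch name `sw1` and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Tuple layout per the CISCO-MAC-NOTIFICATION-MIB description of
# cmnHistMacChangedMsg: operation(1) VLAN(2) MAC(6) dot1dBasePort(2).
TUPLE = struct.Struct("!BH6sH")          # 11 octets, network byte order
OPERATIONS = {1: "added", 2: "removed"}  # 1 = MAC learnt, 2 = MAC removed


def decode_mac_changes(payload: bytes) -> list:
    """Split a cmnHistMacChangedMsg octet string into change events."""
    events, offset = [], 0
    # A 0 octet in the operation position marks the end of the message.
    while offset < len(payload) and payload[offset] != 0:
        if len(payload) - offset < TUPLE.size:
            raise ValueError(f"truncated tuple at offset {offset}")
        op, vlan, mac, port = TUPLE.unpack_from(payload, offset)
        if op not in OPERATIONS:
            raise ValueError(f"unknown operation {op} at offset {offset}")
        events.append({
            "op": OPERATIONS[op],
            "vlan": vlan,
            "mac": ":".join(f"{b:02x}" for b in mac),
            # Bridge port number, not an ifIndex or interface name.
            "bridge_port": port,
        })
        offset += TUPLE.size
    return events


def to_syslog_line(switch: str, event: dict) -> str:
    """Render one event as a key=value line (hypothetical format)."""
    return ("mac-notification switch={0} op={op} vlan={vlan} "
            "mac={mac} bridge_port={bridge_port}").format(switch, **event)


# Constructed sample payload: one MAC learnt, one removed, then the 0 terminator.
SAMPLE_PAYLOAD = bytes.fromhex(
    "01" "000a" "001122334455" "0003"
    "02" "000a" "0011223344aa" "0005"
    "00"
)

if __name__ == "__main__":
    for ev in decode_mac_changes(SAMPLE_PAYLOAD):
        print(to_syslog_line("sw1", ev))  # "sw1" is a made-up switch name
```

The trap receiver has to hand this function the raw octets of the varbind; a receiver that prints the value as a hex string needs that string converted back to bytes first.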
post #9 of 9
Quote:
Originally Posted by Ulquiorra View Post

encrypt the snmp traffic >_<

Y u no v3