Monitoring MAC addresses at Catalyst 4006

Unanswered Question
Jun 25th, 2007

Hi all,

I have a need to monitor MAC address changes at a Catalyst 4006.

I have enabled to track down the changes into the cam notification, but I'd like to send the changes to a syslog.

I've been messing with snmp traps but havent found the way to it.

Can you help me?

Also do you know any GUI for managing a 4006 and a 4003 ?

Thanks!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Mon, 06/25/2007 - 22:31

The MAC notifications are only available via SNMP traps. Using an external gateway, you could change these traps into syslog messages, however.

As for a graphical management tool, your best bet would be CiscoView which is part of CiscoWorks LAN Management Solution. It will present you a full chassis view and allow you to monitor and configure per-port as well as chassis attributes.

Joe Clarke Tue, 06/26/2007 - 07:43

I do not have any example code to translate an SNMP trap into a syslog message.

sokin_pap Wed, 06/27/2007 - 22:23

I'm receiving this in syslog but I dont know what it actually means.

2007-06-27 17:38:39 Local7.Info x.y.z.20 community=public enterprise=1.3.6.1.4.1.9.9.215.2.1 enterprise_mib_name=cmnMacChangedNotification uptime=-1200749739 agent_ip=x.y.z.20 generic_num=6 specific_num=1 version=Ver1 var01_oid=1.3.6.1.4.1.9.9.215.1.1.8.1.2.1250 var01_value="Hex String=01 00 01 00 00 AA 6F 07 19 00 DC 01 00 01 00 50 04 65 18 4D 00 DC 00" var01_mib_name=cmnHistMacChangedMsg.1250 var01_value="Hex String=01 00 01 00 00 AA 6F 07 19 00 DC 01 00 01 00 50 04 65 18 4D 00 DC 00" var02_oid=1.3.6.1.4.1.9.9.215.1.1.8.1.3.1250 var02_value=3094217557 var02_mib_name=cmnHistTimestamp.1250 var02_value=3094217557

How can I translate these into smtg I can understand ?

Joe Clarke Wed, 06/27/2007 - 22:40

This is a cmnMacChangedNotification trap from the CISCO-MAC-NOTIFICATION-MIB. It looks like this trap message is as detailed as it's going to get in this management application. But I'm not sure what management application you're using, so I can't say that for certain.

var1 is cmnHistMacChangedMsg which is the change notification message. This is an octet string in the format ... where each tuple is in the format . So, this message says that the MAC 00:00:AA:6F:07:19 was learned by this switch on the port with the dot1dBasePort value of 220. This port is in VLAN 1. The messages goes on to say that MAC 00:50:04:65:18:4D was learned on the port with the dot1dBasePort value of 220 (same port as the first MAC). The first MAC is from a Xerox device, and the second is from a 3com device.

var2 is cmnHistTimestamp of the value of sysUpTime on the device when the events mentioned in cmnHistMacChangedMsg occurred. In this case, the switch had been up for just over 51 weeks.

sokin_pap Wed, 06/27/2007 - 23:04

I'm using Kiwi syslog. Do you recommend something else ? (preferably freeware)

Is there a document that I can use to understand how you "translate" it ?

Otherwise can you help me a little bit further to understand it ?

I appreciate your help!

Thanks!

Joe Clarke Wed, 06/27/2007 - 23:14

I use net-snmp (http://net-snmp.sourceforge.net), but Kiwi might be a bit easier to use. Everything you will need to translate the varbinds in this trap can be found in the CISCO-MAC-NOTIFICATION-MIB and the BRIDGE-MIB. Looks like you have the former loaded into Kiwi already. I imagine you might also have the latter loaded as well.

Just read the description for the trap in the CISCO-MAC-NOTIFICATION-MIB, then read the descriptions for the two varbind objects. The only cross referencing you will need to do for this trap is to understand the dot1dBasePort that is defined in the BRIDGE-MIB.

Actions

This Discussion