6500 SNMP Trap for New ARP Entries ?

dumlutimuralp · ‎05-25-2008

Hi all,

Does anyone know if the 6500 is capable of sending SNMP traps or logs to a management station or itself, whenever a new ARP entry occurs or a new MAC address is learned ?

Customer does not want to query the 6500 periodically. Instead they require a trap or log sent to the management station ? Anyone has done anything like this before ?

Thanks in advance.

Joe Clarke · ‎05-25-2008

Such a feature exists for CAM table entries (using the CISCO-MAC-NOTIFICATION-MIB), but not for ARP entries. You could create such a notification, though, by using the Embedded Event Manager. You could write an EEM Tcl policy which periodically checks the ARP table for changes, and sends a trap indicating a change has occurred, and even include the new entry data.

This will require you to be running 12.2(18)SXF4 (modular IOS) or 12.2(18)SXF5 (native IOS). See http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd805457c3.html for more on EEM on the 6500s. Checkout http://www.cisco.com/go/ciscobeyond/ for some good EEM examples.

mdcarey15 · ‎06-03-2008

I'm also looking for this "Arpwatch" functionality. Wouldn't the EEM Tcl script overwhelm the router checking the ARP table for changes?

Joe Clarke · ‎06-03-2008

Potentially, yes. It would depend on the size of the table, and frequency of the EEM policy. Testing out a solution in the lab would be a must. There is one tool in IOS that would help with implementing this feature. You could dump the arp table to a file on flash, then use "show archive config differences" to diff the current table to the last run table. Then iterate through the modified lines to generate traps.