mac address

Answered Question
Jun 5th, 2008

Hello,


On a router interface I receive IP packets with spoofed IP addresses. Is there a way, besides network sniffing, to see on the router the source MAC address of that packet?

Correct Answer
Kevin Dorrell Thu, 06/05/2008 - 07:09

If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.


Kevin Dorrell

Luxembourg

Paolo Bevilacqua Fri, 06/06/2008 - 09:12

No, source mac for each is not available to see with regular commands.

Richard Burts Fri, 06/06/2008 - 09:20

antonio


Kevin is correct that if you have an access list on the interface, you can add log-input and the message in the logs will include the source MAC address. Be aware that this would be the MAC address of the device that forwarded the packet to you and not necessarily the MAC of the device that originated the packet.


HTH


Rick

Paolo Bevilacqua Fri, 06/06/2008 - 09:25

How do you make an ACL that logs MAC? What I get from mine is like:


Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet


Richard Burts Fri, 06/06/2008 - 09:30

Paolo


I am not clear whether your access list is configured with log (I think this is probably what you have) or with log-input. Here is an example of one of our access lists using log-input:

Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets


HTH


Rick
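An added example, not part of the thread: a Python parser for the two %SEC-6-IPACCESSLOGP message shapes quoted above (plain log, and log-input with the input interface and source MAC). It totals packets per interface and MAC, which identifies the adjacent device that forwarded the traffic, per Rick's caveat. The function names are hypothetical and the third sample line is constructed.

```python
import re
from collections import Counter

# The "(interface MAC)" group only appears when the ACL entry ends in
# log-input; with plain log it is absent, so it is optional here.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\w.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) )?"
    r"-> (?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse(line):
    """Return the message fields as a dict, or None if the line is not IPACCESSLOGP."""
    m = LOGP.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def forwarding_neighbours(lines):
    """Total logged packets per (input interface, source MAC).

    The MAC is that of the last layer-2 hop, not necessarily the originator.
    Lines logged without log-input carry no MAC and are skipped.
    """
    totals = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["mac"]:
            totals[(rec["ifname"], rec["mac"])] += rec["count"]
    return totals

SAMPLE = [
    # From the thread: ACL entry configured with "log"
    "Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp "
    "X.X.222.50(24622) -> X.X.43.26(23), 1 packet",
    # From the thread: ACL entry configured with "log-input"
    "Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp "
    "192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets",
    # Constructed: different source IP arriving from the same neighbour
    "Jun 3 18:38:02 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp "
    "192.0.2.77(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 2 packets",
]

if __name__ == "__main__":
    for (ifname, mac), pkts in forwarding_neighbours(SAMPLE).items():
        print(f"{ifname} {mac}: {pkts} packets")
```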

Paolo Bevilacqua Fri, 06/06/2008 - 09:34

Yes, I was using "log". I didn't even know of "log-input". Thanks for clarifying.


Options with partial naming overlap are a great source of confusion, but apparently Cisco doesn't care :(

Richard Burts Fri, 06/06/2008 - 09:45

Paolo


Yes, name overlap can generate quite a bit of confusion. The one that I sometimes see is:

no exec (which stops the exec process on a console or vty)

no exec-timeout (which disables the inactivity timeout on a console or vty)


Every once in a while I run into someone who has a console or a vty that appears to be dead but turns out to have no exec configured.


HTH


Rick
