mac address

Antonio_1_2
Level 1

Hello,

On a router interface I receive IP packets with spoofed IP addresses. Is there a way, besides network sniffing, to see on the router the source MAC address of such a packet?

1 Accepted Solution

Kevin Dorrell
Level 10

If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.

Kevin Dorrell

Luxembourg

7 Replies

paolo bevilacqua
Hall of Fame

No, source mac for each is not available to see with regular commands.

antonio

Kevin is correct that if you have an access list on the interface that you can add log-input and the message in the logs will include the source MAC address. Be aware that this would be the MAC address of the device that forwarded the packet to you and not necessarily the MAC of the device that originated the packet.

HTH

Rick

How do you make an ACL that logs MAC? What I get from mine is like:

Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet

Paolo

I am not clear whether your access list is configured with log (I think this is probably what you have) or with log-input. Here is an example of one of our access lists using log-input:

Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets

HTH

Rick
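The difference between the two messages quoted above can be checked mechanically. The following is an added example, not part of any post in this thread: a Python parser for %SEC-6-IPACCESSLOGP lines that extracts the input interface and source MAC when the entry was logged with log-input, and totals packets per forwarding device. The function names are hypothetical, and the third sample line is constructed to show different source IPs arriving from the same MAC.

```python
import re
from collections import Counter

# Sample lines: the first two are the messages quoted in this thread,
# the third is constructed for this example.
SAMPLE_LOG = """\
Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet
Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets
Jun 3 18:42:31 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.200(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 2 packets
"""

ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[^\s(]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>\S+) (?P<l2>[^)\s]+)\) )?"  # present only with log-input
    r"-> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

def parse_line(line):
    """Return a dict for one IPACCESSLOGP message, or None if it is not one."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    l2 = rec.pop("l2")
    # Keep the layer-2 token only when it is a MAC in Cisco dotted form.
    rec["mac"] = l2.lower() if l2 and MAC.match(l2) else None
    return rec

def packets_by_forwarder(text):
    """Sum packet counts per (input interface, source MAC) for log-input lines."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["mac"]:
            totals[(rec["ifname"], rec["mac"])] += rec["count"]
    return totals

def lines_without_mac(text):
    """Messages from entries using plain log, which carry no interface or MAC."""
    return [r for r in map(parse_line, text.splitlines()) if r and not r["mac"]]

if __name__ == "__main__":
    for key, pkts in packets_by_forwarder(SAMPLE_LOG).items():
        print(key, pkts)
    print(len(lines_without_mac(SAMPLE_LOG)), "line(s) logged without MAC")
```

Several source IPs grouped under one MAC point at the adjacent device that forwarded the packets onto the segment, which is not necessarily the originator.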

Yes, I was using "log". I didn't even know of "log-input". Thanks for clarifying.

Options with partial naming overlap are a great source of confusion, but apparently Cisco doesn't care :(

Paolo

Yes name overlap can generate quite a bit of confusion. The one that I sometimes see is:

no exec (which stops the exec process on a console or vty)

no exec-timeout (which disables the inactivity timeout on a console or vty)

Every once in a while I run into someone who has a console or a vty that appears to be dead but turns out to have no exec configured.

HTH

Rick
