Mac move question

Unanswered Question
Sep 29th, 2010

I enabled the mac move feature so that I can track when people move their PC from their desk to a different desk, or whenever a big move occurs in the organization, but after enabling this feature it doesn't look to be very useful. I get tons of mac move syslogs whenever a user logs in to his PC.

Sep 29 08:05:35.450: %C4K_EBM-4-HOSTFLAPPING: Host 00:xx:bb:XX:0E:3e in vlan 890 is moving from port Po55 to port Gi6/17
Po55 is the uplink port of the switch. I want to be able to see a syslog entry only when a user moves from one switchport to another switchport (not the uplink port). Is it possible or doable? My configuration for mac move is:
snmp-server host x.x.x.x traps public mac-notification
snmp-server enable traps mac-notification move
mac address-table notification mac-move

danrya Wed, 09/29/2010 - 07:30

The "mac-address-table notification mac-move" command causes the switch to generate a syslog when a mac-address changes ports.  It doesn't generate a syslog when a mac-address is added or removed from the CAM table.  So, that means that this address was in the CAM table and pointed to the uplink, and then moved to the Gig port.

It sounds like that's what you're getting and what you're looking for.  Why would the user move from the uplink to a local port?  Was the user connected to another switch then moved to this port on this switch?  Can you look for this user in the syslog and see what "other" switch they were connected to?  If this is a wireless user, they could move quite often between APs.  If the APs are bridging, then you'll see the MAC from the client moving between APs (or uplinks).

Dan

nawas Thu, 09/30/2010 - 05:51

"The "mac-address-table notification mac-move" command causes the switch to generate a syslog when a mac-address changes ports.  It doesn't generate a syslog when a mac-address is added or removed from the CAM table.  So, that means that this address was in the CAM table and pointed to the uplink, and then moved to the Gig port."

I agree. This is what I want, but I don't want to see it when an address moves from PO55; I want to see when an address moves from any other physical switch port.

"Why would the user move from the uplink to a local port? "

It is because I have NAC enabled: the user would be in the Dirty VLAN to begin with and then get authenticated into a clean VLAN, and PO55 (the uplink) is the one that sends the communication to the Cisco CAS.

So my question is: is there a way I can filter the MAC move notification from the virtual port (PO55 in my case) but let it notify me from the other physical ports?

I know I'm being complicated. Thank you all for the help though.

danrya Thu, 09/30/2010 - 09:38

I don't know of a way to "disable it" on an interface.  But you can filter the syslogs to only send the ones you want.  Like you said, "I know I'm being complicated", it will not be an easy thing to do.  That's a joke, you're not being complicated, I understand why you're trying to do this, and unfortunately it's not easy to accomplish "exactly" what you want.

Take a look at "Embedded Syslog Manager (ESM)", it might allow you to filter the syslogs so any with "po55" is not sent.

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_esm_syslog.html#wp1059491

Dan
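
The filtering suggested in the reply above can also be done on the syslog collector instead of on the switch with ESM. The following is an added example, not part of the thread and not Cisco code: the function names, the uplink list and every sample line after the first are constructed for illustration.

```python
import re

# Format of the Catalyst 4500 host-flapping message quoted in the thread.
HOSTFLAP = re.compile(
    r"%C4K_EBM-4-HOSTFLAPPING:\s*Host\s+(?P<mac>\S+)\s+in vlan\s+(?P<vlan>\d+)\s+"
    r"is moving from port\s+(?P<src>\S+)\s+to port\s+(?P<dst>\S+)"
)

def norm_port(name):
    """Case-fold and shorten 'Port-channel55' so it compares equal to 'Po55'/'PO55'."""
    return re.sub(r"^port-channel", "po", name.strip().rstrip(".,").lower())

def parse_move(line):
    """Return the fields of one HOSTFLAPPING line, or None for any other message."""
    m = HOSTFLAP.search(line)
    if m is None:
        return None
    return {"mac": m["mac"].lower(), "vlan": int(m["vlan"]),
            "src": norm_port(m["src"]), "dst": norm_port(m["dst"])}

def access_port_moves(lines, uplinks):
    """Keep only moves where neither the old nor the new port is an uplink."""
    skip = {norm_port(u) for u in uplinks}
    kept = []
    for line in lines:
        move = parse_move(line)
        if move and move["src"] not in skip and move["dst"] not in skip:
            kept.append(move)
    return kept

# Constructed sample: the first line is the message from the thread, the rest are made up.
SAMPLE = [
    "Sep 29 08:05:35.450: %C4K_EBM-4-HOSTFLAPPING: Host 00:xx:bb:XX:0E:3e in vlan 890 is moving from port Po55 to port Gi6/17",
    "Sep 29 09:12:01.120: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:55 in vlan 890 is moving from port Gi6/17 to port Gi3/4",
    "Sep 29 09:12:40.007: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:66 in vlan 890 is moving from port Gi2/9 to port PO55",
    "Sep 29 09:13:02.300: %LINK-3-UPDOWN: Interface GigabitEthernet3/4, changed state to up",
]

if __name__ == "__main__":
    # Only the Gi6/17 -> Gi3/4 move survives; both Po55 moves are suppressed.
    for mv in access_port_moves(SAMPLE, uplinks=["Po55"]):
        print(f'{mv["mac"]} vlan {mv["vlan"]}: {mv["src"]} -> {mv["dst"]}')
```

With NAC in place, the dirty-to-clean VLAN transition shows up as a move to or from the uplink, so dropping any message that names an uplink on either side leaves only desk-to-desk moves.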

Posted September 29, 2010 at 6:14 AM