Some range of MAC addresses cannot be obtained by SNMP

m.torii
Level 1

Hello network experts.

I have a problem getting MAC addresses from Catalyst switches using Net-SNMP.

"snmpwalk -v 2c -c communityname switchname .1.3.6.1.2.1.17.4.3.1.1" does not answer some range of MAC addresses. The versions of snmpwalk are 5.6.1 and 5.7.

Suppose hexadecimal number XX is in range 20 <= XX <= 7e. If all XX of MAC address XX:XX:XX:XX:XX:XX are in this range, Catalyst switches do not answer this MAC address via SNMP, but I can get the address by the command line "show mac address-table".

I made an ARP packet with the Linux arping command "arping -0 -s 20:20:20:20:20:20 -p DST-IP-address" (the -s switch means SRC-MAC address), but 20:20:20:20:20:20 is not obtained by snmpwalk. But when I tried "arping -0 -s 20:20:20:20:7f:20 -p DST-IP-address", snmpwalk replies "Hex-STRING: 20 20 20 20 7F 20".

This test was done on VLAN 1 (native). I tried the VLAN-indexed "snmpwalk -v 2c -c communityname@1 switchname .1.3.6.1.2.1.17.4.3.1.1", but there was no improvement.

I only checked Catalyst IOS version 15.0(1)SE3 (2960, 2960G, 2960S, 3750X) and 12.2(55)SE6 (3750G). But I think all of IOS-15.0 and IOS-12.X have this problem.


srkala
Cisco Employee

Hi,

Whenever you try to do snmpwalk, is the walk timing out? Also, have you tried snmpwalk on any other VLAN?

Vinod Arya
Cisco Employee

Your OID is correct, but this is not the right way to get MAC address table details. SNMP v1 and v2c require SNMP Community String Indexing to see MAC addresses on a per-VLAN basis.

That means you have to add @ number to the above command to get MAC address details per VLAN.

Example :

You Tried :

snmpwalk -v 2c -c communityname switchname .1.3.6.1.2.1.17.4.3.1.1

It should be :

snmpwalk -v 2c -c communityname@ switchname .1.3.6.1.2.1.17.4.3.1.1

ex:

snmpwalk -v 2c -c communityname@1 switchname .1.3.6.1.2.1.17.4.3.1.1

For more details on this check the document :

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml

-Thanks

Vinod

-Thanks Vinod **Rating encourages contributors, and it's really free.**

Thank you experts.

I tried both

snmpwalk -v 2c -c communityname switchname .1.3.6.1.2.1.17.4.3.1.1

snmpwalk -v 2c -c communityname@1 switchname .1.3.6.1.2.1.17.4.3.1.1

They return the same reply (not a timeout; other MAC addresses are obtained correctly), because only native VLAN 1 is used on my switches. I believe this is not a VLAN problem. I suspect that the SNMP server of IOS has a bug, dropping some MAC addresses from the learned MAC address list.

In my network, I cannot find the location of a SONY PC whose MAC address is 54:42:49:63:54:5f, because every hexadecimal value 54, 42, 49, 63, 54, 5f is in range 20<=X<=7e. If an intruder changes the MAC address of the victim device to 20:20:20:20:20:20, network administrators cannot find his location by SNMP.

Sorry, this is a self reply.

By investigating the snmpwalk of OID .1.3.6.1.2.1.17.4.3.1.2 (not .1.3.6.1.2.1.17.4.3.1.1), I found that the OID part after .1.3.6.1.2.1.17.4.3.1.2 gives the learned MAC address in decimal numbers. Converting them to hexadecimal numbers, I can get the same MAC address list obtained by the command "show mac address-table".

Thank you.
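The workaround described in the post above, as an added example that is not part of the original thread: it reads `snmpwalk -On` output for .1.3.6.1.2.1.17.4.3.1.2 (dot1dTpFdbPort) and rebuilds each MAC address from the six decimal sub-identifiers of the OID index, so the result does not depend on how the value column is printed. The sample walk output, the port numbers and the function names are constructed for illustration.

```python
import re

# dot1dTpFdbPort (BRIDGE-MIB); the six sub-identifiers after it are the MAC.
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2"

# Constructed sample of `snmpwalk -On` output (not captured from a real switch).
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.32.32.32.32.32.32 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.32.32.32.32.127.32 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.84.66.73.99.84.95 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.0.28.999.1.2.3 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.1.32.32.32.32.127.32 = Hex-STRING: 20 20 20 20 7F 20
Timeout: No Response from switchname
"""

LINE_RE = re.compile(r"^(\.[0-9.]+)\s*=\s*INTEGER:\s*(\d+)\s*$")


def mac_from_index(oid):
    """Return the MAC encoded in a dot1dTpFdbPort index, or None if malformed."""
    if not oid.startswith(FDB_PORT_OID + "."):
        return None  # a different column, e.g. .1.1 (dot1dTpFdbAddress)
    parts = oid[len(FDB_PORT_OID) + 1:].split(".")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None  # not a valid byte, so not a MAC index
    return ":".join(f"{o:02x}" for o in octets)


def parse_fdb_walk(text):
    """Map each learned MAC address to its bridge port number."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # error text or a non-INTEGER row
        mac = mac_from_index(m.group(1))
        if mac is not None:
            table[mac] = int(m.group(2))
    return table


if __name__ == "__main__":
    for mac, port in sorted(parse_fdb_walk(SAMPLE_WALK).items()):
        print(mac, "-> bridge port", port)
```
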

Glad to see the good news. Hope the guide was helpful.

You may close this thread if the issue is resolved.

-Thanks

-Thanks Vinod **Rating encourages contributors, and it's really free.**