Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

mac address

Hello,

On router interface I receive IP packets with spoofed IP addresses. Is there a way, besides network sniffing, to see on the router source MAC address of that packet?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: mac address

If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.

Kevin Dorrell

Luxembourg

7 REPLIES

Re: mac address

If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.

Kevin Dorrell

Luxembourg

Hall of Fame Super Gold

Re: mac address

No, source mac for each is not available to see with regular commands.

Hall of Fame Super Silver

Re: mac address

antonio

Kevin is correct that if you have an access list on the interface that you can add log-input and the message in the logs will include the source MAC address. Be aware that this would be the MAC address of the device that forwarded the packet to you and not necessarily the MAC of the device that originated the packet.

HTH

Rick

Hall of Fame Super Gold

Re: mac address

How do you make an ACL that logs MAC? What I get from mines is like:

Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet

Hall of Fame Super Silver

Re: mac address

Paolo

I am not clear whether your access list is configured with log (I think this is probably what you have) or with log-input. Here is an example of one of our access lists using log-input:

Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets

HTH

Rick

Hall of Fame Super Gold

Re: mac address

Yes, I was using "log". I didn't even knew of "log-input". Thanks for clarifying.

Options with partial naming overlap are a great source of confusion, but apparently cisco doesn't care :(

Hall of Fame Super Silver

Re: mac address

Paolo

Yes name overlap can generate quite a bit of confusion. The one that I sometimes see is:

no exec (which stops the exec process on a console or vty)

no exec-timout (which disables the inactivity timeout on a console or vty)

Every once is a while I run into someone who has a console or a vty that appears to be dead but turns out to have no exec configured.

HTH

Rick

114
Views
5
Helpful
7
Replies