Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1308
Views
15
Helpful
11
Replies

Obtaining Layer 2 MAC Address

ShoreSempai
Level 1
Level 1

‎05-10-2021 11:25 AM

I am working with a partner who needs the original MAC Address of devices on a subnet.  Current traffic is being forwarded from our core switch, but due to how Layer 2 works, the original MAC Address of the device is not forwarded when the traffic gets to the core switch (i.e traverses the subnet gateway).

 

I am wondering if there is any possible means to obtain the original MAC address of a device on a subnet?  I have spent hours looking at ARP, MAC Address Tables, CDP and other approaches.  I know there are vendors out there who are getting the MAC address of devices on subnets for asset fingerprinting, so I know it is possible - but cannot figure out how.

 

I am open to any approach that is practical and was hoping someone here would have some ideas or could point me in the right direction.  My hope is to find a solution that solves the issue while, if at all possible, being easy to deploy.

 

I am open to using an API or other approach - but I am new to this world and seems like my attempts all end in dead ends.

 

Truly appreciate your thoughts and ideas - thank you!!!

Labels:
0 Helpful
11 Replies 11

balaji.bandi
Hall of Fame
Hall of Fame

‎05-10-2021 01:03 PM 

I am wondering if there is any possible means to obtain the original MAC address of a device on a subnet?  I have spent hours looking at ARP, MAC Address Tables, CDP and other approaches.  I know there are vendors out there who are getting the MAC address of devices on subnets for asset fingerprinting, so I know it is possible - but cannot figure out how.

is this device still connected to the network? once ARP Flushed you can not get that MAC Address ? until you are doing any DHCP reservation to get MAC Address? or internal track of reservation IPAM so on.

 

 

I

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ShoreSempai
Level 1
Level 1

‎05-10-2021 01:45 PM

Hi -

 

Yes, in this scenario the device is still connected or would reconnect at some point.  More than likely, because this is a critical infrastructure environment the device would have a static IP although I would need to solve for both dynamic and static.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to ShoreSempai

‎05-10-2021 02:19 PM

To find the MAC Address :

 

First, you need to get the IP ARP results from where Layer 3 residing on that network.

Then find where this MAC address learning from 

Login to the destination switch issue show mac add xxx.xxx.xxxx then you see the results where it connecting.

 

come to your issue - need to look any ACL or any routing issue 

I am working with a partner who needs the original MAC Address of devices on a subnet.  Current traffic is being forwarded from our core switch, but due to how Layer 2 works, the original MAC Address of the device is not forwarded when the traffic gets to the core switch (i.e traverses the subnet gateway).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ShoreSempai
Level 1
Level 1
In response to balaji.bandi

‎05-10-2021 02:23 PM

Thanks but I am trying to do this in an automated fashion - where someone does not have to login into a system, but rather the CISCO system can provide the details either through an API or other means.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to ShoreSempai

‎05-10-2021 03:08 PM

If you like to do automated fashion, you can use SSH, to do this, or is your devices support REST API ? what kind of environment you have with device models?

 

you can find many netconf, yang or rest api examples in devnet forumm

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ShoreSempai
Level 1
Level 1
In response to balaji.bandi

‎05-10-2021 03:29 PM

Actually I can do any of those - SSH or REST - I will check into the device forums and see what I can find.  THANK YOU!

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to ShoreSempai

‎05-11-2021 02:31 AM

until we know what is this device? what IOS code running, we are out of the option to suggest you for now.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ShoreSempai
Level 1
Level 1
In response to balaji.bandi

‎05-11-2021 06:10 AM

The challenge is that this is for a variety of different environments - so there is no one device.  The goal is to provide the solution as a means to identify network assets and fingerprint them - we can use a combination of SNMP, CDP, LLDP but we were hoping that there was a simple way to use IOS or other means to query for the MAC Address Table.    We know others have done something similar, but it seems inefficient that we would need a different approach for each network device.

0 Helpful

paul driver
VIP
VIP

‎05-11-2021 12:23 AM

Hello

@ShoreSempai wrote:
I am wondering if there is any possible means to obtain the original MAC address

Yes you can -  ping the device from the L3 core switch, then show the arp for that ip address -  sh arp | in x.x.x.x this will provide you with the original mac- address of the host.

You could then  from the core switch use the show mac address address xxxx.xxx.xxxx to trace the host down to the particualr switch and its switchport it resides on.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ShoreSempai
Level 1
Level 1
In response to paul driver

‎05-11-2021 06:11 AM

This is very helpful - if we can do this via an API or other means without being on the device it would be great.  Though one challenge is that many devices today are turning of ICMP requests I believe.  Thank you!

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎05-11-2021 08:21 AM

Whatever device is the 1st L3 hop should have an ARP containing all the hosts using it, their IPs and MACs.

Many such devices, that would be such a 1st L3 hop, likely support SNMP, and, if so, I suspect you can obtain the ARP table contents that way.

Alternative approaches would also include such screen scraping console/virtual-terminal access or other more "advanced" API.  However, likely SNMP access would be more available or more uniform.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents