Showing results for 
Search instead for 
Did you mean: 
Jafar Tavana




One of the best practice for sysadmins is to know which user now connected to which switches and before it that user connected to where.

its good when you wont block MAC Address to move here ports or switches but you want to know when a user move here device from one port to another port or one switch to another switch.

we can prevent  movement of users PC or LapTop or any devices from one port to another port of switch or by limiting MAC Address per port we can add new limitation layer , but as we know if we enable port security for example for one switches(All ports) and set MAX-Port to 1 MAC Address, if users connect her PC to one port that not used yet, it can connect to switch or network without any problem. but we can set our switches to store information of users MAC Address connected to which ports and removed from which port, its can be another good feature for adding another layer in term of security analyze. 

in this plan we need a SNMP Server or syslog Server to catch the logs of MAC Address they received from switches and we can in the end see users MAC Address from output of the server.

Switch configuration:

its not matter how many switch you have in your corporate, just you need to configure all of that(in fact every switch you need to get MAC Address changed log) to send MAC-Address Table change to syslog Server 


Snmp-­server host traps private


and then we must enable MAC notifications to send visa SNMP Traps via this command:


Snmp­-server enable traps mac­-notification


Enable mac Address notification over switch:

Mac­-address-­table notification


after that we want send MAC Changes every 5min to NMS:


Mac­-address­-table notification interval 300


as you know by default cisco switches send SNMP Traps every 1 second and maximum buffer size is just for 1 MAC Address, so we need to change MAC Address buffer size to store more address and then send all of address stored in buffer to NMS. 


Mac-­address­-table notification history-­size 200


at this point we configure general configuration of switch then in the next step we need to configure ports to send which type of MAC Address change, in fact we have two type of MAC Address type: Add/Remove 


int f0/1

snmp trap mac-notification added 

snmp trap mac-notification removed.


your task for configure switch is over and know for sure about your configuration you can view there via this command: 


Show mac­-address-­table notification interface f0/1

Show mac­-address­-table notification





Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers