Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
638
Views
5
Helpful
1
Replies

Difficulties retrieving attached device MAC addresses from switches

zaheerali43958
Level 1
Level 1

‎07-16-2022 01:41 AM

We have hundred of mostly CISCO switches and I'm trying to track down all the MAC addresses (latest would be good enough) seen by all the switchports. I've been using this command, which seems to work most of the time:

snmpbulkwalk -v2c -c $community@$vlan -OXsq -m BRIDGE-MIB $switch .1.3.6.1.2.1.17.4.3.1.2

Given a specific switch, switchport, and module, I've previously queried for the VLAN (using OID 1.3.6.1.4.1.9.5.1.9.3.1.3.${module}.${portnum}) and then parse the output to locate the port I'm looking for, which provides the accompanying MAC address; e.g.

...
dot1dTpFdbPort[f0:4d:a2:70:f8:b8] 24
dot1dTpFdbPort[f0:4d:a2:70:fc:d0] 24
dot1dTpFdbPort[f0:4d:a2:70:fe:c8] 24
dot1dTpFdbPort[f8:bc:12:38:55:f0] 3
dot1dTpFdbPort[f8:bc:12:3a:1b:c] 2
dot1dTpFdbPort[f8:bc:12:3f:4b:d0] 4
dot1dTpFdbPort[f8:bc:12:3f:d4:20] 5
dot1dTpFdbPort[f8:bc:12:40:79:30] 6
dot1dTpFdbPort[f8:bc:12:40:83:a0] 1
dot1dTpFdbPort[f8:bc:12:54:25:58] 11
dot1dTpFdbPort[f8:bc:12:54:34:58] 12
dot1dTpFdbPort[f8:bc:12:54:38:b8] 10
dot1dTpFdbPort[f8:bc:12:54:9c:f8] 8
...

Based on spot checking, the switchport is the number on the right, with the attached device MAC address in the square brackets just to the left of this.

Unfortunately I can't seem to find any good documentation on the snmpbulkwalk command, nor is the Cisco description of the OID (dot1dTpFdbPort) particularly illuminating. In particular, is it showing me the last MAC address seen, or what's currently attached?

Now for the real issue. I'm noticing this works when the port module is 1 (e.g. for switchblade7-1/14), but when I give it a switch where the ports are on module 2 (e.g. switchblade6-2/6), the port information returned by the snmpbulkwalk command is spurious; e.g.

dot1dTpFdbPort[0:8:5d:37:6b:d4] 78
dot1dTpFdbPort[0:a:f7:e2:83:f6] 78
dot1dTpFdbPort[0:a:f7:e2:a3:64] 78
dot1dTpFdbPort[0:18:8b:7a:93:2b] 78
dot1dTpFdbPort[0:18:8b:7a:94:fe] 78
dot1dTpFdbPort[0:1c:23:e2:bc:30] 78
dot1dTpFdbPort[0:1d:9:66:3f:11] 78
dot1dTpFdbPort[0:1d:9:66:3f:c0] 78
dot1dTpFdbPort[0:1d:9:66:41:7d] 78
dot1dTpFdbPort[0:1d:9:66:42:bd] 78
...

In this case, the number is always 78, so I have no way of telling which port goes with which MAC address. Presumably there's a way to perform the query specifying a module (a bit unsure about the terminology) for stacked switches, but I can't find anything documenting what this would be.

Any suggestions welcome. For secured ports I'm able to use the OID 1.3.6.1.4.1.9.9.315.1.2.3.1.5.${ifindex} to get a table of attached MAC addresses, but several hundred of our switchports are not secured.

Link
Labels:
1 Reply 1

Georg Pauwen
VIP
VIP

‎07-16-2022 12:58 PM

Hello,

the number (78) has something to do with the value of the dot1dBasePort. To convert this value to the actual interface, I think you have to use the BRIDGE-MIB. Check the link below:

https://networkengineering.stackexchange.com/questions/2900/using-snmp-to-retrieve-the-arp-and-mac-address-tables-from-a-switch

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card