Mac move question

nawas
Level 4

I enabled the mac move feature so that I can track when people move their PC from their desk to a different desk, or whenever a big move occurs in the organization, but after enabling it this feature doesn't look to be very useful. I get tons of mac move syslogs whenever a user logs in to his PC.

Sep 29 08:05:35.450: %C4K_EBM-4-HOSTFLAPPING: Host 00:xx:bb:XX:0E:3e in vlan 890 is moving from port Po55 to port Gi6/17
Po55 is the uplink port of the switch. I want to be able to see a syslog entry only when a user moves from one switchport to another switchport (not the uplink port). Is it possible or doable? My configuration for mac move is:
snmp-server host x.x.x.x traps public mac-notification
snmp-server enable traps mac-notification move
mac address-table notification mac-move

4 Replies

danrya
Level 1

The "mac-address-table notification mac-move" command causes the switch to generate a syslog when a mac-address changes ports.  It doesn't generate a syslog when a mac-address is added or removed from the CAM table.  So, that means that this address was in the CAM table and pointed to the uplink, and then moved to the Gig port.

It sounds like that's what you're getting and what you're looking for.  Why would the user move from the uplink to a local port?  Was the user connected to another switch and then moved to this port on this switch?  Can you look for this user in the syslog and see what "other" switch they were connected to?  If this is a wireless user, they could move quite often between APs.  If the APs are bridging, then you'll see the MAC from the client moving between APs (or uplinks).

Dan

"The "mac-address-table notification mac-move" command causes the switch to generate a syslog when a mac-address changes ports.  It doesn't generate a syslog when a mac-address is added or removed from the CAM table.  So, that means that this address was in the CAM table and pointed to the uplink, and then moved to the Gig port."

I agree. This is what I want, but I don't want to see when an address moves from Po55; I want to see when an address moves from any other physical switch port.

"Why would the user move from the uplink to a local port? "

It's because I have NAC enabled: a user would be in the dirty VLAN to begin with and then get authenticated into a clean VLAN, and Po55 (the uplink) is the one sending the communication to the Cisco CAS.

So my question is: is there a way I can filter the mac notification move from the virtual port (Po55 in my case) but let it notify me from other physical ports?

I know I'm being complicated. Thank you all for the help though.

I don't know of a way to "disable it" on an interface.  But you can filter the syslogs to only send the ones you want.  Like you said, "I know I'm being complicated", it will not be an easy thing to do.  That's a joke, you're not being complicated, I understand why you're trying to do this, and unfortunately it's not easy to accomplish "exactly" what you want.

Take a look at "Embedded Syslog Manager (ESM)"; it might allow you to filter the syslogs so any containing "Po55" are not sent.

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_esm_syslog.html#wp1059491

Dan
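The filtering Dan describes can also be done on the collector that receives the syslog, rather than on the switch with ESM. The following is an added example, not code from the thread or from Cisco: it parses %C4K_EBM-4-HOSTFLAPPING lines and keeps only moves where neither the old nor the new port is an uplink (Po55 from the thread; the other sample lines and MAC addresses are constructed).

```python
import re

# Constructed sample input. The first line mirrors the format the poster showed;
# the rest are made up to exercise the filter.
SAMPLE_LOGS = [
    "Sep 29 08:05:35.450: %C4K_EBM-4-HOSTFLAPPING: Host 00:xx:bb:XX:0E:3e in vlan 890 "
    "is moving from port Po55 to port Gi6/17",
    "Sep 29 08:07:12.001: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:55 in vlan 890 "
    "is moving from port Gi6/17 to port Gi6/21",
    "Sep 29 08:09:40.113: %C4K_EBM-4-HOSTFLAPPING: Host 00:11:22:33:44:66 in vlan 890 "
    "is moving from port Gi6/21 to port Po55",
    "Sep 29 08:10:00.000: %SYS-5-CONFIG_I: Configured from console by admin",
]

# Matches the message body of a HOSTFLAPPING entry and captures the fields we need.
HOSTFLAPPING_RE = re.compile(
    r"%C4K_EBM-4-HOSTFLAPPING: Host (?P<mac>\S+) in vlan (?P<vlan>\d+) "
    r"is moving from port (?P<src>\S+) to port (?P<dst>\S+)"
)


def parse_hostflapping(line):
    """Return {'mac', 'vlan', 'src', 'dst'} for a HOSTFLAPPING line, else None."""
    m = HOSTFLAPPING_RE.search(line)
    return m.groupdict() if m else None


def is_uplink(port, uplinks, port_channels_are_uplinks=True):
    """True if the port is a listed uplink or (optionally) any port-channel."""
    if port in uplinks:
        return True
    return port_channels_are_uplinks and port.startswith("Po")


def edge_to_edge_moves(lines, uplinks=("Po55",)):
    """Keep only moves where both the old and the new port are access ports.

    A move to or from the uplink means the host was learned via another switch
    (or via the NAC path the poster describes), which is the noise to suppress.
    """
    kept = []
    for line in lines:
        rec = parse_hostflapping(line)
        if rec is None:
            continue  # not a mac-move message at all
        if is_uplink(rec["src"], uplinks) or is_uplink(rec["dst"], uplinks):
            continue  # involves the uplink: suppress
        kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in edge_to_edge_moves(SAMPLE_LOGS):
        print(f"ALERT: {rec['mac']} vlan {rec['vlan']} moved {rec['src']} -> {rec['dst']}")
```

Only the second sample line survives the filter; the move off Po55 and the move onto Po55 are both dropped, and the non-HOSTFLAPPING line is ignored.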

blue phoenix
Level 1

Hi,

Under this link:

https://cciedatacentre.blogspot.co.uk/2014/03/loop-detection-mac-move-notification-in.html

It says the notification happens if the MAC moves from one port of the switch to another port.  It means it can detect MAC moves between ports on the same switch.  This is the normal behaviour, since if you issue show arp and then show mac address-table address <xxx.yyyy.zzz>, you will also be pointed to the uplink or port-channel, which means the host resides on another switch.

So the only way you will know where the old port is, is by tracing the MAC address using the show mac address-table address <mac-address> command.

Cheers,
