[unisog] Getting ARP tables from Cisco switches via snmp -- slightly OT
gaustad at eng.utoledo.edu
Wed Jan 7 21:23:31 GMT 2004
Getting mac addresses per port from a switch is not a simple matter.
There are two broad solutions:
1.) Get information by polling for older switches which do not support
solution # 2 below. I think that mac-notification became supported
in CATOS 6 and above.
"How To Get Dynamic CAM Entries (CAM Table) for Catalyst Switches Using SNMP"
Document ID: 13492
on the Cisco web page
2.) Event driven by the mac-notification mib which sends via SNMP traps
(which will include other trap info and requires parsing)
I have crude code to do both of the above, and get and combine with
macaddress-ipaddress assignments and name-ipaddress that I can share,
if you are interested.
Engineering College Computing
email: gaustad at eng.utoledo.edu
Office: NI 1010
>From: Russell Fulton <r.fulton at auckland.ac.nz>
>To: unisog at sans.org
>Date: Thu, 08 Jan 2004 08:47:12 +1300
>Subject: [unisog] Getting ARP tables from Cisco switches via snmp -- slightly OT
>Seasons Greetings to All,
>Does anyone know the OID to retrieve ARP tables from Cisco switches?
>We are working on a project to maintain a map of MAC, IP addrs and
>switch ports in a database that we can easily interrogate (even if the
>machine we are looking for is not on line). We discovered the need for
>this during the frenzy of patching in the latter part of last year when
>we had frequent problems with tracking down vulnerable machines.
>We have long maintained a data base built from the ARP tables of the
>routers that allows us to keep track of the mapping of MAC to IP and we
>want to extend this out to the edge switches.
>We can get the data by logging in and using command line functions to
>dump the tables but would much prefer to get the information via snmp.
>The problem is that we cannot find the OID to access the tables on our
>cisco switches. We have used snmp_walk to go through the mib but have
>not found anything. Cisco must be using different naming conventions
>within the mib between the routers and switches. Sigh....
>Cheers and thanks, Russell
>Russell Fulton /~\ The ASCII
>Network Security Officer \ / Ribbon Campaign
>The University of Auckland X Against HTML
>New Zealand / \ Email!
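Added example, not part of either message and not the poster's code: a sketch of the polling approach (solution 1) that joins a switch's forwarding table with a router's ARP table into a MAC -> (IP, port) map. The OIDs are the standard BRIDGE-MIB, IF-MIB and IP-MIB columns (the thread names none), the snmpwalk output is constructed sample data, and the function names and the uplink_threshold heuristic are assumptions.

```python
import re
from collections import Counter

# Standard MIB columns (my choice; the thread itself names no OIDs).
FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2."      # dot1dTpFdbPort, index = MAC as 6 decimal octets
BASE_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex, index = bridge port
IF_NAME = ".1.3.6.1.2.1.31.1.1.1.1."       # ifName, index = ifIndex
ARP_MAC = ".1.3.6.1.2.1.4.22.1.2."         # ipNetToMediaPhysAddress, index = ifIndex.IP
LINE = re.compile(r"^(\.[\d.]+) = (?:[\w-]+: )?(.*)$")

# Constructed sample `snmpwalk -On` output (not captured from a real device).
SWITCH_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.102 = INTEGER: 25
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.119 = INTEGER: 25
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.136 = INTEGER: 25
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.25 = INTEGER: 10025
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Fa0/3
.1.3.6.1.2.1.31.1.1.1.1.10025 = STRING: Gi0/1
"""
ROUTER_WALK = """\
.1.3.6.1.2.1.4.22.1.2.1.192.0.2.10 = Hex-STRING: 00 11 22 33 44 55
"""

def column(walk, prefix):
    """Return {index_suffix: value} for one table column of numeric walk text."""
    out = {}
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).startswith(prefix):
            out[m.group(1)[len(prefix):]] = m.group(2).strip().strip('"')
    return out

def build_map(switch_walk, router_walk, uplink_threshold=2):
    """Join switch forwarding entries with router ARP entries: {mac: (ip, port)}."""
    ports = column(switch_walk, FDB_PORT)
    ifindex = column(switch_walk, BASE_IFINDEX)
    names = column(switch_walk, IF_NAME)
    arp = {v.lower().replace(" ", ":"): k.split(".", 1)[1]
           for k, v in column(router_walk, ARP_MAC).items()}
    per_port = Counter(ports.values())
    result = {}
    for idx, port in ports.items():
        if per_port[port] <= uplink_threshold:  # more MACs than this: uplink/trunk, skip
            mac = ":".join(f"{int(octet):02x}" for octet in idx.split("."))
            name = names.get(ifindex.get(port, ""), f"bridge-port-{port}")
            result[mac] = (arp.get(mac), name)
    return result
```

A MAC with no ARP entry maps to an IP of None, which is the "seen on a port but not currently in the router's table" case the original question wants to keep queryable.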