[unisog] Getting ARP tables from Cisco switches via snmp -- slightly OT

greg gaustad gaustad at eng.utoledo.edu
Wed Jan 7 21:23:31 GMT 2004


Getting mac addresses per port from a switch is not a simple matter.
There are two broad solutions:

1.) Get information by polling for older switches which do not support
    solution # 2 below.  I think that mac-notification became supported
    in CATOS 6 and above.

    "How To Get Dynamic CAM Entries (CAM Table) for Catalyst Switches Using SNMP"
    Document ID: 13492
    on the Cisco web page

2.) Event driven by the mac-notification mib which sends via SNMP traps
   (which will include other trap info and requires parsing)

I have crude code to do both of the above, and get and combine with
macaddress-ipaddress assignments and name-ipaddress that I can share,
if you are interested.

Greg Gaustad
Engineering College Computing
Voice:	419-530-8023
email:	gaustad at eng.utoledo.edu
Office:	NI 1010
>From: Russell Fulton <r.fulton at auckland.ac.nz>
>Date: Thu, 08 Jan 2004 08:47:12 +1300
>Seasons Greetings to All,
>Does anyone know the OID to retrieve ARP tables from Cisco switches?
>We are working on a project to maintain a map of MAC, IP addrs and
>switch ports in a database that we can easily interrogate (even if the
>machine we are looking for is not on line).  We discovered the need for
>this during the frenzy of patching in the latter part of last year when
>we had frequent problems with tracking down vulnerable machines.
>We have long maintained a database built from the ARP tables of the
>routers that allows us to keep track of the mapping on MAC to IP and we
>want to extend this out to the edge switches.
>We can get the data by logging in and using command line functions to
>dump the tables but would much prefer to get the information via snmp. 
>The problem is that we cannot find the OID to access the tables on our
>cisco switches.  We have used snmp_walk to go through the mib but have
>not found anything.  Cisco must be using different naming conventions
>within the mib between the routers and switches.  Sigh....
>Cheers and thanks, Russell
>Russell Fulton                                    /~\  The ASCII
>Network Security Officer                          \ /  Ribbon Campaign
>The University of Auckland                         X   Against HTML
>New Zealand                                       / \  Email!
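
An added example of the polling approach (solution 1) discussed in this thread, not code from either poster: it joins a switch's forwarding table, its port names and a router's ARP cache on the MAC address to produce the MAC, IP and switch-port map. It assumes numeric net-snmp `snmpwalk -On` output and the standard BRIDGE-MIB, IF-MIB and ipNetToMedia columns; the sample lines, addresses and port names are constructed.

```python
import re

# Standard MIB columns (numeric, as printed by net-snmp `snmpwalk -On`).
FDB_PORT   = ".1.3.6.1.2.1.17.4.3.1.2"  # BRIDGE-MIB dot1dTpFdbPort, index = MAC octets
BASE_IFIDX = ".1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex
IF_NAME    = ".1.3.6.1.2.1.31.1.1.1.1"  # IF-MIB ifName
ARP_PHYS   = ".1.3.6.1.2.1.4.22.1.2"    # ipNetToMediaPhysAddress, index = ifIndex.IP

# Constructed sample output; on Catalysts the bridge walk is repeated per VLAN
# (community string indexing, community@vlan).
SWITCH_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.16.164.18.52.86 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.0.16.164.171.205.239 = INTEGER: 7
.1.3.6.1.2.1.17.1.4.1.2.5 = INTEGER: 10005
.1.3.6.1.2.1.31.1.1.1.1.10005 = STRING: Fa0/5
"""
ROUTER_WALK = ".1.3.6.1.2.1.4.22.1.2.3.192.0.2.10 = Hex-STRING: 00 10 A4 12 34 56\n"

LINE = re.compile(r"^(\.[\d.]+) = ([\w-]+): (.*)$")

def column(walk, base):
    """Return {index suffix: value} for the rows under one column OID."""
    rows = {}
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1).startswith(base + "."):
            rows[m.group(1)[len(base) + 1:]] = m.group(3).strip().strip('"')
    return rows

def mac_port_map(switch_walk, router_walk):
    """Join forwarding table, port names and router ARP cache on the MAC."""
    bridge_to_if = column(switch_walk, BASE_IFIDX)
    names = column(switch_walk, IF_NAME)
    ip_by_mac = {":".join(v.lower().split()): idx.split(".", 1)[1]
                 for idx, v in column(router_walk, ARP_PHYS).items()}
    result = []
    for idx, bport in column(switch_walk, FDB_PORT).items():
        mac = ":".join(f"{int(o):02x}" for o in idx.split("."))
        ifidx = bridge_to_if.get(bport)  # missing when the bridge port has no ifIndex row
        result.append({"mac": mac,
                       "port": names.get(ifidx, f"bridge-port-{bport}"),
                       "ip": ip_by_mac.get(mac)})  # None: MAC not in the ARP cache
    return result

if __name__ == "__main__":
    for row in mac_port_map(SWITCH_WALK, ROUTER_WALK):
        print(row)
```

Rows whose `ip` is `None` are hosts the switch has seen but the router has no current ARP entry for, which is why the map is kept in a database rather than read live.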
