Mac Address per Port

[VonRC]

Is it possible to count the number of mac addresses for a given port on a Cisco device and graph it over time? I'm trying to find rouge hubs before I turn on port security and limit to 1 per port.

RC

[TheWitness]

That's an interesting thought...

TheWitness

[VonRC]

That's an interesting thought...

Ya, I thought so too. Do you think it might work?

RC

[TheWitness]

Yes, it lines up with a port inventory feature that I have been convinced is appropriate method to extend the capabilities of the system. However, my creative juices are a bit drained at the moment.

Looking for more inspiration.

TheWitness

[egarnel]

Is it possible to count the number of mac addresses for a given port on a Cisco device and graph it over time? I'm trying to find rouge hubs before I turn on port security and limit to 1 per port.

RC

Another way to do this is to turn on switchport port-security and use the restrict mode , it will generate snmp (IOS deps) and you can capture it in the logs. We do this and make use of the alerts feature in the syslog plugin to send emails whenever port security gets tripped.



[/code]

[VonRC]

Looking for more inspiration.

*good thoughts, good thoughts, good thoughts*

does that help?

RC

[VonRC]

broken post

[VonRC]

A few obvious things:
1. The CAM table has a list of all the MAC addresses and the port number they were learned on.
2. Port security has a method to track the MAC count to enforce the security policy.

Its easy to get the CAM table via SNMP but does port security have an entry in the tree somewhere or does it just calculate the number from the CAM table?

Help me out here. I

[TheWitness]

This information is already scanned in the current product.

TheWitness

[VonRC]

A few obvious things:
1. The CAM table has a list of all the MAC addresses and the port number they were learned on.
2. Port security has a method to track the MAC count to enforce the security policy.

It

[VonRC]

A few obvious things:
1. The CAM table has a list of all the MAC addresses and the port number they were learned on.
2. Port security has a method to track the MAC count to enforce the security policy.

It

[VonRC]

I can't get my post up on the system... It keeps cutting me off. One more try only I will type it in rather than copy paste...

A few obvious things:

1. The CAM table has a list of all the MAC addresses and the port number they were learned on.
2. Port secruity has a method to track the MAC count to enforce the security policy.

It's easy to get the CAM table fiaq SNMP but doesn port security have an entry in the tree somewhere or does it just calculate the number from the CAM table?

Help me out here. I'm not sure if I'm gong to make this understandable.

We can get the CAM table and put it in a Temp SQL table and run a query something like this on it;

select port_id
count (port_id) AS NumOccurrences
from temptable
group by port_id

Once we have the NumOccurrences we could shove that in to a real table in the SQL server with a time stamp and switch id. From there it would be just a matter of getting the data back out and graphing it.

The problem is I just don't know how to put it all together and make it work.

RC

[TheWitness]

Did you not read my prior post?

[VonRC]

Did you not read my prior post?

ya, I did, I was just very frustrated that I couldn't get my post to work so I wasn't going to give in to it. I won!

RC

[TheWitness]

lol. The forum's been having issues lately. Looks like the site was down for a little bit today. Although, truth be known, I think there were some DNS issues on the web this morning.

TheWitness