MAC address tracking with NMS

Let’s assume that I have a port open on my Cisco switch for guest users and I would like to keep track of new MAC addresses that are learned on that port and existing MAC addresses that are removed from it.

I have an NMS (Network Management System) capable of receiving SNMP traps, which sends me an e-mail alert whenever one of the situations above happens.

For this test I used the following values (all placeholders; the community string in particular should be replaced with a non-guessable one):
– Cisco switch L3 interface from which the SNMP traps will be sent: Lo10, 2.2.2.2 /32
– Cisco switch L2 port on which I want to track MAC address changes: Fa0/10
– NMS IP address: 172.31.82.254
– SNMP community string: Cisco

OK, this is a simple example, but it can be useful in some situations or for Cisco exam preparation.

First let’s bring the Lo10 interface UP and configure its IP address. Keep in mind that the switch needs an L3 interface with an IP address to source the traps from; without one, the snmp-server configuration is accepted but no trap ever leaves the box. A loopback is the usual choice because it never goes down, and you can pin it explicitly with snmp-server trap-source Loopback10 so the NMS always sees the same sender address.

interface Loopback10
 ip address 2.2.2.2 255.255.255.255

Next, I’ll configure the SNMP part: the trap receiver (the NMS) with its community string, and the trap type we want the switch to generate. Note that snmp-server host defaults to SNMPv1; the community travels in cleartext in every trap, so use version 2c or, if your NMS supports it, version 3 with authentication:

SW(config)#snmp-server host 172.31.82.254 traps Cisco
SW(config)#snmp-server enable traps mac-notification

The per-port part is configured under the interface (Fa0/10 in this case). The question mark shows the available options:

SW(config-if)#snmp trap mac-notification change ?
  added    Enable Mac Address added notification for this port
  removed  Enable Mac Address removed notification for this port

You can use both options if you want notifications for both learning and removal of MAC addresses, or either one separately. I used both for this test: snmp trap mac-notification change added and snmp trap mac-notification change removed.

Let’s verify that the configuration is applied correctly. Look at the first line of the output below: the interface shows both traps Enabled, but the feature itself is still Disabled on the switch. The interface commands only select which ports report; the MAC notification feature has to be enabled globally with mac address-table notification change (on older IOS releases mac-address-table notification) before a single trap is sent, so this output means the switch is not yet actually sending anything:

SW#show mac address-table notification change interface fa0/10
MAC Notification Feature is Disabled on the switch
Interface            MAC Added Trap MAC Removed Trap
---------            -------------- ----------------
FastEthernet0/10     Enabled        Enabled
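Putting all of the steps together, here is the complete working configuration as an added example (it is not the configuration from the original post). It adds the two things the post's own steps leave out: the global mac address-table notification change command that the verification output above shows was still missing, and a trap-source so the NMS always sees the loopback address. The addresses and the community string are the placeholders from this post; SNMPv2c and a one-second aggregation interval are my assumptions.

```cisco
! Added example: complete configuration for MAC-notification traps.
! Placeholders from the post: Lo10 2.2.2.2/32, NMS 172.31.82.254, community "Cisco".
!
! 1. L3 interface that sources the traps (a loopback never goes down)
interface Loopback10
 ip address 2.2.2.2 255.255.255.255
!
! 2. Trap receiver and trap type. Version 2c is assumed; no snmp-server community
!    is needed for sending traps, so polling stays closed unless you open it.
snmp-server trap-source Loopback10
snmp-server host 172.31.82.254 traps version 2c Cisco
snmp-server enable traps mac-notification change
!
! 3. Global enable. Without this the per-port settings do nothing and
!    "show mac address-table notification change" reports the feature Disabled.
!    The interval (seconds, assumed 1 here) batches several MAC changes into one trap.
mac address-table notification change
mac address-table notification change interval 1
!
! 4. Per-port selection of the events to report
interface FastEthernet0/10
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
!
! 5. Verification: the first line should now read
!    "MAC Notification Feature is Enabled on the switch", and the
!    global form shows interval, history size and sent-trap counters.
! show mac address-table notification change interface fa0/10
! show mac address-table notification change
```

After applying it, connect a host to Fa0/10 and watch the sent-trap counter in the global show command increase; if the counter moves but the NMS sees nothing, the problem is on the path (ACL, firewall, UDP/162) or in the NMS community/version settings, not in the switch configuration.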

I find this helpful for open ports that require special attention when, for some reason, you cannot use a technique like dot1x or lock them down to a static MAC address. Keep in mind that this is an audit trail, not access control: a MAC address is trivially spoofed, so the trap tells you that something new appeared on the port, not that it is the device you expect.