Using SNMP to retrieve the ARP and mac-address tables from a switch

  • I would like to get ARP tables from a switch to a syslog-ng server that has been set up on Ubuntu Server 12.04 LTS. I have read about SNMP and I know the server will act as a manager and the switch as an agent. I have details as to where the MIB is contained, and I must use the command

    snmpwalk -v2c -c <community> <SwitchIP> .1.3.6.1.2.1.17.4.3.1.2
    

    I want the resulting ARP tables to be directed to my server.

    My problem is that I don't know where exactly to run the command, or save the output to a file.

    Hi, adding information to a database is off-topic... [su] is a good place to ask if you need help modifying a database. If you don't mind deleting that portion of the question, we can reopen it.

    I have modified my question

    What do you mean by "place the ARP tables into the server"?

    The ARP tables will be generated by the switch, but I want them viewed from the server.

    What if we told you how to put them in a text file... is that ok?

    Yes, it's acceptable.

    What brand and type of switch are you talking about? Availability of ARP tables via SNMP may differ per implementation. Also, is this a layer 3 switch, or are you really interested in ARP on a switch?

    It's a layer 3 switch, Cisco Cat2960.

  • There seems to be a little confusion... you are asking about ARP tables, and you're using OID .1.3.6.1.2.1.17.4.3.1.2; however, that OID actually is for the mac-address table in the switch.

    I am assuming you know how to login to your Ubuntu server, and that NET-SNMP is installed... please let me know if you need pointers for doing this (see this question for hints about loading MIBs in linux). Some of my examples assume you have the MIBs loaded on your server... you just need to remove the -m <mib-name> option in the commands if you don't have the MIBs loaded locally.

    I apologize in advance for the length of this answer... I wish polling with SNMP wasn't as complicated...

    Polling the mac-address table:

    If you really want the mac-address table from the switch, then remember you have to change the community string you poll with... it should be in the form of <community>@<vlan-id>... each vlan you poll needs a different community.

    In my example below, the switch at 172.16.1.210 is configured with snmp-server community public ro, and I'm polling the mac-address table in vlan-10 with dot1dTpFdbPort from BRIDGE-MIB.

    $ snmpbulkwalk -v 2c -c public@10 -OXsq 172.16.1.210 \
      .1.3.6.1.2.1.17.4.3.1.2
    dot1dTpFdbPort[0:6:53:fe:39:e0] 52
    dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
    dot1dTpFdbPort[0:30:1b:bc:a7:d7] 52
    dot1dTpFdbPort[0:80:c8:0:0:0] 52
    dot1dTpFdbPort[38:ea:a7:6d:2e:8e] 52
    dot1dTpFdbPort[80:ee:73:2f:b:40] 52
    $
    

    In the output above, 52 is the value of dot1dBasePort, which is a number the MIB uses to index the dot1dTp table. To translate that into a normal interface name, you have to map that to an ifName... BRIDGE-MIB does that with dot1dBasePortIfIndex...

    $ snmpbulkwalk -v 2c -c public@10 -m BRIDGE-MIB 172.16.1.210 \
      .1.3.6.1.2.1.17.1.4.1.2
    BRIDGE-MIB::dot1dBasePortIfIndex.52 = INTEGER: 10048
    $
    $ snmpget -v 2c -c public 172.16.1.210 ifName.10048
    IF-MIB::ifName.10048 = STRING: Fa0/48
    $
    

    Thus we know that all the mac-addresses on this switch were learned through FastEthernet 0/48 in vlan-10.

    Polling the active Vlans:

    If you're not sure which vlans to poll on a switch, you can get that information from .1.3.6.1.4.1.9.9.46.1.3.1.1.2, which is vtpVlanState in the CISCO-VTP-MIB...

    $ snmpbulkwalk -v 2c -c public -OXsq -m CISCO-VTP-MIB 172.16.1.210 \
       .1.3.6.1.4.1.9.9.46.1.3.1.1.2
    vtpVlanState[1][1] operational
    vtpVlanState[1][10] operational
    vtpVlanState[1][1002] operational
    vtpVlanState[1][1003] operational
    vtpVlanState[1][1004] operational
    vtpVlanState[1][1005] operational
    $
    

    Keep in mind that Vlans 1002-1005 are internal Cisco Vlans that you should not poll.

    Polling the ARP table

    If you really want the ARP table from the switch, then you need to poll atPhysAddress...

    $ snmpbulkwalk -v 2c -c public -OXsq  172.16.1.210 \
      .1.3.6.1.2.1.3.1.1.2
    atPhysAddress[10][1.172.16.1.5] "80 EE 73 2F 0B 40 "
    atPhysAddress[10][1.172.16.1.25] "38 EA A7 6D 2E 8E "
    atPhysAddress[10][1.172.16.1.32] "BC 51 FE 50 16 F8 "
    atPhysAddress[10][1.172.16.1.200] "00 06 53 FE 39 E0 "
    atPhysAddress[10][1.172.16.1.210] "00 18 BA 51 5B 41 "
    $
    

    Saving command output to a file

    We're delving into areas that go outside the normal scope of this site, but to save the ARP table above to a file in /tmp/S01_ARP.txt, you'd add > /tmp/S01_ARP.txt to the end of the snmpbulkwalk above...

    $ snmpbulkwalk -v 2c -c public -OXsq  172.16.1.210 \
          .1.3.6.1.2.1.3.1.1.2 > /tmp/S01_ARP.txt
    $ cat /tmp/S01_ARP.txt
    atPhysAddress[10][1.172.16.1.5] "80 EE 73 2F 0B 40 "
    atPhysAddress[10][1.172.16.1.25] "38 EA A7 6D 2E 8E "
    atPhysAddress[10][1.172.16.1.32] "BC 51 FE 50 16 F8 "
    atPhysAddress[10][1.172.16.1.200] "00 06 53 FE 39 E0 "
    atPhysAddress[10][1.172.16.1.210] "00 18 BA 51 5B 41 "
    $
    

    As you see above, you can use cat in linux to get all output from a text file. NOTE: Some linux distributions (ahem... CentOS) clean out the /tmp directory on a monthly basis. You should use your HOME directory in linux to store the file. I don't remember Ubuntu cleaning out /tmp, but to be safe I'd avoid storing things there.

    Miscellaneous notes about SNMP...

    If you haven't loaded all Cisco's MIBs on your Ubuntu machine, then you should avoid using the -m <mib-name> flags in the snmpbulkwalk commands. Loading MIBs allows you to poll with an OID name, instead of the long dotted number...


    Reference information:

    I am including some show commands from the switch, in case you have questions about the CLI for the SNMP commands above...

    S01#sh ver | i IOS
    Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
    S01#
    S01#sh mac address-table dynamic
              Mac Address Table
    -------------------------------------------
    
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      10    0006.53fe.39e0    DYNAMIC     Fa0/48
      10    001d.a1cd.5346    DYNAMIC     Fa0/48
      10    0030.1bbc.a7d7    DYNAMIC     Fa0/48
      10    0080.c800.0000    DYNAMIC     Fa0/48
      10    38ea.a76d.2e8e    DYNAMIC     Fa0/48
      10    80ee.732f.0b40    DYNAMIC     Fa0/48
    Total Mac Addresses for this criterion: 6
    S01#
    S01#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  172.16.1.210            -   0018.ba51.5b41  ARPA   Vlan10
    Internet  172.16.1.200            0   0006.53fe.39e0  ARPA   Vlan10
    Internet  172.16.1.32             0   bc51.fe50.16f8  ARPA   Vlan10
    Internet  172.16.1.25             0   38ea.a76d.2e8e  ARPA   Vlan10
    Internet  172.16.1.5              1   80ee.732f.0b40  ARPA   Vlan10
    S01#
    

    The answer was useful. I would like to know the meaning of -OXsq just before the IP address.

    check `man snmpcmd` if you're on a Linux host and have Net-SNMP installed. Otherwise you can find this information here: http://net-snmp.sourceforge.net/docs/man/snmpcmd.html

    @MikePennington: Can you comment on the OIDs ipNetToMediaPhysAddress and ifPhysAddress? Specifically the semantic difference between these tables and atPhysAddress?

    In addition to the above, you can install netDB on that Ubuntu server and get more visibility on the ARP tables of several devices. http://netdbtracking.sourceforge.net/
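
Added example (not part of the original thread): a Python sketch that joins the `-OXsq` output of the two walks in the answer above, ARP (`atPhysAddress`) and mac-address table (`dot1dTpFdbPort`), to show which switch port each IP address sits behind. The sample text is copied from the answer's output; the function names and the `BASEPORT_IFINDEX` / `IFNAME` dictionaries are assumptions standing in for the `dot1dBasePortIfIndex` and `ifName` lookups.

```python
import re

# Sample snmpbulkwalk -OXsq output, copied from the answer above.
FDB = """\
dot1dTpFdbPort[0:6:53:fe:39:e0] 52
dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
dot1dTpFdbPort[0:30:1b:bc:a7:d7] 52
dot1dTpFdbPort[0:80:c8:0:0:0] 52
dot1dTpFdbPort[38:ea:a7:6d:2e:8e] 52
dot1dTpFdbPort[80:ee:73:2f:b:40] 52
"""
ARP = """\
atPhysAddress[10][1.172.16.1.5] "80 EE 73 2F 0B 40 "
atPhysAddress[10][1.172.16.1.25] "38 EA A7 6D 2E 8E "
atPhysAddress[10][1.172.16.1.32] "BC 51 FE 50 16 F8 "
atPhysAddress[10][1.172.16.1.200] "00 06 53 FE 39 E0 "
atPhysAddress[10][1.172.16.1.210] "00 18 BA 51 5B 41 "
"""
BASEPORT_IFINDEX = {52: 10048}  # from dot1dBasePortIfIndex.52 = 10048
IFNAME = {10048: "Fa0/48"}      # from ifName.10048 = Fa0/48

def norm_mac(text):
    """Normalise '0:6:53:fe:39:e0' or '00 06 53 FE 39 E0 ' to 00:06:53:fe:39:e0."""
    octets = re.split(r"[:\s]+", text.strip())
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

def parse_fdb(output):
    """MAC -> dot1dBasePort number, from dot1dTpFdbPort lines."""
    pat = r"^dot1dTpFdbPort\[([0-9a-fA-F:]+)\]\s+(\d+)$"
    return {norm_mac(m[1]): int(m[2]) for m in re.finditer(pat, output, re.M)}

def parse_arp(output):
    """IP -> MAC, from atPhysAddress lines (index is [atIfIndex][1.<IPv4>])."""
    pat = r'^atPhysAddress\[\d+\]\[1\.([\d.]+)\]\s+"([0-9A-Fa-f ]+)"$'
    return {m[1]: norm_mac(m[2]) for m in re.finditer(pat, output, re.M)}

def locate_hosts(fdb_out, arp_out, baseport_ifindex, ifname):
    """IP -> (MAC, port name); port is None when the MAC is not in the FDB walk."""
    fdb = parse_fdb(fdb_out)
    hosts = {}
    for ip, mac in parse_arp(arp_out).items():
        # Chain: MAC -> dot1dBasePort -> ifIndex -> ifName; any miss yields None.
        hosts[ip] = (mac, ifname.get(baseport_ifindex.get(fdb.get(mac))))
    return hosts

if __name__ == "__main__":
    for ip, (mac, port) in locate_hosts(FDB, ARP, BASEPORT_IFINDEX, IFNAME).items():
        print(f"{ip:15} {mac} {port or 'not in mac-address table'}")
```

With this sample, 172.16.1.210 (the switch's own Vlan10 address) and 172.16.1.32 have ARP entries but no row in the mac-address table walk, so their port comes back as `None`.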

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM