Using SNMP to retrieve the ARP and mac-address tables from a switch
I would like to get ARP tables from a switch to a syslog-ng server that has been set up on Ubuntu Server 12.04 LTS. I have read about SNMP and I know the server will act as a manager and the switch as an agent. I have details as to where the MIB is contained, and I must use the command
snmpwalk -v2c -c <community> <SwitchIP> .184.108.40.206.220.127.116.11.3.1.2
I want the resulting ARP tables to be directed to my server.
My problem is that I don't know where exactly to run the command, or save the output to a file.
Hi, adding information to a database is off-topic... [su] is a good place to ask if you need help modifying a database. If you don't mind deleting that portion of the question, we can reopen it.
The ARP tables will be generated by the switch, but I want them viewed from the server
What brand and type of switch are you talking about? Availability of ARP tables via SNMP may differ per implementation. Also, is this a layer 3 switch, or are you really interested in ARP on a switch?
There seems to be a little confusion... you are asking about ARP tables, and you're using OID .18.104.22.168.22.214.171.124.3.1.2; however, that OID actually is for the mac-address table in the switch.
I am assuming you know how to login to your Ubuntu server, and that NET-SNMP is installed... please let me know if you need pointers for doing this (see this question for hints about loading MIBs in linux). Some of my examples assume you have the MIBs loaded on your server... you just need to remove the -m <mib-name> option in the commands if you don't have the MIBs loaded locally.
I apologize in advance for the length of this answer... I wish polling with SNMP wasn't as complicated...
Polling the mac-address table:
If you really want the mac-address table from the switch, then remember you have to change the community string you poll with... it should be in the form of <[email protected]>... each vlan you poll needs a different community.

    [[email protected] ~]$ snmpbulkwalk -v 2c -c [email protected] -OXsq 172.16.1.210 \
        .126.96.36.199.188.8.131.52.3.1.2
    dot1dTpFdbPort[0:6:53:fe:39:e0] 52
    dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
    dot1dTpFdbPort[0:30:1b:bc:a7:d7] 52
    dot1dTpFdbPort[0:80:c8:0:0:0] 52
    dot1dTpFdbPort[38:ea:a7:6d:2e:8e] 52
    dot1dTpFdbPort[80:ee:73:2f:b:40] 52
    [[email protected] ~]$

In the output above, 52 is the value of dot1dBasePort, which is a number the MIB uses to index the dot1dTp table. To translate that into a normal interface name, you have to map that to an ifName... BRIDGE-MIB does that with dot1dBasePortIfIndex...

    [[email protected] ~]$ snmpbulkwalk -v 2c -c [email protected] -m BRIDGE-MIB 172.16.1.210 \
        .184.108.40.206.220.127.116.11.4.1.2
    BRIDGE-MIB::dot1dBasePortIfIndex.52 = INTEGER: 10048
    [[email protected] ~]$
    [[email protected] ~]$ snmpget -v 2c -c public 172.16.1.210 ifName.10048
    IF-MIB::ifName.10048 = STRING: Fa0/48
    [[email protected] ~]$

Thus we know that all the mac-addresses on this switch were learned through FastEthernet 0/48 in vlan-10.
Polling the active Vlans:
    [[email protected] ~]$ snmpbulkwalk -v 2c -c public -OXsq -m CISCO-VTP-MIB 172.16.1.210 \
        .18.104.22.168.22.214.171.124.126.96.36.199.1.2
    vtpVlanState operational
    vtpVlanState operational
    vtpVlanState operational
    vtpVlanState operational
    vtpVlanState operational
    vtpVlanState operational
    [[email protected] ~]$

Keep in mind that Vlans 1002-1005 are internal Cisco Vlans that you should not poll.
Polling the ARP table
If you really want the ARP table from the switch, then you need to poll atPhysAddress...
    [[email protected] ~]$ snmpbulkwalk -v 2c -c public -OXsq 172.16.1.210 \
        .188.8.131.52.184.108.40.206.1.2
    atPhysAddress[220.127.116.11.5] "80 EE 73 2F 0B 40 "
    atPhysAddress[18.104.22.168.25] "38 EA A7 6D 2E 8E "
    atPhysAddress[22.214.171.124.32] "BC 51 FE 50 16 F8 "
    atPhysAddress[126.96.36.199.200] "00 06 53 FE 39 E0 "
    atPhysAddress[188.8.131.52.210] "00 18 BA 51 5B 41 "
    [[email protected] ~]$

Saving command output to a file
We're delving into areas that go outside the normal scope of this site, but to save the ARP table above to a file in /tmp/S01_ARP.txt, you'd add > /tmp/S01_ARP.txt to the end of the

    [mpen[email protected] ~]$ snmpbulkwalk -v 2c -c public -OXsq 172.16.1.210 \
        .184.108.40.206.220.127.116.11.1.2 > /tmp/S01_ARP.txt
    [[email protected] ~]$ cat /tmp/S01_ARP.txt
    atPhysAddress[18.104.22.168.5] "80 EE 73 2F 0B 40 "
    atPhysAddress[22.214.171.124.25] "38 EA A7 6D 2E 8E "
    atPhysAddress[126.96.36.199.32] "BC 51 FE 50 16 F8 "
    atPhysAddress[188.8.131.52.200] "00 06 53 FE 39 E0 "
    atPhysAddress[184.108.40.206.210] "00 18 BA 51 5B 41 "
    [[email protected] ~]$

As you see above, you can use cat in linux to get all output from a text file. NOTE: Some linux distributions (ahem... CentOS) clean out the /tmp directory on a monthly basis. You should use your HOME directory in linux to store the file. I don't remember Ubuntu cleaning out /tmp, but to be safe I'd avoid storing things there.
Miscellaneous notes about SNMP...
If you haven't loaded all Cisco's MIBs on your Ubuntu machine, then you should avoid using the -m <mib-name> flags in the snmpbulkwalk commands. Loading MIBs allows you to poll with an OID name, instead of the long dotted number...
I am including some show commands from the switch, in case you have questions about the CLI for the SNMP commands above...
    S01#sh ver | i IOS
    Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
    S01#
    S01#sh mac address-table dynamic
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      10    0006.53fe.39e0    DYNAMIC     Fa0/48
      10    001d.a1cd.5346    DYNAMIC     Fa0/48
      10    0030.1bbc.a7d7    DYNAMIC     Fa0/48
      10    0080.c800.0000    DYNAMIC     Fa0/48
      10    38ea.a76d.2e8e    DYNAMIC     Fa0/48
      10    80ee.732f.0b40    DYNAMIC     Fa0/48
    Total Mac Addresses for this criterion: 6
    S01#
    S01#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  172.16.1.210            -   0018.ba51.5b41  ARPA   Vlan10
    Internet  172.16.1.200            0   0006.53fe.39e0  ARPA   Vlan10
    Internet  172.16.1.32             0   bc51.fe50.16f8  ARPA   Vlan10
    Internet  172.16.1.25             0   38ea.a76d.2e8e  ARPA   Vlan10
    Internet  172.16.1.5              1   80ee.732f.0b40  ARPA   Vlan10
    S01#

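The three-step lookup in the answer above (dot1dTpFdbPort, then dot1dBasePortIfIndex, then ifName), done offline over saved walk output, as an added example that is not part of the original answer. The function names are hypothetical and the sample lines are constructed in the shape of the answer's output; MACs are rewritten in the dotted form that `sh mac address-table` prints so the two can be compared.

```python
import re
from collections import defaultdict

# Constructed sample input, in the shape of the answer's command output.
FDB = """\
dot1dTpFdbPort[0:6:53:fe:39:e0] 52
dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
dot1dTpFdbPort[80:ee:73:2f:b:40] 52
"""
BASEPORT = "BRIDGE-MIB::dot1dBasePortIfIndex.52 = INTEGER: 10048\n"
IFNAME = "IF-MIB::ifName.10048 = STRING: Fa0/48\n"

def cisco_mac(snmp_mac):
    """'0:6:53:fe:39:e0' -> '0006.53fe.39e0' (the walk drops leading zeros)."""
    octets = [int(o, 16) for o in snmp_mac.split(":")]
    if len(octets) != 6 or any(o > 0xFF for o in octets):
        raise ValueError("not a 6-octet MAC: %r" % snmp_mac)
    h = "".join("%02x" % o for o in octets)
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def parse_fdb(text):
    """Yield (mac, bridge_port) from -OXsq output of dot1dTpFdbPort."""
    pat = r"^dot1dTpFdbPort\[([0-9a-fA-F:]+)\]\s+(\d+)\s*$"
    for m in re.finditer(pat, text, re.M):
        yield cisco_mac(m.group(1)), int(m.group(2))

def parse_indexed(text, column):
    """Parse 'MIB::column.<index> = TYPE: value' lines into {index: value}."""
    pat = r"^(?:[\w-]+::)?%s\.(\d+) = \w+: (\S+)\s*$" % re.escape(column)
    return {int(i): v for i, v in re.findall(pat, text, re.M)}

def mac_table(fdb, baseport, ifname):
    """Join the three walks into {interface: [mac, ...]}."""
    port_to_ifindex = parse_indexed(baseport, "dot1dBasePortIfIndex")
    names = parse_indexed(ifname, "ifName")
    table = defaultdict(list)
    for mac, port in parse_fdb(fdb):
        ifindex = port_to_ifindex.get(port)
        # Ports with no mapping stay visible instead of being dropped.
        name = names.get(int(ifindex)) if ifindex else None
        table[name or "bridge-port-%d" % port].append(mac)
    return dict(table)

if __name__ == "__main__":
    for ifc, macs in mac_table(FDB, BASEPORT, IFNAME).items():
        for mac in macs:
            print(ifc, mac)
```
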
The answer was useful, I would like to know the meaning of -OXsq just before the IP address
check `man snmpcmd` if you're on a Linux host and have Net-SNMP installed. Otherwise you can find this information here: http://net-snmp.sourceforge.net/docs/man/snmpcmd.html
@MikePennington: Can you comment on the OIDs ipNetToMediaPhysAddress and ifPhysAddress? Specifically the semantic difference between these tables and atPhysAddress?