Using SNMP to retrieve the ARP and mac-address tables from a switch

32

11

I would like to get ARP tables from a switch to a syslog-ng server that has been set up on Ubuntu Server 12.04 LTS. I have read about SNMP and I know the server will act as a manager and the switch as an agent. I have details as to where the MIB is contained, and I must use the command

snmpwalk -v2c -c <community> <SwitchIP> .1.3.6.1.2.1.17.4.3.1.2

I want the resulting ARP tables to be directed to my server.

My problem is that I don't know where exactly to run the command, or save the output to a file.

sosytee

Posted 2013-08-21T07:55:46.070

Reputation: 375

Hi, adding information to a database is off-topic... [su] is a good place to ask if you need help modifying a database. If you don't mind deleting that portion of the question, we can reopen it. – Mike Pennington – 2013-08-21T08:25:31.180

I have modified my question – sosytee – 2013-08-21T08:31:52.877

What do you mean by "place the ARP tables into the server"? – Mike Pennington – 2013-08-21T08:34:28.360

The ARP tables will be generated by the switch, but I want them viewed from the server – sosytee – 2013-08-21T08:37:52.483

What if we told you how to put them in a text file... is that ok? – Mike Pennington – 2013-08-21T08:39:18.193

Yes, it's acceptable – sosytee – 2013-08-21T08:42:08.940

What brand and type of switch are you talking about? Availability of ARP tables via SNMP may differ per implementation. Also, is this a layer 3 switch, or are you really interested in ARP on a switch? – Teun Vink – 2013-08-21T09:01:51.593

It's a layer 3 switch, Cisco cat2960 – sosytee – 2013-08-21T09:20:41.010

Answers

35

There seems to be a little confusion... you are asking about ARP tables, and you're using OID .1.3.6.1.2.1.17.4.3.1.2; however, that OID actually is for the mac-address table in the switch.

I am assuming you know how to login to your Ubuntu server, and that NET-SNMP is installed... please let me know if you need pointers for doing this (see this question for hints about loading MIBs in linux). Some of my examples assume you have the MIBs loaded on your server... you just need to remove the -m <mib-name> option in the commands if you don't have the MIBs loaded locally.

I apologize in advance for the length of this answer... I wish polling with SNMP wasn't as complicated...

Polling the mac-address table:

If you really want the mac-address table from the switch, then remember you have to change the community string you poll with... it should be in the form of <community@vlan>... each vlan you poll needs a different community.

In my example below, the switch at 172.16.1.210 is configured with snmp-server community public ro, and I'm polling the mac-address table in vlan-10 with dot1dTpFdbPort from BRIDGE-MIB.

[mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public@10 -OXsq 172.16.1.210 \
  .1.3.6.1.2.1.17.4.3.1.2
dot1dTpFdbPort[0:6:53:fe:39:e0] 52
dot1dTpFdbPort[0:1d:a1:cd:53:46] 52
dot1dTpFdbPort[0:30:1b:bc:a7:d7] 52
dot1dTpFdbPort[0:80:c8:0:0:0] 52
dot1dTpFdbPort[38:ea:a7:6d:2e:8e] 52
dot1dTpFdbPort[80:ee:73:2f:b:40] 52
[mpenning@tsunami ~]$

In the output above, 52 is the value of dot1dBasePort, which is a number the MIB uses to index the dot1dTp table. To translate that into a normal interface name, you have to map that to an ifName... BRIDGE-MIB does that with dot1dBasePortIfIndex...

[mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public@10 -m BRIDGE-MIB 172.16.1.210 \
  .1.3.6.1.2.1.17.1.4.1.2
BRIDGE-MIB::dot1dBasePortIfIndex.52 = INTEGER: 10048
[mpenning@tsunami ~]$
[mpenning@tsunami ~]$ snmpget -v 2c -c public 172.16.1.210 ifName.10048
IF-MIB::ifName.10048 = STRING: Fa0/48
[mpenning@tsunami ~]$

Thus we know that all the mac-addresses on this switch were learned through FastEthernet 0/48 in vlan-10.

Polling the active Vlans:

If you're not sure which vlans to poll on a switch, you can get that information from .1.3.6.1.4.1.9.9.46.1.3.1.1.2, which is vtpVlanState in the CISCO-VTP-MIB...

[mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public -OXsq -m CISCO-VTP-MIB 172.16.1.210 \
   .1.3.6.1.4.1.9.9.46.1.3.1.1.2
vtpVlanState[1][1] operational
vtpVlanState[1][10] operational
vtpVlanState[1][1002] operational
vtpVlanState[1][1003] operational
vtpVlanState[1][1004] operational
vtpVlanState[1][1005] operational
[mpenning@tsunami ~]$

Keep in mind that Vlans 1002-1005 are internal Cisco Vlans that you should not poll.

Polling the ARP table

If you really want the ARP table from the switch, then you need to poll atPhysAddress...

[mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public -OXsq  172.16.1.210 \
  .1.3.6.1.2.1.3.1.1.2
atPhysAddress[10][1.172.16.1.5] "80 EE 73 2F 0B 40 "
atPhysAddress[10][1.172.16.1.25] "38 EA A7 6D 2E 8E "
atPhysAddress[10][1.172.16.1.32] "BC 51 FE 50 16 F8 "
atPhysAddress[10][1.172.16.1.200] "00 06 53 FE 39 E0 "
atPhysAddress[10][1.172.16.1.210] "00 18 BA 51 5B 41 "
[mpenning@tsunami ~]$

Saving command output to a file

We're delving into areas that go outside the normal scope of this site, but to save the ARP table above to a file in /tmp/S01_ARP.txt, you'd add > /tmp/S01_ARP.txt to the end of the snmpbulkwalk above...

[mpenning@tsunami ~]$ snmpbulkwalk -v 2c -c public -OXsq  172.16.1.210 \
      .1.3.6.1.2.1.3.1.1.2 > /tmp/S01_ARP.txt
[mpenning@tsunami ~]$ cat /tmp/S01_ARP.txt
atPhysAddress[10][1.172.16.1.5] "80 EE 73 2F 0B 40 "
atPhysAddress[10][1.172.16.1.25] "38 EA A7 6D 2E 8E "
atPhysAddress[10][1.172.16.1.32] "BC 51 FE 50 16 F8 "
atPhysAddress[10][1.172.16.1.200] "00 06 53 FE 39 E0 "
atPhysAddress[10][1.172.16.1.210] "00 18 BA 51 5B 41 "
[mpenning@tsunami ~]$

As you see above, you can use cat in linux to get all output from a text file. NOTE: Some linux distributions (ahem... CentOS) clean out the /tmp directory on a monthly basis. You should use your HOME directory in linux to store the file. I don't remember Ubuntu cleaning out /tmp, but to be safe I'd avoid storing things there.

Miscellaneous notes about SNMP...

If you haven't loaded all Cisco's MIBs on your Ubuntu machine, then you should avoid using the -m <mib-name> flags in the snmpbulkwalk commands. Loading MIBs allows you to poll with an OID name, instead of the long dotted number...


Reference information:

I am including some show commands from the switch, in case you have questions about the CLI for the SNMP commands above...

S01#sh ver | i IOS
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2)
S01#
S01#sh mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0006.53fe.39e0    DYNAMIC     Fa0/48
  10    001d.a1cd.5346    DYNAMIC     Fa0/48
  10    0030.1bbc.a7d7    DYNAMIC     Fa0/48
  10    0080.c800.0000    DYNAMIC     Fa0/48
  10    38ea.a76d.2e8e    DYNAMIC     Fa0/48
  10    80ee.732f.0b40    DYNAMIC     Fa0/48
Total Mac Addresses for this criterion: 6
S01#
S01#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.210            -   0018.ba51.5b41  ARPA   Vlan10
Internet  172.16.1.200            0   0006.53fe.39e0  ARPA   Vlan10
Internet  172.16.1.32             0   bc51.fe50.16f8  ARPA   Vlan10
Internet  172.16.1.25             0   38ea.a76d.2e8e  ARPA   Vlan10
Internet  172.16.1.5              1   80ee.732f.0b40  ARPA   Vlan10
S01#

Mike Pennington

Posted 2013-08-21T07:55:46.070

Reputation: 26 089
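
Added example (not part of the original answer): a POSIX sh/awk helper that joins saved `-OXsq` output from the walks above into "IP MAC interface" lines, reconciling the unpadded MAC notation in the dot1dTpFdbPort index with the padded hex string in atPhysAddress. The function names `correlate` and `demo` are this example's own; the ARP and FDB sample lines come from the answer's output, while the `ifName[...]` and `dot1dBasePortIfIndex[...]` lines are constructed in `-OXsq` form from the values the answer shows. It assumes the object names resolve as they do in the answer's output, and that the FDB walks of every polled vlan are concatenated ahead of the ARP walk.

```shell
#!/bin/sh
# Join saved `snmpbulkwalk -OXsq` output into "IP MAC interface" lines.
# Input order: ifName, dot1dBasePortIfIndex and dot1dTpFdbPort lines first
# (the lookup tables), atPhysAddress lines last. Reads files or stdin.

correlate() {  # usage: correlate [IFNAME_FILE BASEPORT_FILE FDB_FILE ARP_FILE]
  awk '
    # "0:6:53:fe:39:e0" or "80 EE 73 2F 0B 40" -> zero-padded, lower-case, colons
    function mac(s,   n, p, i, out) {
      gsub(/"/, "", s); gsub(/^ +| +$/, "", s)
      n = split(tolower(s), p, /[ :]+/)
      if (n != 6) return ""
      for (i = 1; i <= 6; i++)
        out = out (i > 1 ? ":" : "") (length(p[i]) == 1 ? "0" : "") p[i]
      return out
    }
    { gsub(/\[|\]/, " ") }                           # name[idx] val -> name idx val
    $1 == "ifName"               { name[$2] = $3 }        # ifIndex -> Fa0/48
    $1 == "dot1dBasePortIfIndex" { ifidx[$2] = $3 }       # bridge port -> ifIndex
    $1 == "dot1dTpFdbPort"       { port[mac($2)] = $3 }   # MAC -> bridge port
    $1 == "atPhysAddress" {
      ip = $3; sub(/^1\./, "", ip)                   # drop the "1." type prefix
      m = mac($4 " " $5 " " $6 " " $7 " " $8 " " $9)
      i = (m in port) ? ifidx[port[m]] : ""
      print ip, m, ((i in name) ? name[i] : "-")     # "-" = MAC not in the FDB
    }
  ' "$@"
}

demo() {  # sample input; see the lead-in for which lines are constructed
  correlate <<'EOF'
ifName[10048] Fa0/48
dot1dBasePortIfIndex[52] 10048
dot1dTpFdbPort[0:6:53:fe:39:e0] 52
dot1dTpFdbPort[80:ee:73:2f:b:40] 52
atPhysAddress[10][1.172.16.1.5] "80 EE 73 2F 0B 40 "
atPhysAddress[10][1.172.16.1.32] "BC 51 FE 50 16 F8 "
atPhysAddress[10][1.172.16.1.200] "00 06 53 FE 39 E0 "
EOF
}

demo
```

An ARP entry whose MAC has no learned port in the supplied FDB output, such as 172.16.1.32 here, is printed with "-" in place of an interface name.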

@MikePennington: Can you comment on the OIDs ipNetToMediaPhysAddress and ifPhysAddress? Specifically the semantic difference between these tables and atPhysAddress? – mormegil – 2014-11-21T20:48:14.527

The answer was useful, I would like to know the meaning of -OXsq just before the IP address – sosytee – 2013-08-21T12:16:58.110

1

Check man snmpcmd if you're on a Linux host and have Net-SNMP installed. Otherwise you can find this information here: http://net-snmp.sourceforge.net/docs/man/snmpcmd.html

– John Jensen – 2013-08-21T13:00:11.740

In addition to the above, you can install netDB on that Ubuntu server and get more visibility on the ARP tables of several devices. http://netdbtracking.sourceforge.net/

– Kunal – 2015-02-16T21:57:04.670