[c-nsp] SNMP descrepancy
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jun 24 03:32:45 EDT 2010
On 06/23/2010 07:34 PM, Drew Weaver wrote:
> The actual machine for:
>
> Internet 10.1.164.42 146 0030.48bf.3230 ARPA Vlan643
>
> Was down at the time (like completely down...) and I wouldn't have
> expected to even see this in the sh ip arp vlan 643 output at all,
Well, from your data above, the arp entry age is only 146 seconds; by
default the ARP entry will live for hours. They're not tied to the MAC
table entry at all.
> but since it did show up in there I am wondering why it didn't show
> up in the mac-address-table and more importantly is there a way to
You say the host was down; is it directly attached to this switch? If
so, the MAC table for its port would be cleared on link-down.
Other than link-down events, the only other thing I can think of that
clears MAC table entries are STP TCNs (clearing the entries on the ports
concerned).
If none of those happened then you're right, there should be a MAC table
entry, with an ARP entry only 146 seconds old (146 < 300)
> query the 'arp table' for just vlan 643 via SNMP that anyone is aware
ipNetToMedia is indexed by ifIndex.ip.ip.ip.ip, so you just need to know
the ifIndex for vlan 643s routed portion; easiest way to find that is to:
ifindex=`snmpget -O qv router
CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB::cviRoutedVlanIfIndex.$vlan.1`
...then:
snmpwalk ipNetToMediaPhysAddress.$ifindex
> of? I also noticed this same thing occurs sometimes when Windows
> firewall is enabled on Windows 2008 machines. I have to disable the
> firewall and ping the machine before it will show up in those SNMP
> .1.3.6.1.2.1.17.4.3.1.1 even though the host is actually up and
> running.
Well, on IOS ARP entries live for much longer (4 hours?) than MAC table
entries (300 seconds) by default, so the MAC entry will expire after 5
minutes of inactivity. When you ping a host, the MAC is still resolvable
via the ARP table, but it will be flooded out of all ports as an
"unknown unicast". Or 4 hours down the line, as the ARP entry expires,
it'll broadcast and ARP request.
As a previous poster has said; monitoring MAC tables (and ARP tables,
really) needs to be done by taking continuous snapshots and logging them
to a database. Netdisco is a good (free, open source) choice for this.
More information about the cisco-nsp
mailing list