[c-nsp] SNMP discrepancy

Phil Mayers p.mayers at imperial.ac.uk
Thu Jun 24 03:32:45 EDT 2010


On 06/23/2010 07:34 PM, Drew Weaver wrote:
> The actual machine for:
>
> Internet  10.1.164.42        146   0030.48bf.3230  ARPA   Vlan643
>
> Was down at the time (like completely down...) and I wouldn't have
> expected to even see this in the sh ip arp vlan 643 output at all,

Well, from your data above, the arp entry age is only 146 seconds; by 
default the ARP entry will live for hours. They're not tied to the MAC 
table entry at all.

> but since it did show up in there I am wondering why it didn't show
> up in the mac-address-table and more importantly is there a way to

You say the host was down; is it directly attached to this switch? If 
so, the MAC table for its port would be cleared on link-down.

Other than link-down events, the only other thing I can think of that 
clears MAC table entries are STP TCNs (clearing the entries on the ports 
concerned).

If none of those happened then you're right, there should be a MAC table 
entry, with an ARP entry only 146 seconds old (146 < 300).

> query the 'arp table' for just vlan 643 via SNMP that anyone is aware

ipNetToMedia is indexed by ifIndex.ip.ip.ip.ip, so you just need to know 
the ifIndex for vlan 643's routed portion; easiest way to find that is to:

ifindex=`snmpget -O qv router CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB::cviRoutedVlanIfIndex.$vlan.1`

...then:

snmpwalk router ipNetToMediaPhysAddress.$ifindex

> of? I also noticed this same thing occurs sometimes when Windows
> firewall is enabled on Windows 2008 machines. I have to disable the
> firewall and ping the machine before it will show up in those SNMP
> .1.3.6.1.2.1.17.4.3.1.1 even though the host is actually up and
> running.

Well, on IOS ARP entries live for much longer (4 hours?) than MAC table 
entries (300 seconds) by default, so the MAC entry will expire after 5 
minutes of inactivity. When you ping a host, the MAC is still resolvable 
via the ARP table, but it will be flooded out of all ports as an 
"unknown unicast". Or 4 hours down the line, as the ARP entry expires, 
it'll broadcast an ARP request.

As a previous poster has said, monitoring MAC tables (and ARP tables, 
really) needs to be done by taking continuous snapshots and logging them 
to a database. Netdisco is a good (free, open source) choice for this.
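
Added example, not part of the original post: a shell function that compares a saved ARP walk (ipNetToMediaPhysAddress for the VLAN's ifIndex) with a saved MAC-table walk (.1.3.6.1.2.1.17.4.3.1.1) and lists ARP entries that have no MAC-table entry, which is the discrepancy discussed in this thread. The input is assumed to be `snmpwalk -On` output; the sample walk lines, ifIndex 77, the host 10.1.164.50 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All walk lines below are constructed.

# arp_without_mac ARP_WALK FDB_WALK
# Prints "ip mac" for each ARP entry whose MAC has no bridge-table entry.
#   ARP_WALK: saved `snmpwalk -On` of ipNetToMediaPhysAddress.$ifindex
#   FDB_WALK: saved `snmpwalk -On` of .1.3.6.1.2.1.17.4.3.1.1 for the VLAN
arp_without_mac() {
    awk -v fdb="$2" '
    # Join six two-digit hex octets into Cisco xxxx.xxxx.xxxx notation.
    function cisco(h) { return h[1] h[2] "." h[3] h[4] "." h[5] h[6] }
    BEGIN {
        # The FDB index is the MAC as six decimal octets at the end of the OID.
        # Read it here so an empty MAC table is handled correctly.
        while ((getline line < fdb) > 0) {
            split(line, kv, " = ")
            n = split(kv[1], p, ".")
            if (n < 6) continue
            for (i = 1; i <= 6; i++) h[i] = sprintf("%02x", p[n - 6 + i] + 0)
            seen[cisco(h)] = 1
        }
    }
    / = / {
        split($0, kv, " = ")
        # The ARP index ends in the IPv4 address; the value is the MAC.
        n = split(kv[1], p, ".")
        ip = p[n-3] "." p[n-2] "." p[n-1] "." p[n]
        val = kv[2]
        sub(/^[A-Za-z-]+: */, "", val)   # drop "STRING: " or "Hex-STRING: "
        if (split(val, o, /[: ]+/) < 6) next
        for (i = 1; i <= 6; i++) {
            x = tolower(o[i]); if (length(x) == 1) x = "0" x
            h[i] = x
        }
        mac = cisco(h)
        if (!(mac in seen)) print ip, mac
    }' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        '.1.3.6.1.2.1.4.22.1.2.77.10.1.164.42 = STRING: 0:30:48:bf:32:30' \
        '.1.3.6.1.2.1.4.22.1.2.77.10.1.164.50 = Hex-STRING: 00 1B 21 0A 0B 0C' > "$dir/arp"
    printf '%s\n' \
        '.1.3.6.1.2.1.17.4.3.1.1.0.27.33.10.11.12 = Hex-STRING: 00 1B 21 0A 0B 0C' > "$dir/fdb"
    arp_without_mac "$dir/arp" "$dir/fdb"
    rm -rf "$dir"
}
demo
```

Run on periodic snapshots, an entry that keeps appearing in this list is a host that is still in the ARP cache but has aged out of (or been cleared from) the MAC table.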

