Why is are our Cisco 3550's dropping MAC addresses?

Discussion in 'Cisco' started by wcrouse, Mar 2, 2004.

  1. wcrouse

    wcrouse Guest

    At the small private school where I work we are trying to use a third
    party solution that authenticates and tracks machines using snmp and
    queries to the switches' MAC table. However, in testing this setup,
    I'm observing that machines seem to come and go randomly from our
    logging. When our consultant examined our switches, he noted that the
    MAC addresses of currently connected and active workstations appeared
    and disappeared as he sequentially queried the MAC table. We though
    that lengthening the period of inactivity on the switch before the
    table was scavenged was the problem, but subsequent analysis shows no
    change. Workstations are aging out of the table (or, at least not
    displaying on a 'show') in five minutes or less.
    Other than flashing to an older revision of the Cisco software, my
    consultant isn't sure what to do. Any ideas? Why are my switches
    removing, or at least not showing to snmp queries, machines that are
    on line? Is this a known issue? Thanks.
    wcrouse, Mar 2, 2004
    1. Advertisements

  2. wcrouse

    AnyBody43 Guest

    "Workstations are aging out of the table (or, at least not
    displaying on a 'show') in five minutes or less."

    Yes they age out _by design_. See 802.1d.

    What you could do is to refresh the table by say pinging each
    machine, however if there is a Spanning Tree "Topology Change"
    then the ageing time is reduced to 15 seconds (fast ageing).

    At least some of these timers are configurable however my view is
    that your purpose is not a good reason to change them from the
    tried and tested defaults.

    Maybe you need a consultant?

    I would consider the following:-
    Do a ping scan then query the relevant arp tables to get the
    end station MAC addresses, then if required use the switch tables
    to find the ports that the MAC is conneced to.

    You should be aware that MAC addresses are not cast in stone.
    They can usually (although I confess I have not tried for a
    few years) be changed in software on a temporary (or even
    permanent) basis. This would in principle allow someone to
    say remove one machine while leading your records to believe that
    it was still there.
    AnyBody43, Mar 3, 2004
    1. Advertisements

  3. It's as easy as creating a NetworkAddress registry entry in NT/W2k/XP.
    Joop van der Velden, Mar 3, 2004
  4. wcrouse

    joe Guest

    Configure port security. This in effect statically cam's
    the switch. Each mac will be permanent. Great for situations
    where you don't move pc's around much.

    You can even use "sticky-learning" to auto grab the first mac
    address plugged in. Any other mac learned on that port will
    cause a security violation to occur, the switch can the be
    configured to take several actions if a violation occurs.

    3550-1(config)#int f0/23
    3550-1(config-if)#switchport mode access
    3550-1(config-if)#switchport port-security mac-address sticky
    3550-1(config-if)#switchport port-security maximum 1
    3550-1(config-if)#switchport port-security violation shutdown
    joe, Mar 4, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.