Cisco MAC Address Table

A switch maintains an dynamically built address table using the source MAC addresses of received frames. The switch takes the received frame and it’s incoming MAC address of the sending device with the LAN port it was received on and puts that in the address table.

If the switch receives a frame and sees that the destination MAC address is not listed in the address table it will flood that frame to all LAN ports of the same VLAN. When the destination replies, the switch adds that source MAC address to the table.

MAC entries are retained on switch reboot. To maintain a clean table, an aging timer is used to remove inactive MAC addresses from the table. This aging timer is configured in seconds.

Aside from dynamically learning MAC addresses, you can also configure Static MAC addresses. The syntax for configuring a static MAC address is:

SW1(config)#mac address-table static mac_address vlan vlan-id {drop | interface {type slot/port} | port-channel number} [auto-learn]

SW1#conf t
SW1(config)#mac address-table static aaaa.bbbb.cccc vlan 10 interface gigabitethernet 1/0/4

To delete a static MAC address add the no keyword in front of the command above.

Configure the Aging Timer

Configure the aging timer for all MAC addresses on the switch:

SW1#conf t
SW1(config)#mac address-table aging-time seconds [vlan vlan-id]

The time range is from 10 – 1000000. Configuring an aging time of 0 disables aging.

Clearing Dynamic Addresses

This command clears all dynamic MAC entries from the MAC address table:

SW1#clear mac address-table dynamic

You can be more granular with clearing addresses. Here is the syntax:

SW1#clear mac address-table dynamic {address mac_address} {interface [type slot/port | port-channel number} {vlan vlan_id}

Verifying the MAC Address Table

Use these show commands:

show mac address-table to display the contents of the MAC address table.

SW1#show mac address-table
 Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
 All 000d.bdd3.4e80 STATIC CPU
 All 000d.bdd3.4e81 STATIC CPU
 All 000d.bdd3.4e82 STATIC CPU
 10 0090.7f9b.0a35 DYNAMIC Po10
 10 0090.7f9b.0a36 DYNAMIC Po10
Total Mac Addresses for this criterion: 5

show mac address-table aging-time to display the aging time for all VLANs on the switch.

SW1#sh mac address-table aging-time
Global Aging Time: 300
Vlan Aging Time
---- ----------
 60 100



Installing Snorby for Snort

We’ve gone through installing Snort and installing PulledPork and Barnyard2. It’s not much help if there isn’t an easy way to look at the alerts and events being triggered in Snort. Snorby integrates with Snort by providing metrics and reporting. The installation is a ruby on rails application. If configured properly you can now classify events to preconfigured or custom classifications. You can also do so with a simple hotkey.

Even for a small team who doesn’t have a dedicated security analyst you can schedule daily reports to be emailed out with a summary of events. To get a glimpse of what it’s capable you can take a look at the demo at Username is and the password is snorby.

Installing Prerequisites

Before installing Snorby you will need Ruby, ImageMagick, Rails, and Wkhtmltopdf.

yum -y groupinstall "Development Tools"
 yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip

Download and Compile ImageMagick

cd ~/tmp
tar -xvf ImageMagick-6.8.9-6.tar.gz
cd ImageMagick-6.8.9-6
make install
ldconfig /usr/local/lib

Download and Install Wkhtmltopdf

Wkhtmltopdf is used by Snorby to create reports. First download some prerequisites for Wkhtmltopdf:

yum -y install xz urw-fonts libXext openssl-devel libXrender

Install wkhtmltopdf:

cd ~/tmp
rpm -Uvh wkhtmltox-0.12.1_linux-centos6-amd64.rpm

You can verify the installation by running this command:

wkhtmltopdf google.pdf

Install Ruby

First the prerequisites:

yum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel openssl-devel libyaml-devel readline-devel curl-devel openssl-devel pcre-devel git memcached-devel valgrind-devel mysql-devel ImageMagick-devel
yum -y install libyaml-devel

If you have problems finding libyaml-devel using yum, run these commands:

rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

I’ll be installing Ruby with RVM:

curl -L | bash -s stable

Set up the RVM environment:

source /etc/profile.d/

Install Ruby version 1.9.3 which is required for Snorby:

rvm install 1.9.3
rvm use 1.9.3 --default

Install RubyGems:

rvm rubygems current

Install Rails:

gem install rails

Install Snorby

yum -y install httpd
service httpd start
chkconfig --add httpd
chkconfig httpd on
gem install bundler
cd /var/www/html
mkdir snorby
cd snorby
wget -O --no-check-certificate
mv snorby-master/* /var/www/html/snorby

Continue Reading…

New Cisco CCNP Routing and Switching Exam

It was only a matter of time until Cisco changed the CCNP Routing and Switching certification. With the CCNA and CCIE revised, the CCNP was a matter of “when”. The last day to take the CCNPv1 exams will be on January 29th, 2015.

Do you already have some CCNPv1 exams under your belt? You can mix and match and still obtain the CCNP certification. Cisco published this CCNP Exam Combination Tool which helps you determine which combination of exams are required to complete your CCNP.

The CCNP exam changes, in my opinion, are good. The objectives are clear and it appears they have removed those “Planning..” objectives. With the new CCNPv2 changes we get concrete objectives. You know exactly what you’re being tested on. The type of objectives you see in version 2 are “Configure and Verify”, “Troubleshoot”, or “Explain/Describe”.

It’s possible they decided to move the version 1 objectives of “Implementation Plan” and “Verification Plan” to the Design track.

Just a few of the changes that stuck out to me:

  • Inclusion of VRF lite in ROUTE.
  • Describe DMVPN and EVN in ROUTE.
  • Configuring NetFlow in ROUTE.
  • SDM templates in SWITCH.
  • Explain what Frame Relay is (thought this could have been removed.)


Continue Reading…