FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala, Staff
Article Id 196745

Description

This article describes the conditions under which MAC Notification traps are triggered:
Add - Device generates traffic for the first time
Remove - MAC is removed from the address table. The time it takes for this to occur depends upon how the device is connected.
  • Directly connected devices: MAC entry is removed immediately
  • Devices behind an IP Phone, non-managed switch or hub: MAC entry must age out of the switch's MAC address table.  This is based on the age time configured within the switch (typically minutes).
Change - Device whose MAC is already learned on a port moves and connects to another port and generates traffic
 
Events logged in NAC can be used to verify whether or not MAC Notification traps are being processed. 
 
Note:  FortiAPs will not generate MAC Learned or Removed events. They are handled differently in code when it comes to syslog notifications.


Scope
Version:  8.x, 9.x

Solution

Enable Events
Version 8.x: Navigate to Logs > Event Management.

Version 9.x: Navigate to Logs > Events & Alarms > Management.

 
Enable MAC Learned and MAC Removed events.  Right-click on each event and select Log Internal.
 

Once enabled, any MAC Notification traps processed will generate an event.

 
View Events

Version 8.x:  Navigate to Logs > Events.

Version 9.x:  Navigate to Logs > Events & Alarms > Events.
 

1.  From Add Filter drop-down menu, select Event.
2.  From the Event drop-down menu, select either MAC Learned or MAC Removed.
3.  Set any additional desired filters (such as date and time), then click Update.  

 
Disable Events
Once troubleshooting is complete, disable the event:

Version 8.x: Navigate to Logs > Event Management.
Version 9.x: Navigate to Logs > Events & Alarms > Management.
 
Disable MAC Learned and MAC Removed events.  Right-click on each event and select Disable.

 

Troubleshooting steps if events are not being generated:
 
1) Verify the sending switch is configured properly.  Traps should be sent to the eth0 IP address of the appliance.  For details see Configuring Traps for MAC Notification in the Document Library.
 
2) Run a packet capture to confirm whether or not the traps are being received by the appliance.  The tcpdump tool in the appliance CLI can be used to run a packet capture.  Alternatively, run a packet capture on the switch port that the appliance eth0 interface connects to.
 
TCPDUMP method:

a. Log in to the appliance CLI as root.  Type:
cd /bsc/logs
 
b. Start a tcpdump to verify that traps are received from the switch:
tcpdump -nni any host <switch ip> and port 162

c. Connect the device to switch

d. Wait 10 seconds

e. Disconnect device from switch

f. Press Ctrl+C to stop tcpdump.
 
3) If traps are received but are not being processed:
Devices configured for Cisco SNMPv3:  Verify that context values are defined for every VLAN created on the switch. For tips on configuring and validating Cisco SNMPv3, refer to the related KB article below.
 
4) Contact Support for further troubleshooting assistance.  Before opening the ticket, get a full packet capture of the traps sent by the device:
 
 
TCPDUMP method:
 
a. Log in to the appliance CLI as root.  Type:
cd /bsc/logs
 
b. Start packet capture and create a .cap file.
tcpdump -s 0 -w MACtrap.cap -i any '(ip host <device ip> and port 162)'
 
Note: once Enter is pressed, tcpdump writes to the file and there will be no output on the screen.
 
c. Connect device to switch
 
d. Wait 10 seconds
 
e. Disconnect device from switch
 
f. Press Ctrl+C to stop tcpdump.
 
g. The .cap file can be downloaded from the appliance using WinSCP or a similar program.  The trace can be viewed using Wireshark.
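Before opening the ticket, the .cap file from step g can also be checked offline to confirm that traps from the switch actually reached the appliance, and in which SNMP version they arrived (relevant to step 3). The script below is an added example written for this article, not FortiNAC's own tooling; it assumes the classic pcap format that tcpdump -w produces, and the addresses and trap bytes in the sample capture are constructed placeholders.

```python
import struct

LINK_HDR_LEN = {1: 14, 113: 16, 276: 20}   # Ethernet; Linux cooked v1/v2 as written by "tcpdump -i any"
SNMP_TRAP_PORT = 162
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def snmp_version(payload):
    """Read the version INTEGER that opens every SNMP message (BER SEQUENCE { INTEGER version, ... })."""
    if len(payload) < 5 or payload[0] != 0x30:   # not a BER SEQUENCE
        return None
    i = 2 if payload[1] < 0x80 else 2 + (payload[1] & 0x7F)   # skip short- or long-form length
    return SNMP_VERSIONS.get(payload[i + 2], "unknown") if payload[i:i + 2] == b"\x02\x01" else None

def count_traps(pcap_bytes, switch_ip):
    """Count UDP/162 packets sent by switch_ip in a classic pcap file, keyed by SNMP version."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap_bytes[:4]]   # pcap magic (pcapng not handled)
    hdr_len = LINK_HDR_LEN[struct.unpack(endian + "I", pcap_bytes[20:24])[0]]
    counts, off = {}, 24   # 24-byte global header, then 16-byte record headers
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = pkt[hdr_len:]
        if len(ip) < 28 or ip[0] >> 4 != 4 or ip[9] != 17:   # IPv4 carrying UDP only
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        src = ".".join(str(b) for b in ip[12:16])
        if src == switch_ip and struct.unpack("!H", udp[2:4])[0] == SNMP_TRAP_PORT:
            ver = snmp_version(udp[8:])
            counts[ver] = counts.get(ver, 0) + 1
    return counts

def udp_frame(src_ip, dst_ip, dport, payload):   # constructed sample: Ethernet + IPv4 + UDP, checksums zero
    udp = struct.pack("!HHHH", 50000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames, linktype=1):   # constructed sample: little-endian pcap container around raw frames
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample capture with placeholder addresses; trap bodies are truncated to the leading bytes.
SWITCH_IP, NAC_IP = "10.0.0.2", "10.0.0.10"
V2C_TRAP, V3_TRAP = b"\x30\x0b\x02\x01\x01\x04\x06public", b"\x30\x03\x02\x01\x03"
SAMPLE_PCAP = build_pcap([udp_frame(SWITCH_IP, NAC_IP, 162, V2C_TRAP), udp_frame(SWITCH_IP, NAC_IP, 162, V3_TRAP),
                          udp_frame(SWITCH_IP, NAC_IP, 162, V2C_TRAP), udp_frame("10.0.0.99", NAC_IP, 162, V2C_TRAP)])
```

Running count_traps(SAMPLE_PCAP, SWITCH_IP) on the sample returns {'v2c': 2, 'v3': 1}; the trap from 10.0.0.99 is ignored, which is the same filter as step b. On the appliance, replace SAMPLE_PCAP with the bytes of MACtrap.cap and SWITCH_IP with the switch's address.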
 
 
 
Open a support ticket and include the following:
  • Problem description
  • Screen capture of the device's Element tab
    • Version 8.x: Network Devices > Topology
    • Version 9.x: Network > Inventory
  • Screen capture Engine Version
    • Version 8.x:  Help > About
    • Version 9.x:  Click on username in the upper right corner
  • Packet capture file
 

Related Articles

Technical Tip: Configure and validate Cisco SNMPv3

Technical Tip: Confirming Link State traps via Administration UI
