AANTS - Upgrade to NetWatch to Learn MAC Addresses on MAC-Locked Ports
Describes changes made to NetWatch and catwatch to get information from MAC-locked ports.
BackgroundMark Karls and Carl Karcher reported a problem with catwatch/NetWatch/PortUseAudit not reporting MAC addresses in use on ports that were MAC-locked with "switchport port-security mac-address ..."
ChangesThis necessitated a slight change to the meaning of the "MAC seen date" in NetWatch (i.e. the column named "dt" in the macswitch MySQL table).
In NetWatch or any other tool that uses its database tables, such as PortUseAudit, the MAC "seen" date now means either:
1) for dynamically learned MAC addresses, it is the date/time when the given address was seen as active in the mac-address table. This is what it has meant in the past.
2) for statically "locked" MAC addresses, it is the date/time when the given address was found to be configured statically, and the given interface was up - presumably because one of the locked addresses was using it. The assumption being that it is not a shared port.
Fine DetailsThe problem with catwatch was that the status of those locked MACs in the mac-address table was "mgmt(5)" rather than "learned(3)". This means that they are statically configured in the mac-address learning table, rather than learned dynamically.
This involved a substantial change to catwatch: To get some sort of guarantee that at least one of the locked MAC addresses is actually in use, catwatch now checks the port's interface status. If the port's status is not "up(1)" then catwatch won't record the MAC address even if its in the learning table (such static entries always are.)
For static/locked MAC addresses, it will record them as long as the port is "up(1)". Note that this means that some static/locked MAC addresses will appear in NetWatch even if they might not actually be in use.
Written by Dave Plonka