Show mac-address-table not working on ASA5512
Hi,
I'm unable to execute "show mac-address-table" on an ASA5512, running 9.1(1). The output is:
asa-test# show mac-address-table
^
ERROR: % Invalid input detected at '^' marker.
Has the command changed for this model / version? It works fine on ASA5505's running 8.4(5).
Thanks for your time,
John
hi john,
the show mac-address-table command should be valid.
check if you've got MAC learning enabled on the ASA interface using show mac-learn command.
edit: could you post show firewall? the above command works on transparent firewall only.
-
CNA 5.5 and show mac address-table
When trying to Monitor/Search for MAC address in C2960 network I got an error reply that a CLI command is not supported. Analyzing network traffic shows that CNA 5.5 is issueing 'show mac-address-table' command but the latest Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE does not support 'show mac-address-table' anymore but does support 'show mac address-table' command. How can I change the command for showing mac address tables in CNA 5.5?
M.
-
Given the command show mac-address-table from the privilege exec mode in a cat 2950, the output shows some (I think 4) mac-addresses that are system. Do you have any idea what these MACs are?
Hi Dimitris,
Thanks for writing in. I tried the command on my switch and got the following: Do you see a similar output and is this what you are referring to?
2950#sh mac-address-table
Mac Address Table
Vlan Mac Address Type Ports
All 0009.7c70.f9c0 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
0100.0ccc.cccc is used for CDP/VTP/DTP/PAgP/UDLD
0100.0ccc.cccd is used for PVST+
0100.0cdd.dddd seems to be related to multicast, however need to confirm on this.
0009.7c70.f9c0 is the mac address for my management vlan interface.
2950#sh int vlan 1
Vlan1 is administratively down, line protocol is down Hardware is CPU Interface, address is 0009.7c70.f9c0 (bia 0009.7c70.f9c0)
Hope this helps.
regards
-Alok -
Airport Express WiFi network MAC address filtering not working
I have an Airport Express WiFi network which I bought and installed new in 2011. Initially I enabled MAC address access control and populated a list. It was working perfectly, I know, because a niece visiting tried to connect her iPhone and could not until I added its MAC address to the allowed list. Now however, anyone can connect without being added to the list. I think I read somewhere that a recent firmware update permanently disabled MAC filtering in Airport Express, even when it was previously working? Can anyone enlighten me about what's going on here?
In a sense those are/were/should operate as two separate functions, which they did before recently.
They do operate as two separate functions.....but it all depends on how you have the default rule setup in Timed Access.
If the default rule in Timed Access is set to No Access.......then a wireless device cannot connect....even it has the password for the network.....unless it has been setup on the list of allowed devices in Timed Access.
I have checked this 3 times this evening to verify. It works as it always has, and as expected.
If the default rule in Timed Access is set to Unlimited, then any device can connect to the network if it has the password. Devices that are listed or specified in Timed Access will be allowed to connect at the specific times that have been set up for each device.
So, if you want to use the more traditional MAC Access Control settings, the default rule has to be set to No Access and then you must set up a rule for each device that you want to allow to connect to the network. Only devices on the Timed Access list will be allowed to connect to the network. Other devices will not be able to connect to the network....even if they have the correct password.
If a recent firmware update has changed things from what they have always been.....then I am not affected....and I should be if I am using the same firmware as others. -
Show Mac Address Table in ASR9k running XR
I'm trying to find a Mac Address in the ASR9k table. We have a server with multiple mac addresses and we need to know what MAC is being learned by what interface.
Thank you,
Use the command
show l2vpn forwarding bridge-domain <group_number>:<domain_name> mac-address location 0/x/CPU0
or
show l2vpn forwarding bridge-domain mac-address location 0/x/CPU0 -
CSCui55504 - show Mac address table from RP gives an error msg (but from SP works)
Hello Cisco,
Are there any updates or ETA regarding this bug, as our production 6500 core switch is experiencing this issue and viewing the mac-table is a critical activity we perform every day to troubleshoot client connections.
I'm having this same issue. I also have this line in my log, which is curious:
12/14/14 7:13:07.822 PM netbiosd[16766]: Attempt to use XPC with a MachService that has HideUntilCheckIn set. This will result in unpredictable behavior: com.apple.smbd
Is this related to the problem? What does it mean?
My 2010 27" iMac running Yosemite won't wake up from sleep. -
Mac address table corruption?
We are running Cisco 4500 chassis at the access layer, and have been for a few years without issue. Recently we started to experience issues where a mac address will just randomly "jump" to another port. User will call us and say their computer is not working. We will locate the mac, and its showing on the wrong port. We shut that port, do a no shut, and the mac jumps back to the correct port. In the example below, the mac address jumps to port 3/2, but is physically connected to 2/12.
!--issue before shut/no shut
mdf#show mac address-table | inc 9ebf
236 782b.cb8c.9ebf static ip,ipx,assigned,other GigabitEthernet3/2
!--port security knows the correct info however
mdf#show ip dhcp snooping binding | inc 9E:BF
78:2B:CB:8C:9E:BF xxx.xxx.236.193 76145 dhcp-snooping 236 GigabitEthernet2/12
mdf#show mac address-table int gi2/12
Unicast Entries
vlan mac address type protocols port
---------+---------------+--------+---------------------+-------------------------
3908 20bb.c021.ae58 static ip,ipx,assigned,other GigabitEthernet2/12 !--ip phone
mdf#show mac address-table int gi3/2
Unicast Entries
vlan mac address type protocols port
---------+---------------+--------+---------------------+-------------------------
236 1803.7339.d93d static ip,ipx,assigned,other GigabitEthernet3/2
236 782b.cb8c.9ebf static ip,ipx,assigned,other GigabitEthernet3/2 !--mac in question
236 782b.cb8c.c366 static ip,ipx,assigned,other GigabitEthernet3/2
3908 b414.89a2.2ae0 static ip,ipx,assigned,other GigabitEthernet3/2
!--fixing issue
mdf(config)#int gi3/2
mdf(config-if)#shut
!-- issue resolved
mdf#show mac address-table | inc 9ebf
236 782b.cb8c.9ebf static ip,ipx,assigned,other GigabitEthernet2/12
Switch is running cat4500e-entservicesk9-mz.151-2.SG2.bin, but also happened on cat4500e-entservicesk9-mz.151-2.SG4.bin and cat4500e-entservicesk9-mz.150-2.SG4.bin. Other switches have also had this issue occur.
Looks to me like a bug.
could you please provide me some more details on this:
1- How often this issue is occurring?
2- Is this occurring to specific ports or specific laptops which are connecting to this ports or is it irrespective of devices?
3- Is there any possibility that you try rebooting one of the switches if the issue is very often? (I know this is not a feasible solution, I know it is some issue with the firmware, but in case to avoid high impact you can reboot the switch and update me?)
4- Provide me with the logs from the switch?
5- I will do the bug scrub and let you know.
HTH -
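The comparison the poster makes by hand in this thread (the port in show mac address-table against the interface in show ip dhcp snooping binding) can be scripted to flag every MAC learned on a port other than the one its DHCP snooping binding records. This is an added example, not part of the original thread; the function names are hypothetical, the MAC table rows and the first binding line are copied from the post, and the second binding line is constructed.

```python
import re

DOTTED = re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)   # 782b.cb8c.9ebf
COLON = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)     # 78:2B:CB:8C:9E:BF
IFACE = re.compile(r"^([A-Za-z]{2})[A-Za-z-]*(\d+(?:/\d+)*)$")


def norm_mac(mac):
    """Reduce dotted or colon MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def norm_if(name):
    """Map long and short interface names to one form (GigabitEthernet2/12 -> gi2/12)."""
    m = IFACE.match(name)
    return (m.group(1) + m.group(2)).lower() if m else name.lower()


def parse_mac_table(text):
    """Return {(vlan, mac): port} from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        # Drop trailing '!--' annotations and the '*' primary-entry marker.
        tok = line.split("!")[0].replace("*", " ").split()
        if len(tok) >= 4 and tok[0].isdigit() and DOTTED.match(tok[1]):
            table[(int(tok[0]), norm_mac(tok[1]))] = norm_if(tok[-1])
    return table


def parse_bindings(text):
    """Return {(vlan, mac): port} from 'show ip dhcp snooping binding' output."""
    bindings = {}
    for line in text.splitlines():
        # Columns: MAC, IP, lease, type, VLAN, interface.
        tok = line.split()
        if len(tok) >= 6 and COLON.match(tok[0]) and tok[4].isdigit():
            bindings[(int(tok[4]), norm_mac(tok[0]))] = norm_if(tok[5])
    return bindings


def find_mismatches(mac_text, binding_text):
    """List (mac, vlan, bound_port, learned_port) where the two tables disagree."""
    table = parse_mac_table(mac_text)
    out = []
    for (vlan, mac), bound in sorted(parse_bindings(binding_text).items()):
        learned = table.get((vlan, mac))
        if learned is not None and learned != bound:
            out.append((mac, vlan, bound, learned))
    return out


# Rows copied from the post (show mac address-table int gi3/2).
SAMPLE_MAC_TABLE = """\
mdf#show mac address-table int gi3/2
Unicast Entries
 vlan   mac address     type        protocols               port
---------+---------------+--------+---------------------+-------------------------
 236    1803.7339.d93d  static ip,ipx,assigned,other GigabitEthernet3/2
 236    782b.cb8c.9ebf  static ip,ipx,assigned,other GigabitEthernet3/2 !--mac in question
"""

# First line copied from the post; second line is constructed for the example.
SAMPLE_BINDINGS = """\
78:2B:CB:8C:9E:BF xxx.xxx.236.193 76145 dhcp-snooping 236 GigabitEthernet2/12
18:03:73:39:D9:3D 192.0.2.10 80000 dhcp-snooping 236 GigabitEthernet3/2
"""

if __name__ == "__main__":
    for mac, vlan, bound, learned in find_mismatches(SAMPLE_MAC_TABLE, SAMPLE_BINDINGS):
        print(f"vlan {vlan} mac {mac}: binding says {bound}, MAC table says {learned}")
```

Run against periodic captures of both commands, the output answers the responder's questions about how often the jump occurs and which ports it involves.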
6509E with Sup720 - Show mac address
I have seen very strange behavior. The following two commands show different outputs...
core2#sho mac address-table dynamic | in cc04
7 0009.0fbb.cc04 dynamic Yes 150 Po10
core2#sho mac address-table address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
Po10 is etherchannel to core1. The MAC address is on the core2 and should never be learned on core1. Core1 doesn't learn this MAC address at all.
The commands are run at the same time. I repeated many times and it is the same... Any idea why?
Thanks!
Difan
Hi Jon,
Correct, I am not using VSS. However it is not a standard setup. The vlan 7 is extended to many other switches. The root is actually not core1 or core2. It also passes some provider to a different location as well. However like you said, all the correct ports are blocked. Please trust me on this.. If there is a loop, we will have a much more serious problem... At least our CPU will hike and the link will be congested, right?
I know your concern that the same packet could be somehow looped back through core1, which makes core2 learn the MAC on the port-channel interface to core1. However when this happens, core1 doesn't learn the MAC anywhere and on core2 one command shows the MAC but not the other command...
Also something interesting, even that MAC in the command will eventually disappear. Please note the aging time. The aging time configured on the vlan is 480 seconds. At last the MAC address is pointing to another interface like G1/1. That interface doesn't even have vlan 7 allowed on the trunk link.
core2#sho mac address-table address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
core2#
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 285 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 290 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 300 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 305 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 315 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 320 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 320 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 330 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 335 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 340 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 375 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 405 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 425 Po10
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 465 Gi1/1
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 480 Gi1/1
core2#show mac address-table | in 0009.0fbb.cc04
7 0009.0fbb.cc04 dynamic Yes 480 Gi1/1
core2#show mac address-table | in 0009.0fbb.cc04
core2#show mac address-table | in 0009.0fbb.cc04
core2#sho mac address-table address 0009.0fbb.cc04
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
No entries present.
core2#sh int g1/1 trunk
Port Mode Encapsulation Status Native vlan
Gi1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/1 64,72,156,214-216,300,600
Port Vlans allowed and active in management domain
Gi1/1 64,72,156,214-216,300,600
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1 64,72,156,214-216,300,600
Is it a bug?
Thanks! -
Can't clear mac address table from interface
hello all.
I'm facing a problem, and I've also tried to work around it but not successfully.
I've got a polycom phone on the switch. When I connect a laptop on that port, the mac address is learned by the switch and it keeps the mac address even if I disconnect the ethernet cable from that port, and if I try to connect the same laptop on another port on the same switch I get an errdisable error on the last connected port. Although I was figuring out what's wrong and it seems that the mac address is kept for some reason on the first port.
sw02#show mac address-table interface f0/19
Mac Address Table
Vlan Mac Address Type Ports
60 3c07.5417.9069 STATIC Fa0/19
80 0004.f21e.afa7 STATIC Fa0/19
this is a 2960, Version 12.2(44r)SE4
with a Polycom SoundPoint IP 330 connected on vlan 80
I was searching to clear the mac address table on that interface but the IOS version didn't give me the static option
sw02#clear mac address-table ?
dynamic dynamic entry type
move move keyword
notification Clear MAC notification Global Counters
As there's no dynamic entries on that interface the mac addresses remain on the f0/19 interface.
I've tried with other switches and with other laptops and is the same errdisable status.
sw02#show run int f0/19
interface FastEthernet0/19
description VoIP
switchport access vlan 60
switchport mode access
switchport nonegotiate
switchport voice vlan 80
switchport port-security maximum 5
switchport port-security
no snmp trap link-status
ip dhcp snooping limit rate 100
end
any thought?
the mac addresses are not manually configured.
yes, that's my point. when I disconnect the ethernet cable the mac addresses are not flushed from the mac table.
Although I don't understand why the mac addresses are kept in the interface, if I force the interface aging time to 1 min, the problem doesn't occur anymore.
I was reviewing the switch config and I've got ports with aging time 0 (that learn and flush the mac addresses dynamically) and I've got ports with aging time 1 (that learn and flush the mac addresses at the end of 60 seconds)
The problem is solved although I need to investigate this issue in other switch models and with other voip phones.
Tks Jon and Julio -
Primary N7k cannot query MAC address table
I try:
show mac address-table
show mac address-table <anything else>
The command just hangs on:
#sh mac address-table
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports
------------+-----------------------+-------------+---------+-----------+--------+------------------
The secondary N7k does not have this issue.
Rick
Do you have a redundant/backup supervisor engine in the N7K?
If so, try to failover to it - I have had instances where the MAC address for a specific host has become "stuck" in one supervisor engine, and the only solution was to failover to the second engine and restart the first.
If you don't have a redundant engine, you may have to restart your supervisor engine with the "reload module x" command, or by simply restarting the switch. Note that if you've only got one supervisor module and you reload it, you will lose traffic while it reboots.
Cheers -
What am i missing?
pixfirewall# show mac-address-table
^
ERROR: % Invalid input detected at '^' marker.
[EDIT: caret is under the A in mac ]
pixfirewall# sh ver
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"
pixfirewall up 175 days 11 hours
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 000d.28f9.62a5, irq 10
1: Ext: Ethernet1 : address is 000d.28f9.62a6, irq 11
2: Ext: Ethernet2 : address is 000d.8810.a620, irq 11
3: Ext: Ethernet3 : address is 000d.8810.a621, irq 10
4: Ext: Ethernet4 : address is 000d.8810.a622, irq 9
5: Ext: Ethernet5 : address is 000d.8810.a623, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has a Restricted (R) license.
Serial Number: 807234146
Running Activation Key: 0x6ab205ba 0x986d4239 0xf56523af 0x76f3d58b
Configuration last modified by enable_15 at 12:58:08.130 EDT Thu May 16 2013
pixfirewall# show mac-address-table
^
ERROR: % Invalid input detected at '^' marker.
Hi,
Command Modes The following table shows the modes in which you can enter the command:
Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
Privileged EXEC
Source:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s4.html#wp1448364
- Jouni -
SG-500-28P How to view mac address table?
The standard Cisco IOS command is show mac-address-table. This command isn't available on this switch.
FW v1.3.0.62
Thanks.
Show mac address-table
-
Maximum MAC address table size
Hello guys.
what is the maximum MAC address table for the Cisco 3750X series switches?
Scalability Numbers
MAC, routing, security, and QoS scalability numbers depend on the type template used in the switch. Routing template is not supported in the LAN Base feature set. Table 10 shows Cisco Catalyst 3750-X and 3560-X Series Switch scalability numbers.
Cisco Catalyst 3750-X and 3560-X Series Switch Scalability Numbers
                                  Access  Default  Routing  VLAN
Unicast MAC addresses             4K      6K       3K       12K
IGMP groups and multicast routes  1K      1K       1K       1K
Unicast routes                    6K      8K       11K      0
Directly connected hosts          4K      6K       3K       0
Indirect routes                   2K      2K       8K       0
Policy-based routing ACEs         0.5K    0        0.5K     0
QoS classification ACEs           0.5K    0.5K     0.5K     0.5K
Security ACEs                     2K      1K       1K       1K
VLANs                             1K      1K       1K       1K
-
Hi All
I did not type the following command. Why does it appear when I show run ? Which command can cause the issue? Thank you
mac-address-table static 0000.0c07.ac01 interface FastEthernet1/0 vlan 3
Hello,
It looks as if you have HSRP configured. Mac address 0000.0c07.ac01 is the HSRP virtual mac address. 01 at the end of the mac represents the HSRP group number.
Hope this helps,
Please rate helpful answers.
Thanks. -
Cat 2960 shows mac address port as "Drop"
Hi all
I am configuring a Cat 2960 port for connecting a VOIP phone, authenticated by MAB. On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice vlan. However, I then see no traffic from the phone on the switch. I can see the MAC address of the phone is learned in the right VLANs, but the mac address is showing as "Drop", which normally means the address is statically configured to be blocked. There is no static mac address table blocking configured on the switch. Can anyone suggest why this is happening?
Switch Version
Switch Ports Model SW Version SW Image
* 1 50 WS-C2960-48TC-L 15.0(1)SE3 C2960-LANBASEK9-M
Port configuration
interface FastEthernet0/1
description "Standard user port"
switchport access vlan 9
switchport mode access
network-policy 1
no logging event link-status
srr-queue bandwidth share 5 10 40 55
priority-queue out
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab eap
mls qos trust dscp
no snmp trap link-status
macro description vanilla_port
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 3
spanning-tree portfast
end
LLDP-MED network-policy
network-policy profile 1
voice vlan 835
Authentication (debug radius) result
Jul 30 11:42:19.600: %AUTHMGR-5-START: Starting 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %MAB-5-SUCCESS: Authentication successful for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:20.682: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Resulting Switchport config - voice vlan is 835
CLBdg640Test-AS2960-0#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 9 (NATIVE-DISCARD)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 835 (VOICE)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
LLDP neighbor info showing voice vlan 835
CLBdg640Test-AS2960-0#sh lldp neighbors fa0/1 detail
Chassis id: 0.0.0.0
Port id: 0004.f297.6668
Port Description - not advertised
System Name - not advertised
System Description - not advertised
Time remaining: 3558 seconds
System Capabilities: T
Enabled Capabilities: T
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
100base-T2(HD)
100base-TX(FD)
100base-T4
10base-T(FD)
Media Attachment Unit type - not advertised
Vlan ID: - not advertised
MED Information:
MED Codes:
(NP) Network Policy, (LI) Location Identification
(PS) Power Source Entity, (PD) Power Device
(IN) Inventory
Inventory information - not advertised
Capabilities: NP
Device type: Endpoint Class III
Network Policy(Voice): VLAN 835, tagged, Layer-2 priority: 5, DSCP: 46
PD device, Power source: PSE, Power Priority: High, Wattage: 6.5
Location - not advertised
Total entries displayed: 1
MAC address table showing "Drop" port for learned address in VLAN 835
CLBdg640Test-AS2960-0#sh mac address-table address 0004.f297.6668
Mac Address Table
Vlan Mac Address Type Ports
9 0004.f297.6668 STATIC Fa0/1
835 0004.f297.6668 DYNAMIC Drop
Total Mac Addresses for this criterion: 2
Thanks for updating the problem raarons!