MX64 - how to identify which mac addresses is attached to which interface

SOLVED
Ole_Soerensen

The ASA command equivalent to see this sort of info would be "show switch mac-address-table".

 

I can run an ARP request on the MX, but that is close to useless since it only lists... well, ARP... IP to MAC... no interface info is given.

 

Has anyone found a way to display this info that I am not aware of?

 

BR /Ole


45 REPLIES
PhilipDAth

Cisco switches have the "show switch mac-address-table".  A Cisco Meraki switch has similar functionality.

 

Cisco ASA's do not have the "show switch ..." command, and alas neither do Meraki MX appliances.


@PhilipDAth wrote:

Cisco ASA's do not have the "show switch ..." 


Well... that's not correct - for your information, this depends on the model of ASA:

ASA5505# sh switch mac-address-table
Legend: Age - entry expiration time in seconds

Mac Address | VLAN | Type | Age | Port
-------------------------------------------------------
0011.3278.xxxx | 0001 | dynamic | 287 | Et0/1
0011.327b.xxxx | 0001 | dynamic | 287 | Et0/1
0017.8816.xxxx | 0001 | dynamic | 287 | Et0/2
0018.a977.xxxx | 0001 | dynamic | 287 | Et0/1
001d.9404.xxxx | 0001 | dynamic | 287 | Et0/3
0022.6b74.xxxx | 0001 | dynamic | 287 | Et0/1
0023.5ec6.xxxx | 0001 | static | - | In0/1
189c.5df4.xxxx | 0001 | dynamic | 287 | Et0/1
...

 

Best regards.

Preben Knudsen
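
An added example, not part of the original post: a small Python parser for the `show switch mac-address-table` layout quoted above, which groups learned MACs by port and lists ports carrying more than one address (typically a downstream switch or AP). The function names are assumptions made for this example; the sample rows are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Rows as quoted in the post above (last MAC group masked by the poster).
SAMPLE = """\
ASA5505# sh switch mac-address-table
Legend: Age - entry expiration time in seconds

Mac Address | VLAN | Type | Age | Port
-------------------------------------------------------
0011.3278.xxxx | 0001 | dynamic | 287 | Et0/1
0011.327b.xxxx | 0001 | dynamic | 287 | Et0/1
0017.8816.xxxx | 0001 | dynamic | 287 | Et0/2
0018.a977.xxxx | 0001 | dynamic | 287 | Et0/1
001d.9404.xxxx | 0001 | dynamic | 287 | Et0/3
0022.6b74.xxxx | 0001 | dynamic | 287 | Et0/1
0023.5ec6.xxxx | 0001 | static | - | In0/1
189c.5df4.xxxx | 0001 | dynamic | 287 | Et0/1
...
"""

# One data row: MAC | VLAN | Type | Age | Port. "x" is accepted in the MAC
# only because the quoted output masks the last group.
ROW = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-fx]{4}\.){2}[0-9a-fx]{4})\s*\|"
    r"\s*(?P<vlan>\d+)\s*\|"
    r"\s*(?P<type>dynamic|static)\s*\|"
    r"\s*(?P<age>\d+|-)\s*\|"
    r"\s*(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return one dict per table row; prompt, legend, header and '...' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        age = m.group("age")
        entries.append({
            "mac": m.group("mac").lower(),
            "vlan": int(m.group("vlan")),
            "type": m.group("type").lower(),
            "age": None if age == "-" else int(age),  # static rows show "-"
            "port": m.group("port"),
        })
    return entries


def macs_by_port(entries, learned_only=True):
    """Group MACs per port; static rows (such as In0/1 above) are optional."""
    ports = defaultdict(list)
    for e in entries:
        if learned_only and e["type"] != "dynamic":
            continue
        ports[e["port"]].append(e["mac"])
    return dict(ports)


def shared_ports(entries, max_macs=1):
    """Ports that learned more than max_macs addresses, i.e. something that
    bridges several devices (an unmanaged switch or AP) hangs off that port."""
    return {p: m for p, m in macs_by_port(entries).items() if len(m) > max_macs}


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE)
    for port, macs in sorted(macs_by_port(table, learned_only=False).items()):
        print(f"{port}: {len(macs)} MAC(s) {', '.join(macs)}")
    print("shared ports:", sorted(shared_ports(table)))
```
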

I might be relatively new to Meraki, but I'm far from new to the Classic and Security portfolio, and I assure you that the command “show switch mac-address-table” is very much an ASA “thing”!

On the smaller platforms (those with a built-in switch module), the 5505 as an example, this command is very useful in remote troubleshooting... to check if things are attached as expected... and I miss it on the Meraki MX... especially since the MS switches have this kind of info on parade (incl. vendor lookup etc.) 😊

 

@Ole_Soerensen well, let's just say the switch command does not exist on any current model ASA.

@PhilipDAth OK, I haven't tried it on the new 5506-x, but was kinda expecting the command to work as it did on the 5505... have you verified the absence of the command on the 5506-x? Otherwise I will check myself when I get around to it.

 

br /Ole

The 5506 no longer has switch ports on it. Only routed interfaces.

Mr_IT_Guy

If it were possible to do this, I'd be SOOOOO HAPPY. Alas, every day I'm putting in wishes to make this a possibility...

Terrence

In the dashboard go to the site that you want to look at.

go to network-wide

In the clients section, click on the +

Add port and mac address

The clients section will now show you the port  and mac of the clients.

CMNO, Dell Certified, A+


@Terrence wrote:

In the dashboard go to the site that you want to look at.

go to network-wide

In the clients section, click on the +

Add port and mac address

The clients section will now show you the port  and mac of the clients.


Not quite... only for the switch - not the MX firewall... But it would be SOOOO nice if it were true.

I'm also requesting the feature Ole is asking for... which is to have more information on devices connected to the MX firewall, just like the Meraki switch...

 

Best regards

Preben Knudsen

TW

Same issue for the MX65. This option is very useful when you have to do remote troubleshooting.

 

On the client view, we have only these options:

mx65.png

jamesht

I also wish we had a way of looking at every single port on an MX64/65, even if it meant going to mx.meraki.com or setup.meraki.com and seeing the MAC address of every port. It makes no sense how you cannot click on the security appliance ports like you can on the MS120 page and see what is connected, or how you can go to the clients list and see ports and MAC, but again that is only displaying info for the switch. Why is the appliance always left out?

For those of you wondering, I have used the dashboard, the GUI of my cable modem and our netreo/omnicenter monitoring service to conclude the following:

If the base MAC ends in, say, xx:50, then LAN4 aka WAN2 will end in xx:54 and INTERNET aka WAN1 will end in xx:55, and no matter which port you plug your MS switch into (port 1, 2 or 3), it will always have the base MAC xx:50.

I plugged my switch into port 2 and 3 and it still reads a base MAC of xx:50. I can see that in clients and in uplink port 24 on the switch, or port 8, depending on which Meraki switch you have.

Cisco/Meraki,

 

This is absolutely essential. So much time is wasted calling up remote clients, having Grannie Smith try to trace a client device's cable through several bundles which some local repair tech "helpfully" zip-tied together... It's a blasted wreck, and there's no reason that the device should be unable to tell me what port its clients are connected to.

 

Thanks!

@MegaSmithers Meraki switches can tell you what port a device is connected to. Just add those columns to the display. Tracing cables is the old way of doing things. No one does that anymore.

 

a.PNG

Do you know about magic URLs like switch.meraki.com that a user can type into their browser to also establish where they are plugged into?  You can learn about these here:

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M...

The original post is referring to and asking about the MX64 security appliance; we are not discussing what you can do on the switch page of the dashboard. With that said, the "security appliance & SD WAN" page of an MX64 is very basic and offers no granular control over each individual port(s) 1-4 & internet.
GIdenJoe

To quickly know of the WAN interface, try sending traffic through it and at the same time execute a capture using the dashboard on the internet port (WAN1 or 2, depending on where you send it). Just use the display; you don't even need to use the pcap file option, and you can see the MAC address your MX uses.

In normal circumstances, without using VLANs on your WAN, the MAC address on WAN1 is always 1 higher than the system MAC and WAN2 is 2 higher.
If using warm spare, there is a virtual MAC being used, but the last part is also related to the system MAC part.

No, it is not +1 or +2. Did you even bother to read my post? If the base MAC, for example, is xx:xx:xx:xx:1c:c0, then port 4 used for WAN2 would be 1c:c4 and port 5 aka internet for WAN1 would be 1c:c5 🤦‍♂️

Clipboard02.png

In your own lab environment, if you had, say, a cable modem plugged up to WAN1, you can log into it and see the device list, and you will find it is correct like above; or you can call your ISP and ask what MAC is bound to their CPE, and it will match accordingly.

GIdenJoe

Sorry, I'm more used to having MX84 appliances, where the WANs are numbered 1 and 2 instead of 4 and Internet (5).
Just wanted to make my point that a packet capture on the dashboard always shows the correct MAC.

Yes, I did read the post wrong. I thought he meant the outgoing interface of the appliance, not the MACs on the segments in front of the MX, sorry again 😉

Yikes, that's not confusing at all. Thanks, good to know it starts from internet 1 and 2, so +1 +2 to base MAC.

It's March 4 2020, and having access to many MX 64 and 65 units that I manage with the latest firmware, it is confirmed there is no Port option in the column expansion options for the Network-wide > Clients list page.

It is June 17th 2020 and this feature still does not exist!  It would make so much sense if it did!  I need it right now as a matter of fact! 🙂

 

rif

Yes I second that, again.  Meraki devices have an inconsistent experience.  It's all about remote and cloud management, simplified IT, etc. etc., and yet a most basic feature that 100% of network admins would say they need, is non-existent.  Sad to say but it demonstrates poor judgement and inconsistent marketing.  MX64/65 units are the primary go-to for anyone taking the promo webinar to get their first taste of Meraki, and yet the product is missing, again, what 100% of network admins would say is a critical feature and so basic to implement it shows a lack of product maturity to be missing it.  Anyway, not much point in getting into all this again but thanks for the timeline update!   I hope someone will keep a pulse on this issue over the months (or years....).  


@ValleyITPC wrote:

MX64/65 units are the primary go-to for anyone taking the promo webinar to get their first taste of Meraki, and yet the product is missing, again, what 100% of network admins would say is a critical feature and so basic to implement it shows a lack of product maturity to be missing it. 


I tend to disagree, and even that makes it less than 100% 😉 Yes, the MX is definitely missing things but you already mentioned its strengths: ease of operation, Cloud based management, constant improvement and especially integration into the Meraki (and Cisco) ecosystem. It's about taking a fresh approach to things, of course this is breaking some "old school" thinking!

 

Just be aware of MXs shortcomings and you can be very happy with it! Of course don't stop bugging Meraki for the features desperately needed. 😉

cmr

It was added to the dashboard about 6 months ago and had an issue where some of the information was displayed for the neighbouring port (1 up or down, I can't quite remember) so it was withdrawn within a week.  It does definitely deserve a comeback, @MerakiDave can we find out what happened to the ports page for MXs?

+1!

 

rif

jbaker

Perhaps ValleyITPC barely overstated it by claiming 100% of admins would agree... but I have quite a bit of trouble in believing that it is less than 99.99% who would agree. -- This is NOT a request for support of "old school" thinking. Are you sure you understand what people are asking for in this thread, for you to dismiss it that way? Because this is exactly the opposite, where knowing port information for a downstream device WITHOUT having to be physically present or go trace the cable, I would say (in agreement with ValleyITPC) is PRECISELY the more modern, cloud-based approach to things.

 

Every admin who is doing much more work on a network than whatever it is that my hometown barber shop does for theirs, is going to need to figure out WHICH PORT a certain device is connected to at some point or another... E.g. So that they can make changes to that individual device's VLAN / DHCP scope perhaps... or else to determine if it is safe to limit bandwidth or apply a Group Policy on a port, based on which downstream devices connected to a "dumb switch" would be affected at once... Or perhaps to actually track down where some """helpful""" yahoo at the MX's site has installed the newest "dumb switch" on a downstream port without the admin's knowledge... Or any number of other issues, like a remote admin having an on-site technician (or untrained end-user, who would definitely trace a cable incorrectly even if their life somehow depended on it) to unplug the correct cable for them to then relocate that particular device to another port or remove it entirely.

 

Not being able to see this VERY BASIC INFO that Meraki MX devices simply will not reveal for some truly unfathomable reason is what is frustrating to so many people like myself. -- I'm glad to hear that your network is so simple (or else, so flawlessly documented by every, single, solitary person making the slightest change, either physical or logical) that you apparently never have these sorts of problems... or maybe you simply don't mind wasting an hour driving (or heck, 8 hours flying) to a remote location to trace a cable down... However, the rest of us who live in what I would call the real world, run into them all the time, and have to go to excess and quite wasteful effort to resolve them, precisely because of this tragic flaw in the MX admin interface.

 

There are, as you say, very many reasons to be happy with Meraki of course. Their rather inconsistent reporting of current VPN status is not one to be happy over, nor is the unpredictable delay before updates are applied (vs. ssh-ing into a Cisco switch for example), and several other such things... HOWEVER all of those are INDEED things that we (generally) accept as being shortcomings that are reasonable tradeoffs because it is cloud-based. -- But honestly and quite simply, this is not one of those "reasonable" ones... This issue (along with the complete inability to similarly put even a simple DESCRIPTION in an MX port's config) is the kind of glaring omission that should have been addressed in the beta or even alpha version of their software, much less this many years after their MX products have been on the market.

 

Come on, Meraki, get on the ball already with this one!

 

That was a mouthful but I read the entirety and enjoyed it.  

So today is Oct 1 2020.  When logging into my MX67's I see I can still edit the Clients view to add a Port column.  FYI to anyone that doesn't know, there's also a Connected To column option, which I think perhaps is just for AP's, or that's all I saw when I was in there.  

 

Still cannot do this on the MX65. 

 

I can't seem to track down any MX64's at the moment to check.  

 

I think this one just needs to get some priority for it to get done.  It's the kind of thing that should get done as a matter of embarrassment not having it, over new features. I do try to stay positive, but if I'm ever on the phone remotely with a client that says "can't you even see which is connected to what port?, now I have to pay you to drive or fly out here???", my first thought will be "damn you Meraki, c'mon for F sakes get your sh** together".  Luckily that hasn't happened for me yet.  

 

Perhaps the MX64/65 memory space is so packed that adding the logic and table adjustments to process this feature creates a shuffle effect requiring adjustments all around.  I'm not a developer but I just don't really see why this isn't put in yet, unless as I think I said once before, it's for product positioning reasons why someone mistakenly thinks it's a good idea to leave this basic thing out to drive adoption of higher end MX's that do provide this visibility.  

 

One thing that I do wish Cisco could do more of is participate in these forums.  To compare, Symantec has been very disconnected over the years from their customer base, and in many ways still suck because they outsource all their frontline support to new overseas teams with little experience and poor logistical/training support, but this year since the Broadcom merger and a change up in their endpoint security product lines, their senior tech, engineering, and product management people are all over the forums on a daily basis.  This creates real engagement and feedback loops, rather than what sort of seems the case at Cisco where frustrations are vented, mixed in with real feedback that's probably lost in the mix.  Maybe Cisco quietly monitors the forums for info, but I guess participation is very limited by what I've seen. I can't say enough thanks for the MVP/frequent-poster type people on here.  They are the lifeblood of any tech company - even if that tech company is too lame-brained to realize it.  MVP's should be paid for this work as a show of appreciation, as it reduces support calls and well, anyway.  Thank you to you guys on that.  

 

Here's hoping somebody in engineering gets this Ports thing done.  Meanwhile it remains one reason why Meraki MX64/65 units are not ideal remote connectivity solutions for times when nobody onsite is able to trace cables through the walls and ceiling.  🙂

cmr

@ValleyITPC are you sure you are seeing the port for an MX? I only have this option for combined networks that include an MX, and when you look at the connected to, the devices that have an MX there have no port. If I go to an MX-only network (even with an MX250) I don't get this option.

... me too!  I'd say still no option for port/mac address association on ANY stand alone MX 😞

 

rif

"When logging into my MX67's I see I can still edit the Clients view to add a Port column."  I am logged into an MX67 running MX 14.42 but do not see an option for "port" in the Clients view add a column option.  Is it only available on later software releases?

 

rif

jbaker


@ValleyITPC wrote:

That was a mouthful but I read the entirety and enjoyed it.  

[...]

 

Still cannot do this on the MX65. 

 

I can't seem to track down any MX64's at the moment to check.  


Yeah, @ValleyITPC, I knew I was getting carried away (almost decided to cancel my post 3 separate times - LOL) but glad you enjoyed it despite the rambling length of it. 😀

 

Anyway, I can confirm for you that the MX64W is not an exception to the rule either... No Port option in its client view. And like the post from @cmr about the higher-end MX250, I can confirm that at least the MX84 and the MX100 both do not have it either. -- We even have the newer MX67C and MX68CW in a few places, and unfortunately neither of those support it either when I look at them.

 


@ValleyITPC wrote:

I think this one just needs to get some priority for it to get done.  It's the kind of thing that should get done as a matter of embarrassment not having it, over new features. I do try to stay positive, but if I'm ever on the phone remotely with a client that says "can't you even see which is connected to what port?, now I have to pay you to drive or fly out here???", my first thought will be "damn you Meraki, c'mon for F sakes get your sh** together".  Luckily that hasn't happened for me yet.  

HA!! @ValleyITPC, I think that's what they call a "flag"! -- So, good luck this weekend, 'cause I have a feeling you may need a little! 🤣

Ah ha.  I'm a dummy.  So, I do have a Ports column, but I think it's only being populated due to the MS120. Even though, if I click on the port # (as seen in the screenshot), it brings me to the MX appliance page and not the MS page. And obviously, I can't have a Port 6 on an MX67 that has only 4 lan ports, so that kind of confirms that it's the MS it is bringing in here.  Tricksey tricksey!  

 

Hey @jbaker , what do you mean by this weekend?  Something happening I don't know about? lol

 

ValleyITPC_0-1601580873098.png

 

Guess what, everyone... the Meraki mobile app shows client port numbers! Before you get too excited, there seems to be a bug there as well. When you first click on a client it brings you to the "usage" tab; there it shows a port number in green. For instance, the one I am looking at now reads port 4 via the MAC address of the MX, but when you click on the "details" tab and scroll down to "wired connection" it says port 3. It is the latter reading that seems correct. If they have this kinda working on the mobile app, I wonder why it doesn't appear in the Dashboard?

 

rif

cmr

@rafaelertel This was the same issue that the dashboard page had and it was pulled after a few days never to return 🙁

... ah yes, I seem to remember that being mentioned earlier.

 

rif 

Hi Everyone,

 

Thank you very much for the feedback. This is a valid feature request. We have been working on some improvements to the MX ports section. I would really like to discuss over WebEx if possible with anyone on this thread. I would like to ask a few questions to help guide our team as we continue to improve the Meraki MX platform. Please feel free to send me a direct message.

 

Thanks again.

 

 

[MOD NOTE: Marking this as the solution for greater visibility, NOT to indicate that the issue is solved. Cheers!]

@Bsalami  I imagine others on here are better suited for a full conversation on feature improvements than I am.  I'm good at spotting issues, but I only go into the dashboard on occasion for each of my clients so I hadn't to date compiled an actual list of things. 

 

Well, one thing that is still an issue to some extent, is why does Apple FaceTime perform so poorly through Meraki hardware.  I have different Cisco networks here, one based on Meraki gear, another based on RV and WAP hardware, and some ASA and other things.  Facetime only ever has problems when I am on Meraki.  This is a known issue, commented on often in this forum and elsewhere, and while I don't spend a lot of time researching this one, I wonder why?  Is it a certain protocol?  Is Cisco using standards whereas Facetime violates them, thus the issue, or vice versa, or is WMM default settings having a problem, etc.  

 

When I have issues with Facetime I just change over to another net and the issues always go away, so that's my workaround, but it'd be great to understand why this is the case, and it's not the positioning of the AP's or whatnot.  I could start a Zoom meeting from my phone, standing in exactly the same spot as I was for Facetime (which I've done a few times).  Zoom works, Facetime has issues.  

 

Odd stuff! 🙂

@ValleyITPC Everybody's input is definitely welcomed and highly valued. I will send you a direct message to address the FaceTime inquiry so that we keep this thread consistent on the MAC address to port mapping issue, or we can create a new thread for that.

@rafaelertel Thanks for your time and input today!


I would encourage everyone on this thread who desires this mac address functionality to DM Bsalami.  We met via Webex and he was very receptive to our request for this functionality.

 

rif

@Bsalami   If your request is still valid, I am more than willing to participate, if it can get us any closer to a solution.

Did the WebEx take place? What is the status? Will this be implemented soon?

 

Thank you!

Bsalami
Meraki Employee

@Ole_Soerensen Absolutely, I'll send you a DM.

Has there been any movement on this?

What about API options to gather this information?

I have neither seen nor heard of any updates 😞

Hi Bsalami,

Do you have an update around being able to see mac addresses on lan ports of meraki mx devices?

For MX68s, since not very long ago, you can see which client is connected to which MX68 port in the Clients overview.
