What is the equivalent command on an SRX 5800 box?
The 'show ethernet-switching table' is not available on an SRX.
show bridge mac-table
Thanks for the response pantunes.
That command executes, but it shows no data at all. The 'output' is completely empty.
How is it possible to not have MAC addresses on our Firewall?
The 'show arp' command reports mac/IP data, but this is only for devices that have had specific communication to them and not for devices that it listened to on the net. The 'show ethernet-switching table' shows devices that it listened to on the network regardless of whether the devices had traffic sent to it or not.
But did you configure bridge domains on your SRX?
There are no bridge domains configured on our SRX.
So, is the 'show arp' the only way on an SRX to find out MAC addresses on the connected interfaces?
'show arp' is not complete - as you probably know - since it only shows MAC addresses for communication that already happened as opposed to devices quietly sitting on the network.
It will be odd if there is no sure way on an SRX to see MAC addresses of all devices, communicated to or not.
If a device hasn't yet "communicated" there is no way to know its MAC.
Our EX device has 222 unique MAC addresses in the 'show ethernet-switching table' output whereas the 'show arp' command shows only 32 MAC addresses.
Why is that?
To my understanding, the 'show arp' only reports devices where 'communication' was sent to, such as a ping, ssh, http or some other direct traffic towards the device. Also to my understanding, the 'show ethernet-switching table' shows all devices that share a LAN with the local device (EX in this case), regardless of whether traffic was passed onto it or not.
Now for an SRX device, the 'show ethernet-switching table' does not exist, so how can I see all the MAC addresses that share LAN(s) with the SRX device?
Our SRX box is a firewall, and since a lot of traffic passes over it, its 'show arp' output is large due to returning packets containing the MAC addresses in it, even if the device is two hops away and not locally attached on a LAN.
So, how can I see all the MAC addresses of devices that reside on LAN(s) that sit right next to our SRX device?
You should review your concepts of ARP and Layer 2 switching. I will explain very briefly:
1- An ARP table is a mapping between a MAC address and an IP address. You need an ARP table when you want to send/route an IP packet (Layer 3) to some host. Basically it means: if you send/route an IP packet to IP X please use MAC Y. An ARP table exists on hosts (PCs) and routers.
2- A MAC table is a mapping between a MAC address and a port on a switch. Basically it means: if you want to switch (i.e. Layer 2) a frame destined for MAC X please forward through port Y. A MAC table exists on a switch.
As you see these are two highly distinct concepts.
On Junos, the following commands can be used:
1- to check the ARP table: show arp
2- to check the MAC table: show ethernet-switching table or show bridge mac-table (it depends on the platform, you haven't said which SRX you are using)
Is your SRX being used as a switch (transparent mode)? It seems not, so forget the MAC table.
In both cases you learn the mappings by listening to the traffic. If some device never sends traffic then your platform has no way to guess its MAC address whether it is for the ARP table or for the MAC table.
So the solution for your problem is to ping IP addresses one by one (or ping broadcast IP addresses of your LANs) and see the result with show arp.
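The procedure in the reply above (ping, then read show arp), as an added example that is not part of the original thread: Python that parses saved `show arp` output, lists the unique MAC addresses per interface, and reports which host addresses in a subnet still have no entry. The sample output, its addresses and MACs, and the 192.0.2.0/29 subnet are constructed; the column layout (MAC Address, Address, Name, Interface, Flags) is assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `show arp` output (addresses and MACs are made up).
SAMPLE_SHOW_ARP = """\
MAC Address       Address         Name                      Interface           Flags
00:1b:21:aa:00:01 192.0.2.1       192.0.2.1                 ge-0/0/0.0          none
00:1b:21:aa:00:02 192.0.2.2       host2.example.net         ge-0/0/0.0          none
00:1b:21:aa:00:02 192.0.2.3       192.0.2.3                 ge-0/0/0.0          none
00:1b:21:bb:00:09 198.51.100.9    198.51.100.9              ge-0/0/1.0          none
Total entries: 4
"""

# MAC, IPv4 address, name, interface (assumed column order).
ROW = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)", re.I
)

def parse_show_arp(text):
    """Return (mac, ip, interface) tuples; header and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append((m.group(1).lower(), ipaddress.ip_address(m.group(2)), m.group(4)))
    return entries

def macs_by_interface(entries):
    """Unique MAC addresses seen per logical interface."""
    out = defaultdict(set)
    for mac, _ip, ifname in entries:
        out[ifname].add(mac)
    return dict(out)

def unresolved(entries, subnet):
    """Host addresses in `subnet` with no ARP entry: not pinged yet, or nothing answers there."""
    seen = {ip for _mac, ip, _ifname in entries}
    return [h for h in ipaddress.ip_network(subnet).hosts() if h not in seen]

if __name__ == "__main__":
    arp = parse_show_arp(SAMPLE_SHOW_ARP)
    for ifname, macs in sorted(macs_by_interface(arp).items()):
        print(ifname, sorted(macs))
    print("no ARP entry yet:", [str(h) for h in unresolved(arp, "192.0.2.0/29")])
```

One MAC listed against several IP addresses, as in the second and third sample rows, counts once per interface.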
Thank you for your thoughtful and clear response.
We are using an SRX 5800 and it is being used as a Firewall. This is probably why there is no MAC table as you indicated, but only an ARP table based on already flowed traffic.
I am new to network administration and also Juniper, so I am learning as quickly as I can, but also avoiding asking too many silly questions along the way.
So, the answer is: to find MAC addresses for devices that connect to our SRX 5800 Firewall, one has to ping it to populate the ARP table and from there get the MAC address.
Thank you again.
This command did not work for me on my MXs running Version 16.1R5.7
Below is what I had to use.
show interfaces mac-database ge-1/0/4