Our IAPs are logging the dropped traffic of clients using wrong IPv4 addresses and even more wrong IPv6 addresses. I'd like to figure out the client's MAC address and learn which device is sending this traffic, but that Layer2 information is not included in the syslog message:
cb-a1-ap# sh log security
Sep 20 16:46:42 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 32 srcip=32.192.1.132 dstip=65.152.37.92, dpi-dst=App Unknown, action=deny
Sep 20 16:49:47 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 0 srcip=4006:f56:a04:33f:1139:cf3:fa5a:1bb dstip=15f9:35a1:abd2:5781:8011:401:be39:0, action=deny
Sep 20 16:49:47 stm[5258]: <124006> <WARN> |AP cb-a1-ap@10.201.4.121 stm| proto = 0 srcip=4006:8a4f:a04:33f:4815:5b1d:fa5c:50 dstip=1427:10e5:ac6a:f6e2:8010:401:3d03:0, action=deny
Is there a place to look to see which client sent this traffic?
Thank you for your thoughts!
------------------------------
--Scot
------------------------------