User Tracking Oddity

Joe Clarke Tue, 10/02/2007 - 12:24

Sounds like a pop-up blocker to me. If you put in a query that has no hits, the window will quickly disappear, and a pop-up window will appear in its place. If you have a pop-up blocker in your browser, then the pop-up window telling you that there was no data matched by the query will be blocked.

ernestly Tue, 10/02/2007 - 17:15

Hi jclarke,


How accurate is this user tracking from LMS/Campus Manager? There are times that I tried using this feature to find out if a particular IP address is being used by any host in the network. So I am just wondering how accurate it is when the user tracking returns a result saying that the IP does not belong to any host in the network.


Regards

Joe Clarke Wed, 10/03/2007 - 07:06

User Tracking 4.x is only as accurate as your acquisition interval. It is quite possible that you could miss users on your network if they connect then disconnect between acquisitions. As for the accuracy of the information acquired, it should be perfect given properly configured devices with no bugs (ha!). In other words, the algorithm is sound. If you're certain an IP address must exist, then it is either that a new UT acquisition needs to run, or there is a config or device problem.


User Tracking 5.0 is more accurate since it can use MAC address notification traps to detect users entering and exiting the network in near real-time.

Hey there jclarke -


So UT has done a discovery and all, but another strange thing... A lot of addresses simply have the MAC address listed, but not the IP address. I am using the host I am browsing to Ciscoworks on as an example. It lists the switch, port, VLAN, MAC, but no IP address. Please advise! Thanks!

jedavis Thu, 10/11/2007 - 04:34

Someone correct me if I am wrong, but I believe that UT has to poll the ARP table of a layer 3 device to resolve the MAC/IP relationship. This would preferably be the default gateway(s) for the LAN.


I have a similar situation with some internal LANs that are behind ASA firewalls. Devices behind the ASAs use the ASA as the default gateway address, and the IP addresses for these devices do not show up in UT reports. To add them, I dump the ASA ARP table into an MS Excel spreadsheet and use a VLOOKUP function to match the MAC to the IP. Any hope of ever getting UT to recognize the ASA as an L3 device and automating this process?
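A scripted version of the ARP-to-UT join described above, as an added example that is not code from this thread or from LMS/Campus Manager; the ASA "show arp" lines and the UT rows are constructed samples, and the column layout assumed for "show arp" is interface, IP, MAC, age:

```python
import re

# Constructed sample of ASA "show arp" output (interface, IP, MAC, age in seconds).
ASA_ARP = """\
inside 10.20.30.11 0011.2233.4455 120
inside 10.20.30.12 0011.2233.4466 3540
inside 10.20.30.13 001b.d5d8.0c01 15
"""

# Constructed UT-style rows: switch, port, VLAN and MAC known, IP column empty.
# MACs are deliberately in mixed notations to exercise normalization.
UT_ROWS = [
    {"switch": "sw-dmz-1", "port": "Gi1/0/3", "vlan": 30, "mac": "00:11:22:33:44:55", "ip": ""},
    {"switch": "sw-dmz-1", "port": "Gi1/0/4", "vlan": 30, "mac": "0011.2233.4466", "ip": ""},
    {"switch": "sw-dmz-1", "port": "Gi1/0/7", "vlan": 30, "mac": "00-AA-BB-CC-DD-EE", "ip": ""},
]

def normalize_mac(mac):
    """Collapse colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return digits

ARP_LINE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]{14})\s+(\d+)\s*$")

def parse_asa_arp(text):
    """Return {normalized_mac: ip} from 'show arp' text; non-matching lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[normalize_mac(m.group(3))] = m.group(2)
    return table

def enrich(ut_rows, arp_table):
    """Fill empty IP fields from the ARP table; return (new_rows, unresolved_macs)."""
    out, unresolved = [], []
    for row in ut_rows:
        key = normalize_mac(row["mac"])
        new = dict(row)  # do not mutate the caller's rows
        if not new["ip"] and key in arp_table:
            new["ip"] = arp_table[key]
        if not new["ip"]:
            unresolved.append(row["mac"])  # still no ARP entry: host silent or aged out
        out.append(new)
    return out, unresolved
```

Hosts left in the unresolved list are the ones the ASA has no ARP entry for, which is the same gap the aging-time discussion later in the thread is about.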

Joe Clarke Thu, 10/11/2007 - 08:16

Since the ASA, PIX, and FWSM devices do not support CDP, it is unlikely they will ever be supported by Campus Manager. As a workaround to this, I use a sacrificial router on my DMZ subnet that collects ARP entries. It isn't perfect, but it gets a lot of the active hosts.

jedavis Thu, 10/11/2007 - 04:22

One thing to watch out for with user tracking is that it seems to key on the switch CAM tables. In other words, a switch port may be active, but unless there is a MAC address associated with the port then user tracking will not record an entry in its DB. So if you have devices that don't communicate for long periods of time they will not show up in user tracking. For example, in my environment we have some devices that start talking on the network only when an exceptional condition occurs, which may be once a month or so. These do not show up in user tracking.


A practice which helps mitigate this problem is to raise the MAC address aging times on your switches. The default is 5 minutes. I generally use 4 hours to match the layer 3 ARP aging.

Joe Clarke Thu, 10/11/2007 - 08:16

Performing ping sweeps prior to UT acquisition should get around this problem.

jedavis Thu, 10/11/2007 - 10:43

Oddly enough, I just noticed that sometimes the IP address does show up in the UT report on these firewalled LANs. On a LAN where the ASA is the only layer 3 Cisco device, the IP address shows up for 25 of the 91 entries. Where would UT be picking these up?


Also, I was going to suggest that it would be great if a ping sweep option was built into UT acquisition. Then I checked and discovered there already was (been a long time since I configured this!). A couple of questions though:


1) Wait interval. What is this? Wait interval between what events?

2) The documentation states that ping sweeps will not be performed for "large subnets", but doesn't define exactly what constitutes a large subnet. It states "For example, subnets containing Class A and B addresses". What does this mean? If I have an address that falls within the classic class B range, yet it has say, a /22 mask, will it be excluded?

Joe Clarke Thu, 10/11/2007 - 10:50

You need to put a supported router on the subnet, crank its ARP timeout to max, and see what entries you get.


1. Wait between pings. By default, this is 0. That could cause some interesting IDS events on some networks.


2. Ping sweep will only sweep subnets that are class C or smaller. Anything bigger than a /24 will not be swept.

jedavis Thu, 10/11/2007 - 10:56

Thanks. But on the first point, my question is where UT is getting the few addresses that it does on these firewalled VLANs today. There is no supported router with an interface on this particular LAN, yet UT is coming up with IP addresses somewhere. Where?
