LMS/L2 sw

Answered Question
Sep 13th, 2008
User Badges:
  • Silver, 250 points or more

hello


Suppose I have CW LMS connected to an L2 switch. This switch has int VLAN 1 shut down and an IP address in VLAN 2. CW has an IP in the same subnet as int VLAN 2.

v3 also exists in the switch.

Can CW/LMS track computers in VLAN 2 and 3? I.e., can we obtain the list of computers attached to each port on this switch?


Joe Clarke Sun, 09/14/2008 - 07:21
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

What model of switch?

Satya Siba Sund... Sun, 09/14/2008 - 07:54
User Badges:

It is for all devices, which include 2960, 3550, 3750, 6509 series switches and also 3845, 7200, 2811 routers. For no device am I getting the Management task menu and other report sub-menus.

Joe Clarke Sun, 09/14/2008 - 07:58
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

All of these switches can be made to work with User Tracking and SNMPv3. However, you must be running recent IOS, and you must have configured VLAN contexts for your SNMPv3 group. If your switches are running code which supports SNMPv3 contexts, you can run "show snmp context" to get a list of contexts. You must allow your SNMPv3 group to poll each context. For example:


snmp-server group v3group v3 auth context vlan-10


If your switches do not support the "show snmp context" command, then you will need to upgrade. The desktop switches must be running 12.2(25)SEE or higher. The 6509 needs to be running 12.2(18)SXF or higher.

Satya Siba Sund... Sun, 09/14/2008 - 08:19
User Badges:

All my switches and routers are using IOS above 12.3x and CiscoWorks was working fine with this. Just due to a server upgrade I had to install this freshly on a new server. Only after that is this problem coming. In fact I had added the devices to DCR through bulk import, and User Tracking I have not configured yet. Do I need to enable SNMP v3 on all devices for this???

Joe Clarke Sun, 09/14/2008 - 08:23
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

It occurred to me, you're replying on the wrong thread.

ohassairi Sun, 09/14/2008 - 21:38
User Badges:
  • Silver, 250 points or more

Thank you for the help, but I think I must first understand SNMP v3 and SNMP context because I am not familiar with them.

Can you explain it briefly or suggest a link?

ohassairi Wed, 10/22/2008 - 03:48
User Badges:
  • Silver, 250 points or more

Hi jclarke

I am afraid you consider the "v3" in my question as "version 3". In fact I mean VLAN 3.

So please can you review my question: can CW LMS track users (IP/MAC@/port) that are in one L2 VLAN different from the VLAN to which it is connected?

Joe Clarke Wed, 10/22/2008 - 09:07
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Sure, this is possible. User Tracking will walk the MAC tables from each VLAN on the switch using community string indexing (if you are using SNMPv1/v2c). This means that community strings on Cisco switches CANNOT contain '@' characters.

ohassairi Wed, 10/22/2008 - 20:23
User Badges:
  • Silver, 250 points or more

OK for MAC addresses, but for IPs (that belong to different subnets) I think it can't.

Can we say that LMS must have the ability to ping computers in order to get them in the end host details?

Joe Clarke Wed, 10/22/2008 - 20:57
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

No, UT can get IP addresses for end hosts on any subnet provided the router for that subnet has been properly Data Collected. While the duplicate resolution code in UT does rely on ping to weed out old duplicate entries, you can specify which IPs cannot be pinged by listing them in the UTNoICMPCheckHostAddress property in NMSROOT/campus/etc/cwsi/ut.properties.

ohassairi Sat, 10/25/2008 - 23:28
User Badges:
  • Silver, 250 points or more

You said "UT can get IP addresses for end hosts on any subnet provided the router for that subnet has been properly Data "

I didn't understand your sentence. Can you explain more?

Thanks

Correct Answer
Joe Clarke Sun, 10/26/2008 - 11:42
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Say a switch has its management interface in VLAN 2. However, you have access ports on that switch in VLAN 3. User Tracking will walk the BRIDGE-MIB for each VLAN on the switch, and get all connected MAC addresses. It will then query all routers which have interfaces in those same VLANs (i.e. VLANs 2 and 3). It will pull the ARP table from each router, then match the MAC addresses from the ARP table entries up with the MAC addresses from the BRIDGE-MIB entries.


Therefore, each router on every subnet must be managed by Campus Manager in order for User Tracking to map MAC addresses to IP addresses.
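An added example, not CiscoWorks code and not posted by anyone in this thread, that works through the mechanism described in this answer together with the community-string-indexing note above: one BRIDGE-MIB walk per VLAN using a `base@vlan` community, then a join of the learned MACs against ARP rows gathered from managed routers only. All device data is constructed inline, and the function and field names are assumptions made for the illustration. A host whose VLAN has no managed router (the case of a firewall acting as the gateway) comes out with a MAC and port but no IP, which is the symptom the thread is about.

```python
# Added illustrative example (not CiscoWorks/Campus Manager code): how a
# User Tracking style collector joins per-VLAN BRIDGE-MIB walks against
# router ARP tables. Device data below is constructed; names are assumptions.
from dataclasses import dataclass


def is_valid_community(community: str) -> bool:
    """With community string indexing the switch treats everything after '@'
    as the VLAN index, so the base community itself must not contain '@'."""
    return "@" not in community


def indexed_community(base: str, vlan: int) -> str:
    """Build the per-VLAN community 'base@vlan' an SNMPv1/v2c poller sends
    to walk the BRIDGE-MIB of one VLAN."""
    if not is_valid_community(base):
        raise ValueError(f"community {base!r} must not contain '@'")
    return f"{base}@{vlan}"


def normalize_mac(mac: str) -> str:
    """Canonicalize 'aabb.ccdd.eeff', 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF'
    to 12 lowercase hex digits so entries in different notations still match."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return digits


@dataclass(frozen=True)
class BridgeEntry:
    vlan: int
    mac: str   # normalized
    port: str


@dataclass(frozen=True)
class ArpEntry:
    router: str
    vlan: int
    ip: str
    mac: str   # normalized


def walk_bridge_mib(switch_tables: dict, base_community: str) -> list:
    """Simulate one BRIDGE-MIB walk per VLAN. switch_tables maps a VLAN id to
    (mac, port) pairs standing in for dot1dTpFdbTable rows."""
    entries = []
    for vlan, rows in switch_tables.items():
        indexed_community(base_community, vlan)  # what the poller would send
        for mac, port in rows:
            entries.append(BridgeEntry(vlan, normalize_mac(mac), port))
    return entries


def collect_arp(routers: dict) -> list:
    """Gather ARP rows (standing in for ipNetToMediaTable) from each managed
    router only. An unmanaged gateway, e.g. a firewall, contributes nothing."""
    entries = []
    for router, rows in routers.items():
        for vlan, ip, mac in rows:
            entries.append(ArpEntry(router, vlan, ip, normalize_mac(mac)))
    return entries


def map_end_hosts(bridge_entries: list, arp_entries: list) -> list:
    """Join: for each MAC seen on a switch port, look up the IP(s) from ARP
    rows collected on routers serving the same VLAN. MACs with no ARP row
    from a managed router are reported with an empty IP list."""
    arp_by_key = {}
    for a in arp_entries:
        arp_by_key.setdefault((a.vlan, a.mac), set()).add(a.ip)
    hosts = []
    for b in bridge_entries:
        ips = sorted(arp_by_key.get((b.vlan, b.mac), ()))
        hosts.append({"vlan": b.vlan, "port": b.port, "mac": b.mac, "ips": ips})
    return hosts


# Constructed sample: management SVI in VLAN 2, access ports in VLANs 3 and 4.
SWITCH_TABLES = {
    2: [("0011.2233.4455", "Fa0/1")],
    3: [("00:11:22:33:66:77", "Fa0/2")],
    4: [("0011.2233.8899", "Fa0/3")],   # VLAN 4's gateway is not a managed router
}
# Constructed: the only managed router has interfaces in VLANs 2 and 3.
MANAGED_ROUTERS = {
    "rtr1": [
        (2, "10.2.0.10", "00-11-22-33-44-55"),
        (3, "10.3.0.20", "0011.2233.6677"),
    ],
}


def demo() -> list:
    bridge = walk_bridge_mib(SWITCH_TABLES, "public")
    arp = collect_arp(MANAGED_ROUTERS)
    return map_end_hosts(bridge, arp)


if __name__ == "__main__":
    for h in demo():
        ips = ", ".join(h["ips"]) or "(no IP: no managed router on this VLAN)"
        print(f"VLAN {h['vlan']:<3} {h['port']:<6} {h['mac']}  {ips}")
```

Running the block prints three rows; the VLAN 4 host shows a MAC and port but no IP because no managed router supplied an ARP entry for it, exactly the gap described in this answer.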

ohassairi Sun, 10/26/2008 - 21:34
User Badges:
  • Silver, 250 points or more

Thank you very much for the clarifications.

In my situation, I have a PIX firewall that has DMZ interfaces in VLAN 3, 4, 5...

So I think it's the same thing as a router. CW should query the ARP table in the firewall.

My firewall is managed by CW, and in the end host report I can see MAC addresses on each switch port, but in the IP column I only get IP addresses of 2 devices!

Maybe I should increase the ARP timeout in the PIX?

Correct Answer
Joe Clarke Sun, 10/26/2008 - 22:14
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

This will not work. The PIX, FWSM, and ASA devices are not supported by Campus Manager, and will not work as routers for UT. What you could do is put another, supported router on the same subnet, and have it act as the default gateway, but simply redirect hosts to the PIX. This device would cache ARP entries, and would allow UT to show MAC addresses with IPs. This is what I do in my lab, and it works quite well.

ohassairi Mon, 10/27/2008 - 00:44
User Badges:
  • Silver, 250 points or more

Thanks Joe.

I hope Cisco will integrate firewalls in Campus Manager for the next LMS versions,

because I can't add a router for every DMZ.

Thanks again.

Joe Clarke Mon, 10/27/2008 - 08:33
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Firewall device support is not planned as they do not support CDP.

jorjes1984 Thu, 05/19/2011 - 03:03
User Badges:

Hi Joseph

Has this been resolved in LMS v4.0.1?

I have an ASA 5580 as a gateway for all users. Can we retrieve the ARP information from it in order to support User Tracking?


Regards,

Georges

Marvin Rhoads Thu, 05/19/2011 - 07:31
User Badges:
  • Super Silver, 17500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Cisco firewalls (ASA, FWSM, or Pix) continue to not be supported for collection of UT data with CiscoWorks LMS (of any release level).


As Joe stated in the earlier sections of this thread, no support is planned since those devices do not support (enough of) the fundamental technologies that LMS uses to gather UT data.

Joe Clarke Thu, 05/19/2011 - 15:55
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Yes, this is correct. Firewalls are still not supported in Campus/Topology and UT. These firewalls do not support the at or ipNetToMedia tables anyway in order to provide ARP information via SNMP.
