CM end host report

Answered Question
Mar 27th, 2009

on my UT report I got close to 30000 devices don't have neither host name nor ip address. most of the report showed this devices attached to Wirless Access point. which is not managed by LMS.those AP's itself seen as end devices. my question is where is this mac adresses came from is that from switch or from AP's? LMS pull any mac-adress-table from AP's? I am confused and try to understand the whole science behinde user tracking. I am worried about all this unkown mac adresses breach any secutiy. I have another weired information on UT. I have a Solaris test server on my desk. ut report 6 different mac-address for the switch port my server attached too:)

any information highly apperciated.

Correct Answer by Joe Clarke about 7 years 10 months ago

As I said, if the MAC/IP shows up in a managed router's ARP cache, and UT runs an acquisition while it is there, then UT will show the IP. If the ARP entry times out before UT acquisition runs, then you will miss the IP.

UTLite on Windows end hosts is one workaround for this. UTLite will run on the end host, and send updates to Campus with the end host username, MAC, and IP. Additionally, IN CM 5.0 and higher, we have a feature called dynamic User Tracking which can update the UT database in realtime using MAC-ADDRESS-NOTIFICATION traps and DHCP snooping.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Joe Clarke Fri, 03/27/2009 - 13:41

If the APs are not managed by LMS, then UT is getting those MACs from the upstream wired switches. In order for UT to display IPs associated with MACs, those IPs must be in the ARP tables of routers being managed by Campus Manager. Those routers must appear on the Topology Map with green router icons.

In Campus Manager 5.1, there is a new feature which allows you to track rogue MAC addresses on your network.

Are all six MAC addresses showing the same last seen time in UT? Are you using a switch or hub on your desk?

eliaspaulos Fri, 03/27/2009 - 13:54

thanks a lot, ok about my server attached to switch, yes 5 out of 6 are the same last seen time in UT. other question upstream wire -> means a trunk port from switch to the router? so let say somebody connect to access point or access point detect any mac address from wirless client can be found on upstream wire? one thing I have notice since I did exclude AP's from LMS I got a lot of unkown mac's do you think that can be the cause. just a not 100% all my routers and switches managed by CM.

Joe Clarke Fri, 03/27/2009 - 14:02

Is the switch reporting those five MACs in its MAC table now? If so, then UT is doing what it's supposed to.

The upstream switch is the switch to which the AP connects. Yes, if the APs are connected to the switch via an access port, then all MACs learned by the AP will appear on the wired switch port, and UT will report those MACs as being connected to that port.

Any MAC which is not showing an IP in UT is either not running IP, or no router managed by Campus Manager has that MAC in its ARP table.

eliaspaulos Fri, 03/27/2009 - 14:24

thanks, you answered many of my concerns. one more question is about AP's we have devices using AP's for short time of period time using temporary IP address (DHCP) once they finish there job they give up the ip. do you think those device mac-address registerd on UT through the wire without the ip address since the ip is gone?

thank you so much, this is really abig help.

Correct Answer
Joe Clarke Fri, 03/27/2009 - 14:53

As I said, if the MAC/IP shows up in a managed router's ARP cache, and UT runs an acquisition while it is there, then UT will show the IP. If the ARP entry times out before UT acquisition runs, then you will miss the IP.

UTLite on Windows end hosts is one workaround for this. UTLite will run on the end host, and send updates to Campus with the end host username, MAC, and IP. Additionally, IN CM 5.0 and higher, we have a feature called dynamic User Tracking which can update the UT database in realtime using MAC-ADDRESS-NOTIFICATION traps and DHCP snooping.

Actions

This Discussion