UT for hosts in DMZ

Answered Question
Jan 26th, 2010

Hello,

CWLMS 3.2 can see most of the computers in UT end host.

However, we have some servers that it cannot see. These are located in ASA firewall DMZs.

Is this normal? Or is there any way to let it see these servers?

Notes:

1- CW can ping these servers

2- These servers are connected to discovered Cisco switches

Correct Answer by Joe Clarke about 7 years 3 weeks ago

Your SNMPv3 configuration looks wrong.  You've assigned the VLAN contexts to a group, campusgroup; however, I think you wanted to assign them to MLMg.  That is, you need to use the group of which your SNMPv3 user is a member.

Joe Clarke Tue, 01/26/2010 - 22:52

These end hosts should be visible in UT provided the switches are data collected by Campus, and show up as green on the Campus topology map.  In other words, there should be nothing different between UT getting end hosts from these switches vs. any others on the network.  The only problem you may see is that UT will not get their IP addresses as it sounds like the ASA is routing for these DMZs, and Campus does not support firewalls for getting the ARP table.

ohassairi Wed, 01/27/2010 - 00:20

Yes Joe,

For routers connected to this switch, I can see them green in the Campus topology map.

However, if I search for Windows PCs on this switch, using User Tracking or the UT End Host Report, I can't find any PC!

So if I understand your answer, this is normal and there is no workaround, isn't it?

Joe Clarke Wed, 01/27/2010 - 19:25

Routers or switches?  End hosts connected to routers (even those with switch modules) will not show up in UT.  End hosts connected to switches should show up, but you may only be able to search for them by MAC address.

ohassairi Wed, 01/27/2010 - 21:12

Hi Joe,

No, I am not speaking about end hosts connected to routers. I am searching for our public servers connected to the DMZ using VLANs in one discovered switch.

Well, I tried searching for them by MAC address but I can't find any!

Joe Clarke Fri, 01/29/2010 - 18:52

Post a show run and show ver from one affected DMZ switch.  Also post the "show int status" and "show mac-address-table" outputs from this switch.  From the server, post the NMSROOT/campus/etc/cwsi/portsData.xml and vlanData.xml files.

ohassairi Sat, 01/30/2010 - 23:20

The attached file contains the requested info for switch 10.151.50.1.

ohassairi Sat, 01/30/2010 - 23:29

                                                                                                                                                        

Sho version

internet sw#sho version

Cisco IOS Software, C3750 Software (C3750 IPBASE M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)

Copyright (c) 1986 2007 by Cisco Systems, Inc.

Compiled Thu 19 Jul 07 19:15 by nachen

Image text base: 0x00003000, data base: 0x01080000

ROM: Bootstrap program is C3750 boot loader

BOOTLDR: C3750 Boot Loader (C3750 HBOOT M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)

internet sw uptime is 2 weeks, 4 days, 19 hours, 47 minutes

System returned to ROM by power on

System restarted at 11:09:56 UTC Tue Jan 12 2010

System image file is "flash:c3750 ipbase mz.122 35.SE5/c3750 ipbase mz.122 35.SE5.bin"

cisco WS C3750 48P (PowerPC405) processor (revision M0) with 118784K/12280K bytes of memory.

Processor board ID FDO1302X0WD

Last reset from power on

3 Virtual Ethernet interfaces

48 FastEthernet interfaces

4 Gigabit Ethernet interfaces

The password recovery mechanism is enabled.

512K bytes of flash simulated non volatile configuration memory.

Base ethernet MAC Address       : 00:24:97:B5:72:80

Motherboard assembly number     : 73 9675 13

Power supply part number        : 341 0029 05

Motherboard serial number       : FDO13020M0B

Power supply serial number      : LIT12490CVL

Model revision number           : M0

Motherboard revision number     : B0

Model number                    : WS C3750 48PS S

System serial number            : FDO1302X0WD

SFP Module assembly part number : 73 7757 03

SFP Module revision Number      : A0

SFP Module serial number        : FDO13020CND

Top Assembly Part Number        : 800 25858 04

Top Assembly Revision Number    : C0

Version ID                      : V06

CLEI Code Number                : COMUX10ARA

Hardware Board Revision Number  : 0x01

Switch   Ports  Model              SW Version              SW Image

                                                                    

*    1   52     WS C3750 48P       12.2(35)SE5             C3750 IPBASE M

Configuration register is 0xF

Sho run

hostname internet sw

!

enable secret xxxxxxxxxxxxxxxxxxxx

!

username swadmin password 7 xxxxxxxxxxxxxxxxx

!

aaa session id common

switch 1 provision ws c3750 48p

system mtu routing 1500

vtp mode transparent

ip subnet zero

!

!

!

!

no file verify auto

!

spanning tree mode pvst

spanning tree extend system id

no spanning tree vlan 1

!

vlan internal allocation policy ascending

!

vlan 151 155

!

interface FastEthernet1/0/1

switchport access vlan 151

speed 100

duplex full

spanning tree portfast

!

interface FastEthernet1/0/2

switchport access vlan 151

speed 100

……………………

!

interface FastEthernet1/0/47

speed 100

duplex full

!

interface FastEthernet1/0/48

description PDM

switchport access vlan 151

speed 100

duplex full

spanning tree portfast

!

interface GigabitEthernet1/0/1

!

interface GigabitEthernet1/0/2

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

!

interface Vlan1

no ip address

no ip route cache

shutdown

!

interface Vlan151

ip address 10.151.50.1 255.255.0.0

no ip route cache

!

interface Vlan154

no ip address

no ip route cache

shutdown

!

ip default gateway 10.w.w.w

ip classless

!

ip access-list standard SNMP-SERVERS

permit 10.x.y.z

permit 10.x.y.t

!

logging trap debugging

logging 10.x.y.z

access-list 1 permit 10.x.y.z

snmp-server engineID local 000000090200003085F0F480

snmp-server group MLMg v3 auth access SNMP-SERVERS

snmp-server group MLMu_2oo9 v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp-server group campusgroup v3 auth context DMZ read campusview write campusview

snmp-server group campusgroup v3 auth context vlan-1 read campusview write campusview

snmp-server group campusgroup v3 auth context vlan-151 read campusview write campusview

snmp-server group campusgroup v3 auth context vlan-152 read campusview write campusview

snmp-server group campusgroup v3 auth context vlan-154 read campusview write campusview

snmp-server group campusgroup v3 auth context vlan-155 read campusview write campusview

snmp-server view campusview internet included

snmp server location Internet Edge

snmp server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp server enable traps tty

snmp server enable traps cluster

snmp server enable traps fru ctrl

snmp server enable traps entity

snmp server enable traps cpu threshold

snmp server enable traps power ethernet group 1 9

snmp server enable traps vtp

snmp server enable traps vlancreate

snmp server enable traps vlandelete

snmp server enable traps flash insertion removal

snmp server enable traps port security

snmp server enable traps envmon fan shutdown supply temperature status

snmp server enable traps mac notification

snmp server enable traps stackwise

snmp server enable traps license

snmp server enable traps config copy

snmp server enable traps config

snmp server enable traps hsrp

snmp server enable traps rtr

snmp server enable traps bridge newroot topologychange

snmp server enable traps stpx inconsistency root inconsistency loop inconsistency

snmp server enable traps syslog

snmp server enable traps vlan membership

snmp server host 10.x.y.z version 3 auth MLMu_2oo9

tacacs server host 10.e.e.e. key 7 qqqqqq

tacacs server directed request

radius server source ports 1645 1646

!

control plane

!

!

internet sw#sho interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type

Fa1/0/1                      notconnect   151          full    100 10/100BaseTX

Fa1/0/2                      notconnect   151          full    100 10/100BaseTX

Fa1/0/3                      connected    151          full    100 10/100BaseTX

Fa1/0/4                      notconnect   151          full    100 10/100BaseTX

Fa1/0/5                      connected    151          full    100 10/100BaseTX

Fa1/0/6                      notconnect   151          full    100 10/100BaseTX

Fa1/0/7                connected    151          full    100 10/100BaseTX

Fa1/0/8                      connected    151          full    100 10/100BaseTX

Fa1/0/9                      connected    151          full    100 10/100BaseTX

Fa1/0/10              connected    151          full    100 10/100BaseTX

Fa1/0/11                     connected    152          full    100 10/100BaseTX

Fa1/0/12                     connected    152          full    100 10/100BaseTX

Fa1/0/13                     notconnect   152          full    100 10/100BaseTX

Fa1/0/14                     connected    152          full    100 10/100BaseTX

Fa1/0/15                     connected    152          full    100 10/100BaseTX

Fa1/0/16                     notconnect   153          full    100 10/100BaseTX

Fa1/0/17                     connected    152          full    100 10/100BaseTX

Fa1/0/18                     notconnect   153          full    100 10/100BaseTX

Fa1/0/19                     notconnect   153          full    100 10/100BaseTX

Fa1/0/20                     notconnect   153          full    100 10/100BaseTX

Fa1/0/21                     connected    154         full    100 10/100BaseTX

Fa1/0/22                        connected    154          full    100 10/100BaseTX

Fa1/0/23                     notconnect   154          full    100 10/100BaseTX

Fa1/0/24                     notconnect   154          full    100 10/100BaseTX

Fa1/0/25                     connected    154          full    100 10/100BaseTX

Fa1/0/26                     notconnect   154          full    100 10/100BaseTX

Fa1/0/27                     notconnect   154          full    100 10/100BaseTX

Fa1/0/28                     notconnect   154          full    100 10/100BaseTX

Fa1/0/29                     notconnect   154          full    100 10/100BaseTX

Fa1/0/30                     notconnect   154          full    100 10/100BaseTX

Fa1/0/31                     connected    155          full    100 10/100BaseTX

Fa1/0/32                     connected    155          full    100 10/100BaseTX

Fa1/0/33                   connected    155          full    100 10/100BaseTX

Fa1/0/34                     connected    155          full    100 10/100BaseTX

Fa1/0/35                         notconnect   155          full    100 10/100BaseTX

Fa1/0/36                      connected    155          full    100 10/100BaseTX

Fa1/0/37                     connected    155          full    100 10/100BaseTX

Fa1/0/38                     connected    155          full    100 10/100BaseTX

Fa1/0/39                     connected    155          full    100 10/100BaseTX

Fa1/0/40                     connected    155          full    100 10/100BaseTX

Fa1/0/41                     connected    151          full    100 10/100BaseTX

Fa1/0/42                     notconnect   151          full    100 10/100BaseTX

Fa1/0/43                     connected    151          full    100 10/100BaseTX

Fa1/0/44                     connected    155          full    100 10/100BaseTX

Fa1/0/45                     notconnect   1            full    100 10/100BaseTX

Fa1/0/46                     notconnect   1            full    100 10/100BaseTX

Fa1/0/47                     notconnect   1            full    100 10/100BaseTX

Fa1/0/48                   connected    151          full    100 10/100BaseTX

Gi1/0/1                      notconnect   1            auto   auto Not Present

Gi1/0/2                      notconnect   1            auto   auto Not Present

Gi1/0/3                      notconnect   1            auto   auto Not Present

Gi1/0/4                      notconnect   1            auto   auto Not Present

internet sw#sho mac address table

          Mac Address Table

                                          

Vlan    Mac Address       Type        Ports

                                          

All    0100.0ccc.cccc    STATIC      CPU

All    0100.0ccc.cccd    STATIC      CPU

All    0180.c200.0000    STATIC      CPU

All    0180.c200.0001    STATIC      CPU

All    0180.c200.0002    STATIC      CPU

All    0180.c200.0003    STATIC      CPU

All    0180.c200.0004    STATIC      CPU

All    0180.c200.0005    STATIC      CPU

All    0180.c200.0006    STATIC      CPU

All    0180.c200.0007    STATIC      CPU

All    0180.c200.0008    STATIC      CPU

All    0180.c200.0009    STATIC      CPU

All    0180.c200.000a    STATIC      CPU

All    0180.c200.000b    STATIC      CPU

All    0180.c200.000c    STATIC      CPU

All    0180.c200.000d    STATIC      CPU

All    0180.c200.000e    STATIC      CPU

All    0180.c200.000f    STATIC      CPU

All    0180.c200.0010    STATIC      CPU

All    ffff.ffff.ffff    STATIC      CPU

151    000b.cddc.47c4    DYNAMIC     Fa1/0/8

151    000c.7606.d853    DYNAMIC     Fa1/0/48

151    0012.79d3.67d6    DYNAMIC     Fa1/0/9

151    0013.21b1.d29e    DYNAMIC     Fa1/0/5

151    0018.fe78.5676    DYNAMIC     Fa1/0/41

151    001b.783a.d72c    DYNAMIC     Fa1/0/3

151    001f.29e8.1f8e    DYNAMIC     Fa1/0/43

151    0021.a0af.e8f8    DYNAMIC     Fa1/0/7

151    0024.1413.88c4    DYNAMIC     Fa1/0/10

151    03bf.0a97.0a78    STATIC      Fa1/0/8 Fa1/0/41

152    0006.53f5.e020    DYNAMIC     Fa1/0/17

152    0019.bbd2.a852    DYNAMIC     Fa1/0/11

152    001a.4b4d.ce50    DYNAMIC     Fa1/0/14

152    0021.a0af.e8fa    DYNAMIC     Fa1/0/15

152    0024.1413.88c6    DYNAMIC     Fa1/0/12

155    0013.21b1.54ae    DYNAMIC     Fa1/0/44

155    0014.384b.0ef4    DYNAMIC     Fa1/0/38

155    0015.6057.1599    DYNAMIC     Fa1/0/32

155    0019.bbd2.8c12    DYNAMIC     Fa1/0/39

155    001a.4b50.9e0e    DYNAMIC     Fa1/0/37

155    001e.0bd7.16c0    DYNAMIC     Fa1/0/34

155    0021.a0af.e8f9    DYNAMIC     Fa1/0/36

155    0024.1413.88c5    DYNAMIC     Fa1/0/33

155    0025.b320.866e    DYNAMIC     Fa1/0/40

155    0025.b321.188e    DYNAMIC     Fa1/0/31

154    001b.54df.a64a    DYNAMIC     Fa1/0/22

154    0021.a0af.e8fb    DYNAMIC     Fa1/0/25

154    0024.1413.88c7    DYNAMIC     Fa1/0/21

Total Mac Addresses for this criterion: 48

Correct Answer
Joe Clarke Mon, 02/01/2010 - 07:17

Your SNMPv3 configuration looks wrong.  You've assigned the VLAN contexts to a group, campusgroup; however, I think you wanted to assign them to MLMg.  That is, you need to use the group of which your SNMPv3 user is a member.
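
The mismatch described in this answer can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: it parses a running config and reports access VLANs whose `vlan-<id>` context is not granted to the group the polling SNMPv3 user belongs to. The user's group is passed in as a parameter because the posted show run does not list SNMPv3 users; `SAMPLE_CONFIG` is a constructed excerpt modelled on the posted switch config, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the config posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 switchport access vlan 151
interface FastEthernet1/0/11
 switchport access vlan 152
interface FastEthernet1/0/31
 switchport access vlan 155
snmp-server group MLMg v3 auth access SNMP-SERVERS
snmp-server group campusgroup v3 auth context vlan-151 read campusview write campusview
snmp-server group campusgroup v3 auth context vlan-152 read campusview write campusview
snmp-server group campusgroup v3 auth context vlan-155 read campusview write campusview
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (\S+)(.*)$")
CONTEXT_RE = re.compile(r"\bcontext (\S+)")
VLAN_RE = re.compile(r"^\s*switchport access vlan (\d+)$")

def parse(config):
    """Return (access VLANs in use, {group name: set of granted contexts})."""
    vlans, contexts = set(), {}
    for line in config.splitlines():
        m = VLAN_RE.match(line)
        if m:
            vlans.add(int(m.group(1)))
            continue
        m = GROUP_RE.match(line.strip())
        if m:
            contexts.setdefault(m.group(1), set())
            ctx = CONTEXT_RE.search(m.group(3))
            if ctx:
                contexts[m.group(1)].add(ctx.group(1))
    return vlans, contexts

def missing_contexts(config, user_group):
    """Access VLANs whose vlan-<id> context is not granted to user_group."""
    vlans, contexts = parse(config)
    granted = contexts.get(user_group, set())
    return sorted(v for v in vlans if f"vlan-{v}" not in granted)

def misplaced_contexts(config, user_group):
    """Other groups holding contexts that user_group lacks."""
    _, contexts = parse(config)
    granted = contexts.get(user_group, set())
    return {g: sorted(c - granted) for g, c in contexts.items()
            if g != user_group and c - granted}

if __name__ == "__main__":
    print(missing_contexts(SAMPLE_CONFIG, "MLMg"))
    print(misplaced_contexts(SAMPLE_CONFIG, "MLMg"))
```

An empty list from `missing_contexts` means every access VLAN on the switch is readable per-VLAN by that group; a non-empty `misplaced_contexts` result points at the group the contexts were attached to instead.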

ohassairi Mon, 02/01/2010 - 22:39

Oh yes! I forgot to change this in these switches.

Thank you Joe. You should change your avatar from devil to angel :-)
