WCS MSE Help

Answered Question
Mar 24th, 2010

I’m trying to synchronize one of our switches with the WCS/MSE (Version 6 on the WCS).  I’ve added it onto the WCS and the MSE says it synchronizes properly but when I go into the SERVICES/MOBILITY SERVICES and look at the switch it is just showing the IP address.  It’s not showing any of the ports or any information at all on the switch.  I have the RW snmp string for the switch.  Any ideas?

dhopper82 Wed, 03/24/2010 - 07:58

I'm trying to connect into a 4506 switch running 12.2(25)EWA5.

sschmidt Thu, 03/25/2010 - 06:32

Hello,

The feature is not for management of the switch like what LMS does.  It is for switch port tracing and uses SNMP to poll the cam table to look for rogues in the table.  What you are seeing is what you should see.
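The mechanism sschmidt describes (start at the switch the reporting AP's CDP neighbor points to, look the rogue's MAC up in that switch's CAM table, and follow the uplink to the next switch when the MAC was learned on a port with a CDP neighbor, until an edge port is found or the hop limit is hit) can be modelled without hardware. The Python below is an added illustration written for this page; it is not WCS/MSE code, it does no SNMP, and every switch name, MAC address and table row in it is constructed. The hop counting (seed switch is hop 0, each CDP-neighbor transition is one hop, default limit 2 as in the WCS documentation quoted in this thread) is an assumption about how the limit is applied.

```python
"""Toy model of WCS switch port tracing (added example, not Cisco code).

A rogue AP's MAC is looked up in the CAM table of a seed switch; when the
MAC is learned on a port that has a CDP neighbour, the trace follows that
neighbour, hop by hop, until the MAC is found on an edge port or the hop
limit is reached. Switch names, MACs and tables are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' form; accepts IOS 'aabb.ccdd.eeff',
    'aa-bb-cc-dd-ee-ff' and 'aa:bb:cc:dd:ee:ff' spellings."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Parse 'vlan mac type port' rows in the style of 'show mac address-table'
    (constructed layout) into {mac: (vlan, port)}; header/blank lines are skipped."""
    table: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        vlan, mac, _kind, port = parts
        table[normalize_mac(mac)] = (int(vlan), port)
    return table


@dataclass
class Switch:
    name: str
    cam: Dict[str, Tuple[int, str]]
    # port -> name of the switch seen as a CDP neighbour on that port
    cdp_neighbors: Dict[str, str] = field(default_factory=dict)


def trace_rogue(switches: Dict[str, Switch], seed: str, rogue_mac: str,
                max_hops: int = 2) -> Optional[Tuple[str, int, str]]:
    """Return (switch, vlan, port) of the edge port where rogue_mac is learned,
    or None if the trace fails (seed not managed, MAC unknown, hop limit hit).
    A hop is one CDP-neighbour transition; max_hops=2 mirrors the WCS default
    quoted in this thread (assumption: the seed switch itself counts as hop 0)."""
    mac = normalize_mac(rogue_mac)
    current, visited = seed, set()
    for _hop in range(max_hops + 1):
        sw = switches.get(current)
        if sw is None or current in visited:   # unmanaged switch or CDP loop
            return None
        visited.add(current)
        if mac not in sw.cam:                   # no traffic seen from the rogue
            return None
        vlan, port = sw.cam[mac]
        neighbor = sw.cdp_neighbors.get(port)
        if neighbor is None:                    # learned on an edge port: found
            return (sw.name, vlan, port)
        current = neighbor                      # learned on an uplink: keep going
    return None


# Constructed three-switch topology: seed-sw -- dist-sw -- edge-sw
SWITCHES = {sw.name: sw for sw in (
    Switch("seed-sw", parse_mac_table("""
        Vlan  Mac Address     Type     Ports
        10    0011.2233.4455  DYNAMIC  Gi1/1
        10    00aa.bbcc.dd01  DYNAMIC  Gi1/24
    """), {"Gi1/24": "dist-sw"}),
    Switch("dist-sw", parse_mac_table("""
        10    00aa.bbcc.dd01  DYNAMIC  Gi2/3
    """), {"Gi2/1": "seed-sw", "Gi2/3": "edge-sw"}),
    Switch("edge-sw", parse_mac_table("""
        10    00aa.bbcc.dd01  DYNAMIC  Fa0/7
    """), {"Gi0/1": "dist-sw"}),
)}

if __name__ == "__main__":
    print(trace_rogue(SWITCHES, "seed-sw", "00:aa:bb:cc:dd:01"))              # ('edge-sw', 10, 'Fa0/7')
    print(trace_rogue(SWITCHES, "seed-sw", "00aa.bbcc.dd01", max_hops=1))     # None: hop limit
    print(trace_rogue(SWITCHES, "unmanaged-sw", "00aa.bbcc.dd01"))             # None: seed not managed
```

The third call is the situation dhopper82 ends up diagnosing later in the thread: if the switch the reporting AP sits on is not one WCS manages, the trace has no seed to query and fails before any CAM table is read. Note also that the model only ever reads tables; as the documentation says, a read-only community string is enough for tracing, and a write string is needed only if you want WCS to shut the port.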

dhopper82 Thu, 03/25/2010 - 06:49

Okay, that makes sense.  What do I have to do to get the port trace to work?  Every time I do it says the port trace failed. 

Correct Answer
sschmidt Thu, 03/25/2010 - 07:04

Well that is a complex question but let's start with making sure that you meet the requirements for it to work:

http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpxref43135

Switch Port Trace

The Switch Port Trace page allows you to run a trace on detected rogue access points on the wire.

To correctly trace and contain rogue access points, you must correctly provide the following information.

Reporting APs—A rogue access point has to be reported by one or more managed access points.

AP CDP Neighbor—Access point CDP neighbor information is required to determine the seed switches.

Switch IP address and SNMP credentials—All switches to be traced must have a management IP address and SNMP management enabled. You can add network address based entries instead of only adding individual switches. The correct write community string must be specified to enable/disable switch ports. For tracing, read community strings are sufficient.

Switch port configuration—Trunking switch ports must be correctly configured. Switch port security must be turned off.

Only Cisco Ethernet switches are supported.

Switch VLAN settings must be properly configured.

CDP protocol must be enabled on all switches.

An Ethernet connection must exist between the rogue access point and the Cisco switch.

You should have some traffic between rogue access points and the Ethernet switch.

The rogue access point must be connected to a switch within the max hop limit. The default hop count is 2, and the maximum is 10.

If SNMPv3 is chosen, use the context option and create one for each VLAN, in addition to the one for the main group (which is required for non-VLAN-based MIBs).

Follow these steps to specify options for switch port tracing.

Using switch port tracing:

http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0ctrlcfg.html#wpmkr1083367

After you meet all requirements the logs are your best bet for determining why it is not working.  They are usually pretty good at leading you to the problem.

You would go to Administration > Logging and uncheck Status Polling, Configuration, SNMP Mediation, MSE/Location Servers, XML Mediation, Navigator, Reports and Database Administration and change the message level to TRACE and click submit.  Go back and recreate the issue and then go back to the logging area and download the logs.

If you get the logs right after the test it should be in the wcs-0-0.log file and you will want to go from the bottom up and search for something like "Switch port tracing failed".  Around there will be why it failed.
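The triage step sschmidt describes (pull wcs-0-0.log at TRACE level, read it from the bottom up, find the most recent "Switch port tracing failed" and look just above it for the cause) is easy to script once you are doing it more than once. The Python below is an added example written for this page, not Cisco code; the log lines it carries are constructed to look plausible, and the real wcs-0-0.log layout and message texts may differ, so the regexes and the "starting trace" / "trace completed" phrases are assumptions to adjust to your own file.

```python
"""Bottom-up triage of a WCS log for the 'Switch port tracing failed' marker
(added example, not Cisco code). The log text below is constructed; the
real wcs-0-0.log layout may differ, so adjust the patterns to your file."""
import re
from typing import Dict, List, Optional

FAIL_MARKER = "Switch port tracing failed"
START_RE = re.compile(r"starting trace for rogue (?P<mac>[0-9a-f:]{17})")
SEVERITY_RE = re.compile(r"\b(ERROR|WARN)\b")

# Constructed sample: one failed attempt followed by one that completed.
SAMPLE_LOG = """\
03/25/10 07:00:01.120 TRACE [switchporttrace] starting trace for rogue 00:aa:bb:cc:dd:01
03/25/10 07:00:01.133 TRACE [switchporttrace] reporting AP ap-floor2 has CDP neighbor 10.1.1.5
03/25/10 07:00:01.140 ERROR [switchporttrace] seed switch 10.1.1.5 is not managed by WCS
03/25/10 07:00:01.141 ERROR [switchporttrace] Switch port tracing failed
03/25/10 07:02:10.500 TRACE [switchporttrace] starting trace for rogue 00:aa:bb:cc:dd:01
03/25/10 07:02:11.010 TRACE [switchporttrace] 10.1.1.7 CAM lookup: learned on Gi1/24, CDP neighbor 10.1.1.9
03/25/10 07:02:12.220 TRACE [switchporttrace] 10.1.1.9 CAM lookup: learned on Fa0/7, edge port
03/25/10 07:02:12.230 INFO  [switchporttrace] Switch port trace completed
"""


def last_failure_context(log_text: str, context: int = 5,
                         marker: str = FAIL_MARKER) -> Optional[List[str]]:
    """Scan from the bottom up, as the thread advises, and return the most
    recent marker line together with up to `context` lines before it."""
    lines = log_text.splitlines()
    for idx in range(len(lines) - 1, -1, -1):
        if marker in lines[idx]:
            return lines[max(0, idx - context): idx + 1]
    return None


def failure_reasons(log_text: str, context: int = 5) -> List[str]:
    """ERROR/WARN lines immediately preceding the latest failure marker."""
    ctx = last_failure_context(log_text, context)
    if ctx is None:
        return []
    return [line for line in ctx[:-1] if SEVERITY_RE.search(line)]


def summarize_traces(log_text: str) -> List[Dict[str, object]]:
    """Split the log into trace attempts and record each one's outcome and
    the error messages logged while it ran."""
    attempts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            attempts.append({"rogue": m.group("mac"), "outcome": "unknown", "errors": []})
            continue
        if not attempts:
            continue   # lines logged before the first trace attempt
        current = attempts[-1]
        if FAIL_MARKER in line:
            current["outcome"] = "failed"
        elif "Switch port trace completed" in line:
            current["outcome"] = "completed"
        elif SEVERITY_RE.search(line):
            current["errors"].append(line.split("] ", 1)[-1])   # keep the message only
    return attempts


if __name__ == "__main__":
    for attempt in summarize_traces(SAMPLE_LOG):
        print(attempt["rogue"], attempt["outcome"], attempt["errors"])
    print(failure_reasons(SAMPLE_LOG))
```

Run it against a real download as `summarize_traces(open("wcs-0-0.log").read())` after fixing the patterns; `failure_reasons` gives the quick bottom-up answer sschmidt describes, while `summarize_traces` is the view you want when several traces ran between collecting the logs and reproducing the issue.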
dhopper82 Thu, 03/25/2010 - 07:13

Thanks SSchmidt,  I know what's going on now.  The switches that the APs that detected it are on aren't added in the WCS so therefore are not able to perform as needed to do a switch trace.  Thanks!

dhopper82 Thu, 03/25/2010 - 07:54

Yep, that worked.  As soon as I put an AP on the switch that the "malicious" AP was on it was able to work.

dhopper82 Thu, 03/25/2010 - 07:05

Oh, I need to mention that I've added one switch to WCS (sync'd it with the MSE) and have an AP plugged into it that WCS considers malicious.
