Prime Infrastructure 2.0 and User Tracking

Answered Question
Dec 2nd, 2013
User Badges:
  • Silver, 250 points or more

Hello

I'm having a look at getting wired User Tracking working on Prime 2.0. I checked that it is supported in the following link:


http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/guide_c07-729089.html                  


I'm having a problem getting dynamic user tracking working for wired non-802.1x clients. The switches are configured for mac-notification traps and the config works fine for LMS.


Another LMS User Tracking feature I'd like to get working in Prime 2.0 is CUCM integration where Prime would pull IP Phone extensions/names etc from CUCM.


Are either of these User Tracking features supported in Prime 2.0 (or at least roadmapped) or should I stick with LMS 4?


Thanks

Andy

Overall Rating: 5 (2 ratings)
Marvin Rhoads Mon, 12/02/2013 - 07:02
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

I am getting good non-802.1x wired user tracking info. See the screenshot below (click to expand).


I don't have a CM so I can't comment on that bit.


Row 1 in the screenshot, for example, is confirmed with the following CLI output:



User_Access#sh run int fa1/0/41
Building configuration...

Current configuration : 177 bytes
!
interface FastEthernet1/0/41
 description user access
 switchport access vlan 10
 switchport mode access
 snmp trap mac-notification change added
 spanning-tree portfast
end

User_Access#sh mac address-table | i 1/0/41
  10    000f.b58e.3732    DYNAMIC     Fa1/0/41
User_Access#sh inv
NAME: "1", DESCR: "WS-C3750-48P"
PID: WS-C3750-48PS-S   , VID: V10  , SN: FDO1425X2M9

User_Access#sh ver | i bin
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE5.bin"
User_Access#
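
An added example, not part of the original thread or of any Cisco tooling: a Python check that a saved running-config contains what trap-driven tracking depends on, namely the per-port `snmp trap mac-notification change added` line shown in the post above plus the global notification and trap settings. The global command lines, the 192.0.2.10 receiver and the community string in the sample are assumptions.

```python
import re

# Constructed sample config modelled on the Fa1/0/41 output in the post above.
# The global lines, receiver address and community string are assumptions.
SAMPLE_CONFIG = """\
mac address-table notification change
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.0.2.10 version 2c EXAMPLE-COMMUNITY
!
interface FastEthernet1/0/41
 switchport mode access
 snmp trap mac-notification change added
!
interface FastEthernet1/0/42
 switchport mode access
!
interface GigabitEthernet1/0/1
 switchport mode trunk
end
"""

# Accepts both the newer "mac address-table" and older "mac-address-table" spelling.
GLOBAL_CHECKS = {
    "MAC notification feature": r"^mac[ -]address-table notification\b",
    "mac-notification traps enabled": r"^snmp-server enable traps .*mac-notification",
    "SNMP trap receiver": r"^snmp-server host \S+",
}
PORT_TRAP = re.compile(r"snmp trap mac-notification( change)? added")

def split_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit(config):
    """Return (missing global features, access ports that send no 'added' trap)."""
    missing = [n for n, p in GLOBAL_CHECKS.items() if not re.search(p, config, re.M)]
    silent = [name for name, cmds in split_interfaces(config).items()
              if "switchport mode access" in cmds
              and not any(PORT_TRAP.match(c) for c in cmds)]
    return missing, silent
```

Calling `audit(SAMPLE_CONFIG)` reports no missing global settings and flags FastEthernet1/0/42 as an access port whose clients would only appear on the scheduled poll.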


andrewswanson Mon, 12/02/2013 - 07:14

Thanks for the reply Marvin. I am getting user tracking info for wired non-802.1x clients but this is only through Prime's scheduled polling of the switches. Is your User Tracking info dynamic? i.e. when you patch a new client into a switch does the switch generate an snmp trap that Prime 2.0 will display in its User Tracking list (without waiting for the next scheduled polling)?


Thanks

andy

Marvin Rhoads Mon, 12/02/2013 - 09:12

Good question. I don't know offhand but I'll check that the next time I am in the lab physically.

Correct Answer
Marvin Rhoads Mon, 12/02/2013 - 09:40

I checked another PI I have in production with a more dynamic environment and it appears to update wired clients on the polling cycle (2 hours default).


I think if you check the box under Administration > Client > Client Discovery it should poll based on receiving the traps. That feature is not enabled by default. See the tool tip in the screen shot below.


andrewswanson Mon, 12/02/2013 - 10:38

Thanks for that. I'm out the office for a few days and I'll try that on my return.

Cheers

Andy

andrewswanson Wed, 12/04/2013 - 05:37

I enabled "Poll clients when client traps/syslogs received" in Prime and tested switches by deleting the dynamic macs from them to generate traps. Tried this on various switches/ios versions:


Switch 1: WS-C2960-24PC-L c2960-lanbasek9-mz.122-55.SE6.bin



  • IP/MACs of clients learned by Prime through regular polling
  • Once Prime was enabled for dynamic client learning:
    • deleted dynamic learned macs on switches
    • Prime dynamically updates its association times for clients accordingly


Switch 2: WS-C2960-48PST-L c2960-lanbasek9-mz.122-52.SE.bin

  • Only MACs of clients learned by Prime through regular polling - no IP addresses
  • Once Prime was enabled for dynamic client learning:
    • deleted dynamic learned macs on switches
    • Prime dynamically updates its association times for clients accordingly
    • Prime still not picking up IP addresses


Switch 3: WS-C2950T-24 c2950-i6k2l2q4-mz.121-22.EA14.bin



  • Only MACs of clients learned by Prime through regular polling - no IP addresses
  • Once Prime was enabled for dynamic client learning:
    • deleted dynamic learned macs on switches
    • Prime dynamically learned any new mac addresses but didn't update the association time for previously learned mac addresses
    • Prime still not picking up IP addresses


All the switches above are configured for ip dhcp snooping and work well with lms3.2 for dynamic user tracking. Not sure why 2 of the switches don't display IP addresses in Prime - will upgrade the ios on the 2960 to see if this makes a difference.


Also added callmanager to Prime 2 but no sign of it matching discovered IP phones to extensions etc. I'll install LMS4.2 to see if this works.


So in short, enabling the "Poll clients when client traps/syslogs received" option in Prime works with mac-notification on the switches with the caveats above.


Thanks

Andy

Marvin Rhoads Wed, 12/04/2013 - 06:05

Good info to know - thanks for the follow up. +5


If you're running a non-eval Prime with support I'd suggest a TAC case - I'd be very interested to see if they have a matrix of which versions of IOS do and do not support the feature.


I'm not surprised that some older IOS versions don't support all the nicer features. We run into this quite a bit when deploying ISE - another product that leverages some of the most recent IOS features.

andrewswanson Wed, 12/04/2013 - 06:11

Thanks for your help with this Marvin. Prime is on contract so I will be contacting TAC soon (we have quite a few 2950s which I know are EoL but I find the dynamic user tracking very useful on these switches). I'm in the process of installing LMS4.2 to test the CM integration which is very useful - this worked well with LMS3.2 and CM 7.X but 'broke' when we moved to CM 8.X. It'll be interesting to see if this works in LMS4.2. Will post back any updates.

Cheers

Andy

andrewswanson Fri, 01/03/2014 - 08:05

I added subsequent switches (same models and IOS) and didn't experience any problems with dynamic user tracking. I deleted and added the original switches back and they also started to work ok with dynamic user tracking. I added these switches via bulk import and set snmp timeout and retries to 30 and 3 respectively so maybe that was what made the difference.


I contacted our Cisco partner about Prime Infrastructure 2.0 integration with CUCM and they suggested having a look at Cisco Prime Collaboration. This looks like a huge (and expensive) product. I'll contact Cisco pre-sales for other suggestions.


Cheers
Andy
