Silver

LMS/L2 sw

Hello

Suppose I have CW LMS connected to an L2 switch. This switch has int vlan 1 shut down and an IP address in VLAN 2. CW has an IP in the same subnet as int VLAN 2.

v3 also exists in the switch.

Can CW/LMS track computers in VLAN 2 and 3? i.e. can we obtain the list of computers attached to each port of this switch?


21 REPLIES
Cisco Employee

Re: LMS/L2 sw

What model of switch?

Re: LMS/L2 sw

It is for all devices, which includes 2960, 3550, 3750, 6509 series switches and 3845, 7200, 2811 routers also. For no device am I getting the Management task menu and the other report sub-menus.

Cisco Employee

Re: LMS/L2 sw

All of these switches can be made to work with User Tracking and SNMPv3. However, you must be running recent IOS, and you must have configured VLAN contexts for your SNMPv3 group. If your switches are running code which supports SNMPv3 contexts, you can run "show snmp context" to get a list of contexts. You must allow your SNMPv3 group to poll each context. For example:

snmp-server group v3group v3 auth context vlan-10

If your switches do not support the "show snmp context" command, then you will need to upgrade. The desktop switches must be running 12.2(25)SEE or higher. The 6509 needs to be running 12.2(18)SXF or higher.

Re: LMS/L2 sw

All my switches and routers are using IOS above 12.3x and CiscoWorks was working fine with this. Just due to a server upgrade I had to install this freshly on a new server. Only after that is this problem coming. In fact I had added the devices to DCR through bulk import, and User Tracking I have not configured yet. Do I need to enable SNMP v3 on all devices for this???

Cisco Employee

Re: LMS/L2 sw

It occurred to me, you're replying on the wrong thread.

Re: LMS/L2 sw

I am really very sorry for this.

Silver

Re: LMS/L2 sw

Thank you for the help, but I think I must first understand SNMP v3 and SNMP contexts because I am not familiar with them.

Can you explain them briefly or suggest a link?

Cisco Employee

Re: LMS/L2 sw

This talks about contexts as they apply to MPLS VPNs, but the concept with VLANs is the same:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtsnmpvp.html

Silver

Re: LMS/L2 sw

Hi jclarke

I am afraid you took the "v3" in my question as "version 3". In fact I mean VLAN 3.

So please can you review my question: can CW LMS track users (IP/MAC address/port) that are in an L2 VLAN different from the VLAN to which it is connected?

Cisco Employee

Re: LMS/L2 sw

Sure, this is possible. User Tracking will walk the MAC tables from each VLAN on the switch using community string indexing (if you are using SNMPv1/v2c). This means that community strings on Cisco switches CANNOT contain '@' characters.

Silver

Re: LMS/L2 sw

OK for MAC addresses, but for IPs (that belong to different subnets) I think it can't.

Can we say that LMS must have the ability to ping computers in order to get them in the end hosts details?

Cisco Employee

Re: LMS/L2 sw

No, UT can get IP addresses for end hosts on any subnet provided the router for that subnet has been properly Data Collected. While the duplicate resolution code in UT does rely on ping to weed out old duplicate entries, you can specify which IPs cannot be pinged by listing them in the UTNoICMPCheckHostAddress property in NMSROOT/campus/etc/cwsi/ut.properties.

Silver

Re: LMS/L2 sw

You said "UT can get IP addresses for end hosts on any subnet provided the router for that subnet has been properly Data Collected".

I didn't understand your sentence. Can you explain more?

Thanks

Cisco Employee

Re: LMS/L2 sw

Say a switch has its management interface in VLAN 2. However, you have access ports on that switch in VLAN 3. User Tracking will walk the BRIDGE-MIB for each VLAN on the switch, and get all connected MAC addresses. It will then query all routers which have interfaces in those same VLANs (i.e. VLANs 2 and 3). It will pull the ARP table from each router, then match the MAC addresses from the ARP table entries up with the MAC addresses from the BRIDGE-MIB entries.

Therefore, each router on every subnet must be managed by Campus Manager in order for User Tracking to map MAC addresses to IP addresses.
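The two mechanisms described in this thread (per-VLAN community-string indexing of the bridge table, and the BRIDGE-MIB/ARP join that gives each MAC its IP) as an added Python illustration; this is not CiscoWorks code, and every table entry below is constructed. It also reproduces the failure mode reported later in the thread: hosts whose only gateway is an unmanaged firewall end up with a MAC and port but no IP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EndHost:
    mac: str
    vlan: int
    port: str
    ip: Optional[str]  # None when no managed router holds an ARP entry for it


def indexed_community(base: str, vlan: int) -> str:
    """Community-string indexing for SNMPv1/v2c: 'public@3' walks the VLAN 3
    bridge table. The base community must not contain '@', as noted above."""
    if "@" in base:
        raise ValueError("SNMPv1/v2c community string must not contain '@'")
    return f"{base}@{vlan}"


# Constructed BRIDGE-MIB (dot1dTpFdbTable) results, one walk per VLAN: MAC -> port.
BRIDGE_TABLES: Dict[int, Dict[str, str]] = {
    2: {"00:11:22:aa:bb:01": "Fa0/1", "00:11:22:aa:bb:02": "Fa0/2"},
    3: {"00:11:22:aa:bb:03": "Fa0/3", "00:11:22:aa:bb:04": "Fa0/4"},
}
# Constructed ARP (ipNetToMediaTable) entries pulled from managed routers only.
# In this scenario the VLAN 3 gateway is a PIX, which Campus Manager does not
# poll, so no ARP entry for any VLAN 3 host ever reaches User Tracking.
ROUTER_ARP: Dict[str, str] = {
    "10.2.0.11": "00:11:22:aa:bb:01",
    "10.2.0.12": "00:11:22:aa:bb:02",
}


def build_end_host_table(bridge_tables, router_arp) -> List[EndHost]:
    """Join bridge entries with ARP entries on the MAC address."""
    mac_to_ip = {mac.lower(): ip for ip, mac in router_arp.items()}
    hosts = []
    for vlan, fdb in sorted(bridge_tables.items()):
        for mac, port in sorted(fdb.items()):
            hosts.append(EndHost(mac, vlan, port, mac_to_ip.get(mac.lower())))
    return hosts


def unresolved_vlans(hosts: List[EndHost]) -> List[int]:
    """VLANs whose hosts show a MAC and port but an empty IP column."""
    return sorted({h.vlan for h in hosts if h.ip is None})
```

An empty IP column for a whole VLAN is therefore a sign that no managed router answers ARP queries for that subnet, not that the switch walk failed.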

Silver

Re: LMS/L2 sw

Thank you very much for the clarifications.

In my situation, I have a PIX firewall that has DMZ interfaces in VLAN 3, 4, 5...

So I think it's the same thing as a router. CW should query the ARP table in the firewall.

My firewall is managed by CW, and in the end host report I can see MAC addresses on each switch port, but in the IP column I only get IP addresses for 2 devices!

Maybe I should increase the ARP timeout in the PIX?

Cisco Employee

Re: LMS/L2 sw

This will not work. The PIX, FWSM, and ASA devices are not supported by Campus Manager, and will not work as routers for UT. What you could do is put another, supported router on the same subnet, and have it act as the default gateway, but simply redirect hosts to the PIX. This device would cache ARP entries, and would allow UT to show MAC addresses with IPs. This is what I do in my lab, and it works quite well.

Silver

Re: LMS/L2 sw

Thanks Joe.

I hope Cisco will integrate firewalls in Campus Manager in the next LMS versions.

Because I can't add a router for every DMZ.

Thanks again.

Cisco Employee

Re: LMS/L2 sw

Firewall device support is not planned as they do not support CDP.

New Member

Re: LMS/L2 sw

Hi Joseph

Has this been resolved in LMS v4.0.1?

I have an ASA 5580 as the gateway for all users. Can we retrieve the ARP information from it in order to support User Tracking?

Regards,

Georges

Hall of Fame Super Silver

Re: LMS/L2 sw

Cisco firewalls (ASA, FWSM, or Pix) continue to not be supported for collection of UT data with CiscoWorks LMS (of any release level).

As Joe stated in the earlier sections of this thread, no support is planned since those devices do not support (enough of) the fundamental technologies that LMS uses to gather UT data.

Cisco Employee

Re: LMS/L2 sw

Yes, this is correct. Firewalls are still not supported in Campus/Topology and UT. These firewalls do not support the at or ipNetToMedia tables anyway in order to provide ARP information via SNMP.
