Community Member

User Tracking with FWSM

In CiscoWorks User Tracking version 3.3 all ports are tracked fine except ports on VLANs that are configured on our FWSM firewall. On those ports only the MAC address shows up; hostname, IP address and subnet mask are blank.

Tried making FWSM a seed device, installed updates for CiscoWorks; nothing seems to make a difference.

Has anyone ever run into this problem?

Red

Re: User Tracking with FWSM

FWSM is not supported by Campus Manager and that leads to this type of behavior.

I believe the reason is that FWSM doesn't support CDP.

Community Member

Re: User Tracking with FWSM

Perhaps they should rename the product CiscoNeverWorks

Community Member

Re: User Tracking with FWSM

Hi Nadim,

Campus Manager must support this particular case. It is becoming a very common deployment with the FWSM.

One of the typical cases is pointing all desktops to a firewall vlan interface as their default gateway.

In this case, the FWSM module has the ARP entries.

FWSM must be supported as a special device and it must be treated as a router. Whenever Campus Manager comes across a 6500 device, it should check if it has an FWSM module. If so, it should read ARP from this module.

User Tracking must move away from traditional approach of just polling the routers or L2L3 switches.

Regards,

Vasanth

Community Member

Re: User Tracking with FWSM

I am facing the same problem. Only the core 6513 switch VLANs are showing all fields under User Tracking by LMS 2.2; what about the VLANs created on the FWSM? It's not showing the IPs and other fields. Will it be supported in future, or does a specific version need to be upgraded?

Community Member

Re: User Tracking with FWSM

Hey,

Any news on this one? Is it still not supported?

I got the same problem.

Cisco Employee

Re: User Tracking with FWSM

FWSM support is not planned with Campus Manager since these modules do not support CDP. Without support, UT will not use the FWSM for its ARP entries.

As a workaround, you can use a small Cisco router (e.g. 2500, 1700, etc.) on the same internal interface as the FWSM. This router should have routing disabled, and its ARP timeout turned up to the maximum. It will collect quite a few ARP entries, though it won't be perfect.

Community Member

Re: User Tracking with FWSM

Hey,

Thanks for this fast and informative reply!

How can I connect this router on the same internal interface as the FWSM? It's a 6500 switch.

Also, why do you say "it won't be perfect"? Won't I see all the ARP entries?

Thank you.

Cisco Employee

Re: User Tracking with FWSM

You would have to put the router on a switch port which is in the inside VLAN. It won't be perfect since the router won't actually be routing. It will just be listening for ARP entries.

Community Member

Re: User Tracking with FWSM

We tried to put a router into the transit VLAN of the firewall. Is this what you meant by the inside VLAN?

Because we don't get any ARP entries with the MAC address and IP of end hosts in the different VLANs which are routed over the firewall.

Cisco Employee

Re: User Tracking with FWSM

Assuming your users are in subnet 10.2.1.0/24 which is VLAN 2, you would need to add the router to a port in VLAN 2. Only then would it have any chance of seeing ARP packets for 10.2.1.0/24. Of course, if you have multiple user VLANs (and you probably do) you would need one router (or one router interface) per VLAN to capture ARP packets.
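The workaround described in the two replies above (a small router sitting as a passive host in the user VLAN, with routing disabled and a long ARP timeout, so that CiscoWorks can poll its ARP table over SNMP instead of the FWSM's) can be expressed as the following IOS configuration. This is an added example, not configuration from the original posts or from Cisco; it assumes the 10.2.1.0/24 / VLAN 2 addressing from the reply above, a free host address 10.2.1.250, the interface name FastEthernet0/0, the read-only community string "ut-ro" and the CiscoWorks server address 10.1.1.10, all of which are placeholders you would replace. A second user VLAN needs a second interface configured the same way, with its own address in that VLAN.

```ios
! Added example: passive ARP-collecting router for CiscoWorks User Tracking.
! All addresses, names and community strings below are assumptions.
hostname ut-arp-collector
!
! Disable routing so the box behaves as a host and never forwards traffic
! between VLANs; the FWSM stays the only gateway.
no ip routing
!
! One interface per user VLAN. Plug it into a 6500 access port in VLAN 2.
interface FastEthernet0/0
 description ARP listener in user VLAN 2 (10.2.1.0/24)
 ip address 10.2.1.250 255.255.255.0
 ! Keep learned entries as long as possible so idle hosts stay in the table.
 ! Assumption: this is the largest value most IOS releases accept;
 ! confirm on your platform with "arp timeout ?".
 arp timeout 2147483
 no shutdown
!
! Default gateway for a non-routing IOS host; used only for management.
ip default-gateway 10.2.1.1
!
! Read-only SNMP access, restricted to the CiscoWorks server, so User
! Tracking can read this router's ARP (ipNetToMediaTable) entries.
access-list 10 permit host 10.1.1.10
snmp-server community ut-ro RO 10
!
! Verify locally: "show ip arp" should list MAC/IP pairs for 10.2.1.0/24.
end
```

Add the router to CiscoWorks as a managed device with that community string and run a User Tracking acquisition; the inside-VLAN hosts it has heard ARP from should then show IP address and subnet mask. As the reply above notes, coverage depends on the router actually seeing each host's ARP traffic, so hosts that never broadcast while the entry has aged out will still be missing.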
