
Clients and Users monitoring in Prime Infrastructure | Bug triggered: CSCuz20033

BabaMeca3575
Level 1

Hello,

We have a problem with Clients and Users Monitoring in Cisco Prime Infrastructure.

Let me give you more light about the situation:

We are in the process of a full network migration to a more secure infrastructure.

There is dot1x authentication implemented for wired users, and when the client is authenticated, he is put in a VLAN, transported to a Nexus switch, acting as a gateway. The VLAN interfaces are isolated in VRFs with the idea to transport the client traffic to a FW for inter-VLAN routing, policing and inspection.

If a user is unauthenticated in dot1x, the default "switchport access vlan" still stays on an old gateway Cisco 6500 switch, which is doing all the job without VRF separation.

Operationally this works well so far and we reached the point to migrate the unauthenticated users to different VRFs in the new infrastructure with limited access.

 

The problem is that for management and visibility of the clients, we use Cisco Prime Infrastructure and it is giving us wrong information: it's not getting the real IP addresses which the authenticated clients receive after CoA. For the clients we see the new VLANs and the IP addresses which the old Cisco 6500 SW has in its ARP table before the authentication.

Just found that this bug may be the issue: CSCuz20033

Is there a workaround to make Cisco Prime Infrastructure capture "show ip arp vrf all" instead of just "show ip arp" in order to have the full picture in place?

P.S. CPI is version 3.3
