03-27-2009 01:29 PM
on my UT report I got close to 30000 devices don't have neither host name nor ip address. most of the report showed this devices attached to Wirless Access point. which is not managed by LMS.those AP's itself seen as end devices. my question is where is this mac adresses came from is that from switch or from AP's? LMS pull any mac-adress-table from AP's? I am confused and try to understand the whole science behinde user tracking. I am worried about all this unkown mac adresses breach any secutiy. I have another weired information on UT. I have a Solaris test server on my desk. ut report 6 different mac-address for the switch port my server attached too:)
any information highly apperciated.
Solved! Go to Solution.
03-27-2009 02:53 PM
As I said, if the MAC/IP shows up in a managed router's ARP cache, and UT runs an acquisition while it is there, then UT will show the IP. If the ARP entry times out before UT acquisition runs, then you will miss the IP.
UTLite on Windows end hosts is one workaround for this. UTLite will run on the end host, and send updates to Campus with the end host username, MAC, and IP. Additionally, IN CM 5.0 and higher, we have a feature called dynamic User Tracking which can update the UT database in realtime using MAC-ADDRESS-NOTIFICATION traps and DHCP snooping.
03-27-2009 01:41 PM
If the APs are not managed by LMS, then UT is getting those MACs from the upstream wired switches. In order for UT to display IPs associated with MACs, those IPs must be in the ARP tables of routers being managed by Campus Manager. Those routers must appear on the Topology Map with green router icons.
In Campus Manager 5.1, there is a new feature which allows you to track rogue MAC addresses on your network.
Are all six MAC addresses showing the same last seen time in UT? Are you using a switch or hub on your desk?
03-27-2009 01:54 PM
thanks a lot, ok about my server attached to switch, yes 5 out of 6 are the same last seen time in UT. other question upstream wire -> means a trunk port from switch to the router? so let say somebody connect to access point or access point detect any mac address from wirless client can be found on upstream wire? one thing I have notice since I did exclude AP's from LMS I got a lot of unkown mac's do you think that can be the cause. just a not 100% all my routers and switches managed by CM.
03-27-2009 02:02 PM
Is the switch reporting those five MACs in its MAC table now? If so, then UT is doing what it's supposed to.
The upstream switch is the switch to which the AP connects. Yes, if the APs are connected to the switch via an access port, then all MACs learned by the AP will appear on the wired switch port, and UT will report those MACs as being connected to that port.
Any MAC which is not showing an IP in UT is either not running IP, or no router managed by Campus Manager has that MAC in its ARP table.
03-27-2009 02:24 PM
thanks, you answered many of my concerns. one more question is about AP's we have devices using AP's for short time of period time using temporary IP address (DHCP) once they finish there job they give up the ip. do you think those device mac-address registerd on UT through the wire without the ip address since the ip is gone?
thank you so much, this is really abig help.
03-27-2009 02:53 PM
As I said, if the MAC/IP shows up in a managed router's ARP cache, and UT runs an acquisition while it is there, then UT will show the IP. If the ARP entry times out before UT acquisition runs, then you will miss the IP.
UTLite on Windows end hosts is one workaround for this. UTLite will run on the end host, and send updates to Campus with the end host username, MAC, and IP. Additionally, IN CM 5.0 and higher, we have a feature called dynamic User Tracking which can update the UT database in realtime using MAC-ADDRESS-NOTIFICATION traps and DHCP snooping.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide