In CiscoWorks User Tracking version 3.3 all ports are tracked fine except ports on VLANs that are configured on our FWSM firewall. On those ports only the MAC address shows up, hostname IP address and subnet mask are blank.
Tried making FWSM a seed device, installed updates for CiscoWorks; nothing seems to make a difference.
Anyone ever run into the problem?
Campus Manager must support this particular case. It is becoming a very common deployment with the FWSM.
One of the typical cases is pointing all desktops to a firewall vlan interface as their default gateway.
In this case, FWSM module has the ARP entries.
FWSM must be supported as a special device and it must be treated as a router. Whenever Campus Manager comes across a 6500 device, it should check if it has an FWSM module. If so, it should read ARP from this module.
User Tracking must move away from traditional approach of just polling the routers or L2L3 switches.
I am facing the same problem, only the core 6513 switch vlans are showing all feilds under user tracking by LMS 2.2 , what about the vlans created on FSWM? Its not showing the IPs and other fields. Will it be supported in future or any specific version need to be upgraded?
FWSM support is not planned with Campus Manager since these modules do not support CDP. Without support, UT will not use the FWSM for its ARP entries.
As a workaround, you can use a small Cisco router (e.g. 2500, 1700, etc.) on the same internal interface as the FWSM. This router should have routing disabled, and its ARP timeout turned up to the maximum. It will collect quite a few ARP entries, though it won't be perfect.
thx for this fast and informative reply!
how can I connect this router on the same internal interface as the FWSM? It's a 6500 switch.
So why do you say "it wont be perfect", won't I see all the ARP entries?
You would have to put the router on a switch port which is in the inside VLAN. It won't be perfect since the router won't actually be routing. It will just be listening for ARP entries.
We tried to put a router into the into the transition vlan of the firewall. Is this what you meant with inside vlan?
because we don't get any arp entries with mac address and IP of end hosts in the different vlans which are routed over the Firewall.
Assuming your users are in subnet 10.2.1.0/24 which is VLAN 2, you would need to add the router to a port in VLAN 2. Only then would it have any chance of seeing ARP packets for 10.2.1.0/24. Of course, if you have multiple user VLANs (and you probably do) you would need one router (or one router interface) per VLAN to capture ARP packets.