Solved: Re: UT for hosts in DMZ

ohassairi · ‎01-26-2010

hello

CWLMS 3.2 can see most of computers in UT end host.

However we have some servers that it cannot see. These one are located in ASA firewall DMZs.

Is this normal ? or is there any way to let it see these servers?.

Notes:

1- CW can ping these servers

2- These servers are connected to discovered Cisco switches

Joe Clarke · ‎02-01-2010

Your SNMPv3 configuration looks wrong. You've assigned the VLAN contexts to a group, campusgroup; however, I think you wanted to assign them to MLMg. That is, you need to use the group of which your SNMPv3 user is a member.

View solution in original post

Joe Clarke · ‎01-26-2010

These end hosts should be visible in UT provided the switches are data collected by Campus, and show up as green on the Campus topology map. In other words, there should be nothing different between UT getting end hosts from these switches vs. any others on the network. The only problem you may see is that UT will not get their IP addresses as it sounds like the ASA is routing for these DMZs, and Campus does not support firewalls for getting the ARP table.

ohassairi · ‎01-27-2010

yes joe

for routers connected to this switch, i can see them green in campus topology map.

however if i search for windows PC in this switch, using user tracking or UT End Host Report i can't find any PC!!!.

so if i understand your answer, this is normal and there is no workaround ! isn't it?

Joe Clarke · ‎01-27-2010

Routers or switches? End hosts connected to routers (even those with switch modules) will not show up in UT. End hosts connected to switches should show up, but you may only be able to search for them by MAC address.

ohassairi · ‎01-27-2010

hi joe

no, i am not speaking about end hosts connected to routers. i am searching for our public servers connected to DMZ using VLANs in one discovered switch.

well, i tried seraching them by MAC address but i can't find any one!

Joe Clarke · ‎01-29-2010

Post a show run and show ver from one affected DMZ switch. Also post the "show int status" and "show mac-address-table" outputs from this switch. From the server, post the NMSROOT/campus/etc/cwsi/portsData.xml and vlanData.xml files.

ohassairi · ‎01-30-2010

attached file contains the requested infos for switch 10.151.50.1

ohassairi · ‎01-30-2010

Sho version

internet sw#sho version

Cisco IOS Software, C3750 Software (C3750 IPBASE M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)

Compiled Thu 19 Jul 07 19:15 by nachen

Image text base: 0x00003000, data base: 0x01080000

ROM: Bootstrap program is C3750 boot loader

BOOTLDR: C3750 Boot Loader (C3750 HBOOT M) Version 12.2(25r)SEC, RELEASE SOFTWARE (fc4)

internet sw uptime is 2 weeks, 4 days, 19 hours, 47 minutes

System returned to ROM by power on

System restarted at 11:09:56 UTC Tue Jan 12 2010

System image file is "flash:c3750 ipbase mz.122 35.SE5/c3750 ipbase mz.122 35.SE5.bin"

cisco WS C3750 48P (PowerPC405) processor (revision M0) with 118784K/12280K bytes of memory.

Processor board ID FDO1302X0WD

Last reset from power on

3 Virtual Ethernet interfaces

48 FastEthernet interfaces

4 Gigabit Ethernet interfaces

The password recovery mechanism is enabled.

512K bytes of flash simulated non volatile configuration memory.

Base ethernet MAC Address : 00:24:97:B5:72:80

Motherboard assembly number : 73 9675 13

Power supply part number : 341 0029 05

Motherboard serial number : FDO13020M0B

Power supply serial number : LIT12490CVL

Model revision number : M0

Motherboard revision number : B0

Model number : WS C3750 48PS S

System serial number : FDO1302X0WD

SFP Module assembly part number : 73 7757 03

SFP Module revision Number : A0

SFP Module serial number : FDO13020CND

Top Assembly Part Number : 800 25858 04

Top Assembly Revision Number : C0

Version ID : V06

CLEI Code Number : COMUX10ARA

Hardware Board Revision Number : 0x01

Switch Ports Model SW Version SW Image

* 1 52 WS C3750 48P 12.2(35)SE5 C3750 IPBASE M

Configuration register is 0xF

Sho run

hostname internet sw

!

enable secret xxxxxxxxxxxxxxxxxxxx

!

username swadmin password 7 xxxxxxxxxxxxxxxxx

!

aaa session id common

switch 1 provision ws c3750 48p

system mtu routing 1500

vtp mode transparent

ip subnet zero

!

no file verify auto

!

spanning tree mode pvst

spanning tree extend system id

no spanning tree vlan 1

!

vlan internal allocation policy ascending

!

vlan 151 155

!

interface FastEthernet1/0/1

switchport access vlan 151

speed 100

duplex full

spanning tree portfast

!

interface FastEthernet1/0/2

switchport access vlan 151

speed 100

……………………

!

interface FastEthernet1/0/47

speed 100

duplex full

!

interface FastEthernet1/0/48

description PDM

switchport access vlan 151

speed 100

duplex full

spanning tree portfast

!

interface GigabitEthernet1/0/1

!

interface GigabitEthernet1/0/2

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

!

interface Vlan1

no ip address

no ip route cache

shutdown

!

interface Vlan151

ip address 10.151.50.1 255.255.0.0

no ip route cache

!

interface Vlan154

no ip address

no ip route cache

shutdown

!

ip default gateway 10.w.w.w

ip classless

!

ip access list standard SNMP SERVERS

permit 10.x.y.z

permit 10.x.y.t

!

logging trap debugging

logging 10.x.y.z

access list 1 permit 10.x.y.z

snmp server engineID local 000000090200003085F0F480

snmp server group MLMg v3 auth access SNMP SERVERS

snmp server group MLMu_2oo9 v3 auth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F

snmp server group campusgroup v3 auth context DMZ read campusview write campusview

snmp server group campusgroup v3 auth context vlan 1 read campusview write campusview

snmp server group campusgroup v3 auth context vlan 151 read campusview write campusview

snmp server group campusgroup v3 auth context vlan 152 read campusview write campusview

snmp server group campusgroup v3 auth context vlan 154 read campusview write campusview

snmp server group campusgroup v3 auth context vlan 155 read campusview write campusview

snmp server view campusview internet included

snmp server location Internet Edge

snmp server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp server enable traps tty

snmp server enable traps cluster

snmp server enable traps fru ctrl

snmp server enable traps entity

snmp server enable traps cpu threshold

snmp server enable traps power ethernet group 1 9

snmp server enable traps vtp

snmp server enable traps vlancreate

snmp server enable traps vlandelete

snmp server enable traps flash insertion removal

snmp server enable traps port security

snmp server enable traps envmon fan shutdown supply temperature status

snmp server enable traps mac notification

snmp server enable traps stackwise

snmp server enable traps license

snmp server enable traps config copy

snmp server enable traps config

snmp server enable traps hsrp

snmp server enable traps rtr

snmp server enable traps bridge newroot topologychange

snmp server enable traps stpx inconsistency root inconsistency loop inconsistency

snmp server enable traps syslog

snmp server enable traps vlan membership

snmp server host 10.x.y.z version 3 auth MLMu_2oo9

tacacs server host 10.e.e.e. key 7 qqqqqq

tacacs server directed request

radius server source ports 1645 1646

!

control plane

!

internet sw#sho interfaces status

Port Name Status Vlan Duplex Speed Type

Fa1/0/1 notconnect 151 full 100 10/100BaseTX

Fa1/0/2 notconnect 151 full 100 10/100BaseTX

Fa1/0/3 connected 151 full 100 10/100BaseTX

Fa1/0/4 notconnect 151 full 100 10/100BaseTX

Fa1/0/5 connected 151 full 100 10/100BaseTX

Fa1/0/6 notconnect 151 full 100 10/100BaseTX

Fa1/0/7 connected 151 full 100 10/100BaseTX

Fa1/0/8 connected 151 full 100 10/100BaseTX

Fa1/0/9 connected 151 full 100 10/100BaseTX

Fa1/0/10 connected 151 full 100 10/100BaseTX

Fa1/0/11 connected 152 full 100 10/100BaseTX

Fa1/0/12 connected 152 full 100 10/100BaseTX

Fa1/0/13 notconnect 152 full 100 10/100BaseTX

Fa1/0/14 connected 152 full 100 10/100BaseTX

Fa1/0/15 connected 152 full 100 10/100BaseTX

Fa1/0/16 notconnect 153 full 100 10/100BaseTX

Fa1/0/17 connected 152 full 100 10/100BaseTX

Fa1/0/18 notconnect 153 full 100 10/100BaseTX

Fa1/0/19 notconnect 153 full 100 10/100BaseTX

Fa1/0/20 notconnect 153 full 100 10/100BaseTX

Fa1/0/21 connected 154 full 100 10/100BaseTX

Fa1/0/22 connected 154 full 100 10/100BaseTX

Fa1/0/23 notconnect 154 full 100 10/100BaseTX

Fa1/0/24 notconnect 154 full 100 10/100BaseTX

Fa1/0/25 connected 154 full 100 10/100BaseTX

Fa1/0/26 notconnect 154 full 100 10/100BaseTX

Fa1/0/27 notconnect 154 full 100 10/100BaseTX

Fa1/0/28 notconnect 154 full 100 10/100BaseTX

Fa1/0/29 notconnect 154 full 100 10/100BaseTX

Fa1/0/30 notconnect 154 full 100 10/100BaseTX

Fa1/0/31 connected 155 full 100 10/100BaseTX

Fa1/0/32 connected 155 full 100 10/100BaseTX

Fa1/0/33 connected 155 full 100 10/100BaseTX

Fa1/0/34 connected 155 full 100 10/100BaseTX

Fa1/0/35 notconnect 155 full 100 10/100BaseTX

Fa1/0/36 connected 155 full 100 10/100BaseTX

Fa1/0/37 connected 155 full 100 10/100BaseTX

Fa1/0/38 connected 155 full 100 10/100BaseTX

Fa1/0/39 connected 155 full 100 10/100BaseTX

Fa1/0/40 connected 155 full 100 10/100BaseTX

Fa1/0/41 connected 151 full 100 10/100BaseTX

Fa1/0/42 notconnect 151 full 100 10/100BaseTX

Fa1/0/43 connected 151 full 100 10/100BaseTX

Fa1/0/44 connected 155 full 100 10/100BaseTX

Fa1/0/45 notconnect 1 full 100 10/100BaseTX

Fa1/0/46 notconnect 1 full 100 10/100BaseTX

Fa1/0/47 notconnect 1 full 100 10/100BaseTX

Fa1/0/48 connected 151 full 100 10/100BaseTX

Gi1/0/1 notconnect 1 auto auto Not Present

Gi1/0/2 notconnect 1 auto auto Not Present

Gi1/0/3 notconnect 1 auto auto Not Present

Gi1/0/4 notconnect 1 auto auto Not Present

internet sw#sho mac address table

Mac Address Table

Vlan Mac Address Type Ports

All 0100.0ccc.cccc STATIC CPU

All 0100.0ccc.cccd STATIC CPU

All 0180.c200.0000 STATIC CPU

All 0180.c200.0001 STATIC CPU

All 0180.c200.0002 STATIC CPU

All 0180.c200.0003 STATIC CPU

All 0180.c200.0004 STATIC CPU

All 0180.c200.0005 STATIC CPU

All 0180.c200.0006 STATIC CPU

All 0180.c200.0007 STATIC CPU

All 0180.c200.0008 STATIC CPU

All 0180.c200.0009 STATIC CPU

All 0180.c200.000a STATIC CPU

All 0180.c200.000b STATIC CPU

All 0180.c200.000c STATIC CPU

All 0180.c200.000d STATIC CPU

All 0180.c200.000e STATIC CPU

All 0180.c200.000f STATIC CPU

All 0180.c200.0010 STATIC CPU

All ffff.ffff.ffff STATIC CPU

151 000b.cddc.47c4 DYNAMIC Fa1/0/8

151 000c.7606.d853 DYNAMIC Fa1/0/48

151 0012.79d3.67d6 DYNAMIC Fa1/0/9

151 0013.21b1.d29e DYNAMIC Fa1/0/5

151 0018.fe78.5676 DYNAMIC Fa1/0/41

151 001b.783a.d72c DYNAMIC Fa1/0/3

151 001f.29e8.1f8e DYNAMIC Fa1/0/43

151 0021.a0af.e8f8 DYNAMIC Fa1/0/7

151 0024.1413.88c4 DYNAMIC Fa1/0/10

151 03bf.0a97.0a78 STATIC Fa1/0/8 Fa1/0/41

152 0006.53f5.e020 DYNAMIC Fa1/0/17

152 0019.bbd2.a852 DYNAMIC Fa1/0/11

152 001a.4b4d.ce50 DYNAMIC Fa1/0/14

152 0021.a0af.e8fa DYNAMIC Fa1/0/15

152 0024.1413.88c6 DYNAMIC Fa1/0/12

155 0013.21b1.54ae DYNAMIC Fa1/0/44

155 0014.384b.0ef4 DYNAMIC Fa1/0/38

155 0015.6057.1599 DYNAMIC Fa1/0/32

155 0019.bbd2.8c12 DYNAMIC Fa1/0/39

155 001a.4b50.9e0e DYNAMIC Fa1/0/37

155 001e.0bd7.16c0 DYNAMIC Fa1/0/34

155 0021.a0af.e8f9 DYNAMIC Fa1/0/36

155 0024.1413.88c5 DYNAMIC Fa1/0/33

155 0025.b320.866e DYNAMIC Fa1/0/40

155 0025.b321.188e DYNAMIC Fa1/0/31

154 001b.54df.a64a DYNAMIC Fa1/0/22

154 0021.a0af.e8fb DYNAMIC Fa1/0/25

154 0024.1413.88c7 DYNAMIC Fa1/0/21

Total Mac Addresses for this criterion: 48

Joe Clarke · ‎02-01-2010

Your SNMPv3 configuration looks wrong. You've assigned the VLAN contexts to a group, campusgroup; however, I think you wanted to assign them to MLMg. That is, you need to use the group of which your SNMPv3 user is a member.

ohassairi · ‎02-01-2010

oh yes! i forgot to change this in these switches.

thank you joe. you should change your avatar from devil to angel :-)

ohassairi · ‎01-31-2010

i was not able to attach portdata and vlandata details. so i publish them here:

http://hassairi.50megs.com/files.html