We have a substantial amount of properties segmented off by Cisco ASA, and UDT can't pull ARP information like it can on a switch/router. Is there any plan to better poll ASA?
Couldn't agree more. One thing that has helped in the meantime is having DHCP Snooping enabled on a switch behind the ASA so that the ARP table can be gathered. Not 100% effective, but at least it is something.
A question for the product managers.
Will it pull this information from IPAM if it's monitoring DHCP on a Cisco ASA (or a Windows DHCP server)? Currently I'm starting to set up UDT and I'm seeing patchy mapping of MAC addresses to IP addresses. This seems to be down to different hardware at different sites (i.e. L3 Cisco switches as the default gateway vs ASAs).
It would seem that only physical addresses of the ASA are supported in that required MIB. Looks like a very deliberate choice to not supply all of the information, so I'm unsure if Cisco will add support.
I think UDT being able to map MAC addresses via DHCP bindings in IPAM would be the best workaround for the lack of information from the ASA. It'll also allow mapping in other situations where the default gateway is another system that does not supply the required information.
I agree here.
The ASA is a security device first and foremost. SNMP can be considered a security risk, as could exposing IP/MAC Addresses. Now, I know it functions as a router on many levels, but it is not one. I'm assuming many of these decisions are made to help better secure the networks it serves.
Another issue that I have with Cisco's lack of SNMP support on ASAs is that they don't accept SNMP write commands on v1, v2c, or v3. As stated here:
Would love to see if SW Community has any sway with Cisco Engineers.
I would also love this feature; we are in a unique situation. Most of our non-enterprise networks (manufacturing networks) sit behind firewalls.
We have about 60 Cisco ASA firewalls, each with at least 2 routable subnets, and using UDT we cannot retrieve the IPs due to the ASA's SNMP limitations due to security risk etc.
But we also have NCM, and retrieving ARP with an SSH session should be possible.
I would also like to add my desire for this feature. We are limited on IP address tracking for hundreds of devices in our datacenters because of it. I would add that using VRFs, where ARP information is on the routers, has been a workaround.
I agree, NCM can execute command lines using SSH/Telnet against the devices and use the output for configuration capture, etc. It seems there should be an opportunity for those with UDT/NCM licenses to potentially gather ARP information that way.
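As an added illustration of the SSH-based idea raised in the posts above (not code from any poster or from SolarWinds): a Python sketch that parses captured ASA `show arp` output and compares two polling runs to report new, vanished, and re-bound IP/MAC pairs. It assumes each entry line has the layout interface, IP, dotted MAC, age or marker; the sample output and interface names are constructed, and how the text is collected over SSH is left to the existing tooling.

```python
import re

# Constructed samples of ASA `show arp` output from two polling runs
# (assumed layout: interface, IP, dotted MAC, age or marker).
POLL_1 = """\
ciscoasa# show arp
        inside 10.20.1.15 0011.2233.4455 42
        inside 10.20.1.16 0011.2233.4466 -
        mfg-line1 192.168.50.10 00a0.b1c2.d3e4 1180
"""
POLL_2 = """\
ciscoasa# show arp
        inside 10.20.1.15 0011.2233.4499 3
        inside 10.20.1.16 0011.2233.4466 -
        mfg-line1 192.168.50.11 00a0.b1c2.d3e5 7
"""

ARP_LINE = re.compile(
    r"^\s*(?P<ifname>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s+(?P<age>\S+)\s*$"
)

def normalize_mac(cisco_mac):
    """Convert 0011.2233.4455 to 00:11:22:33:44:55."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_show_arp(text):
    """Return {(interface, ip): mac}; prompts and other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[(m["ifname"], m["ip"])] = normalize_mac(m["mac"])
    return table

def diff_polls(old, new):
    """Classify bindings as new, gone, or moved to a different MAC."""
    report = {"new": [], "gone": [], "mac_changed": []}
    for key, mac in new.items():
        if key not in old:
            report["new"].append((*key, mac))
        elif old[key] != mac:
            report["mac_changed"].append((*key, old[key], mac))
    report["gone"] = [(*k, m) for k, m in old.items() if k not in new]
    return report

if __name__ == "__main__":
    print(diff_polls(parse_show_arp(POLL_1), parse_show_arp(POLL_2)))
```

An IP that shows up under `mac_changed` between polls is worth a second look, since it can mean a replaced device, a DHCP reassignment, or an address conflict.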
We definitely hear you and understand this request. Unfortunately Cisco doesn't expose the data we need via SNMP so it's much more complicated than adding some additional internal pollers.