Hmm... I'm a bit confused as to what you're asking. But let's go through the basics. Its actually quite simple - UDT just maintains databases from several sources and correlates them to give you useful info. So, it gets MAC address tables from switches, ARP tables from routers, and reads the AD authentication logfiles to get usernames...
UDT basically polls the switch to see what devices are connected to what switchports. However, it only looks at the switchports you tell it to monitor not the whole switch necessarily.
So, lets say you have switch A connected to switch B via G0/1, and on fa0/1 on each switch you have a device connected. The MAC addresses of the device is aaaa.aaaa.aaaa on switch A and bbbb.bbbb.bbbb on switch B.
If you monitor all ports via UDT, you will potentially see aaaa.aaaa.aaaa on Switch A port fa0/1 AND on Switch B, port g0/1. You will see bbbb.bbbb.bbbb on Switch B port fa0/1 AND on Switch A, port g0/1. This is because the MAC address of these devices will not only potentially be on the actual switchport to which they are connected, but also on the uplink to the other switch. Does that make sense? If you don't want UDT to report on the uplink ports, don't monitor them in UDT. Now, I say potentially in these cases because if for some reason the device isn't active enough to stay in the MAC address table on the device, there is no way for UDT to find it.
Now, if you want UDT to report on the IP address of these devices, you would need to monitor whatever router(s) do the routing for this network. Whether it be a Layer-3 switch or an actual router, you will need to manage it so it can get to the ARP table on that device.
Then, if you want UDT to report on the User(s) that have logged into the devices, you would need to add the AD servers that process the login requests from the devices.
That explanation helps, thank you very much. However, in my case, what I am seeing does not match your description. I have 2 switches connected via an uplink and each switch has a single device connected. The two devices are pinging each other. Both switches have both device's MAC in their ARP cache (as well as advertised in their dot1dTpFdbTable). Each switch shows the directly connected device on the appropriate port and the device connected to the opposite switch on the "uplink" port. I tell the UDP application to monitor these two MACs. I'm looking at the "Test List" output on the dashboard and it shows me that both MACs are connected to switch A, one on the access port, the other on the uplink. This is not wrong (as these MACs are presented this way i the MIB) but switch B is not shown at all. My initial feeling is that each device would be shown where it connects to the network (although I do understand more info is needed for SolarWinds to figure this out).
Now, if I dig deeper and look at switch B and the known port this MAC is connected to, and I see it is reported there as well, but I have go digging for it (which is not ideal).
Furthermore, when the dashboard refreshes, sometimes the output stays the same, other times, the MACs are shown to have moved both over the switch B (again, the correct ports on switch B). To a casual observer, this could be concerning witnessing the MAC move on the network when not expected.
Maybe there is another dashboard element that accomplishes displaying all instances of the desired MAC, or maybe I am doing something wrong. I could certainly remove the uplink ports from SolarWinds but that information also has value and, currently, I am exploring options on how we'd want our setup configured.
Hmm... I just checked myself and what I'm seeing in my Database files doesn't 100% jive with what searching by and endpoint in UDT does.
If you check out the UDT_PortToEndpointCurrent table and find the entries for your devices (which would be in the UDT_Endpoint table), I'd be curious to see if it matches up with the actual stuff, or what you're seeing in the GUI for UDT.
I'm using this query in the DB manager to look
SELECT TOP 1000 P2EC.PortID, E.EndpointID, N.Caption, E.MACAddress, P.Name
FROM [dbo].[UDT_PortToEndpointCurrent] P2EC
JOIN UDT_Endpoint E ON (E.EndpointID = P2EC.EndpointID)
JOIN UDT_Port P ON (P2EC.PortID = P.PortID)
JOIN Nodes N ON (P.NodeID = N.NodeID)
ORDER BY E.MACAddress DESC
It basically joins the PortToEndpointCurrent table (which I believe is the current status of what endpoint is on what port) with the Endpoint table, which gives us access to the MAC Address. A couple more joins to the UDT_Port so we can get to the Node names and such too... If you put a "WHERE E.MACAddress = 'YourMACAddress'", you can search for a specific mac if you want...
Curious if you're seeing what you'd expect in the DB tables, but not in the UDT GUI too...
The database is showing both MACs in both locations, as expected.
The Test List on the Dashboard is showing one location for each MAC and further refreshes might stay the same, or move. I have not noticed a pattern yet on when it moves.
Hmm... So it appears that either we're interpreting the database contents incorrectly, or the displaying of this info in UDT is not correct. Possible bug? What do you think?
The current functionality appears to be a bug in SolarWinds to me. I should be able to get around the issue with my current setup by not managing the uplink ports. However, that is worthwhile information to have (and not always an easily configurable). What is the intent of the User Device Tracker? Is it intended to show every location in the network that knows about this particular MAC? Or is it meant to show just where that individual MAC connects to the network? In my mind, either of those options has value but neither appears to be what is implemented.
Well, my interpretation of what UDT is doing is that it should be reporting on the last known location that a given node was at. Of course that depends on a lot of things like how frequently you poll and such. I'm choosing to not poll that often, so my info gets outdated. I also quickly ran into problems where it was giving me too much information, so I cut out the uplinks on the devices that I am monitoring and the info I get is what I consider to be "good". I think most people will use it to find out "who is on this IP address", or "where is this user logged in from" type info, and the MAC address will just be a necessary evil that UDT has to track in order to pull the other information together.
The ability to turn a switchport on and off via the GUI might be something others use also, I'm not myself..
Still trying to figure out way to ensure that I am monitoring the right links though. Will probably have to be done via correctly labeling the links or something.
It is a bit of a challenging product though.