Update! Ok, we found a certain code/config combination that works for all IOS. We avoided the need to upgrade IOS after upgrading PacketFence but you'll have to change your config if your IOS is 12.2(46)SE or greater.
It'll be released in 2.2.1 which should be coming pretty soon. It's documented in UPGRADE. Here's the module documentation entry for this issue:

> Port-Security with Voice over IP (VoIP)
>
> Security table corruption issues with firmwares 12.2(46)SE or greater and PacketFence before 2.2.1
>
> Several firmware releases have an SNMP security table corruption bug that happens only when VoIP devices are involved.
>
> Although a Cisco problem, we developed a workaround in PacketFence 2.2.1 that requires switch configuration changes. Read the UPGRADE guide under 'Upgrading to a version prior to 2.2.1' for more information.
>
> Firmware versions 12.2(44)SE6 or below should not upgrade their configuration.
>
> Affected firmwares include at least 12.2(46)SE, 12.2(52)SE, 12.2(53)SE1, 12.2(55)SE1, 12.2(55)SE3 and 12.2(58)SE1.

I think we earned a few beers for tonight ;) While watching the Stanley Cup final of course.

> Hi,
>
> We are having a hard time trying to produce a viable upgrade path for the recent 2960 fixes we implemented.
>
> Context:
> We discovered recently that recent 2960 firmware 12.2(52)SE+ don't work well when used in Port-Security with Voice over IP (VoIP) with PacketFence.
>
> Since recent switches come with a bootloader that's more recent than 12.2(52), asking people to downgrade (like we did in the past) is no longer an option.
>
> We tried our best to find a fixed IOS or a fix for our own module that didn't involve configuration changes but we couldn't.
>
> So far the fix is quite painful:
> - module changes
> - configuration changes
> - IOS update (if you were pre-12.2(52))
>
> The 'PF' workaround:
> In a nutshell, we are treating VoIP devices like a normal device except that it belongs to the Voice VLAN. Previously we were doing dynamic port-security on these devices and relying on CDP to appropriately detect the Voice nature of the device.
>
> Config changes are:
> - add a maximum 1 vlan voice
> - set a fake VoIP MAC on vlan voice
> On each VoIP enabled port for each switch.
>
> If you have *any* ideas at this point they will be appreciated! We don't want to force an IOS upgrade, PacketFence update and switch configuration change to keep things running as they were but it looks like there's no way to work-around Cisco's changes this time...
>
> --
> Olivier Bilodeau
> obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-devel mailing list
Packetfence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel
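As an added illustration of the two config changes listed in the quoted message ("maximum 1 vlan voice" and a fake VoIP MAC on the voice VLAN), here are the corresponding Cisco IOS interface commands. This is not text from the PacketFence UPGRADE guide or from the thread; the interface name, VLAN numbers and the locally administered placeholder MAC are assumed values.

```cisco
! Constructed example: one VoIP-enabled access port on a Catalyst 2960.
! Interface, VLAN ids and the placeholder MAC are assumptions, not
! values from the PacketFence documentation.
interface FastEthernet0/1
 switchport mode access
 ! assumed data VLAN; PacketFence moves this per device as usual
 switchport access vlan 10
 ! assumed voice VLAN
 switchport voice vlan 100
 switchport port-security
 ! one data MAC plus one voice MAC on the port in total
 switchport port-security maximum 2
 ! the "maximum 1 vlan voice" change: only one address on the voice VLAN
 switchport port-security maximum 1 vlan voice
 ! the "fake VoIP MAC" change: a locally administered placeholder
 ! address pinned to the voice VLAN (0200.xxxx.xxxx is not a vendor OUI)
 switchport port-security mac-address 0200.0000.0001 vlan voice
 switchport port-security violation restrict
```

Per the documentation entry quoted above, this only applies to switches running 12.2(46)SE or greater together with PacketFence 2.2.1; ports on 12.2(44)SE6 or below keep their existing configuration.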