Cool, you can lock down SNMP access to your switches with an access list if you 
need to since PF needs a Write community string.

Global Config Settings
ip access-list standard snmphost
 permit host <ip addr for PF Management Interface>
 permit host <ip addr for your internal Management Station>
 

snmp-server community <readcomstring> RO snmphost
snmp-server community <writecomstring> RW snmphost 


Thank You,
Kerry Melcher
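
An added example, not part of the original email and not PacketFence code: a small Python check that reads an IOS configuration and flags `snmp-server community` lines that lack the access-list restriction shown above, including the bare `snmp-server community public RO` form quoted later in this thread. The sample configuration, addresses and community names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): one community follows the
# access-list pattern from the message above, the other two do not.
SAMPLE_CONFIG = """\
ip access-list standard snmphost
 permit host 192.0.2.10
!
access-list 10 permit any
!
snmp-server community public RO
snmp-server community s3cret-rw RW snmphost
snmp-server community legacy RW 10
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.I)

def parse_acls(config):
    """Return {acl_name: [entry, ...]} for named standard and numbered ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        named = re.match(r"ip access-list standard (\S+)", line)
        numbered = re.match(r"access-list (\d+) (.+)", line)
        if line.startswith(" ") and current is not None:
            current.append(line.strip())   # entry inside a named ACL block
            continue
        current = acls.setdefault(named.group(1), []) if named else None
        if numbered:
            acls.setdefault(numbered.group(1), []).append(numbered.group(2).strip())
    return acls

def audit_snmp(config):
    """Return (community, mode, problem) tuples for weakly restricted communities."""
    acls, findings = parse_acls(config), []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        # IOS treats a community with no RO/RW keyword as read-only.
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in ("public", "private"):
            findings.append((name, mode, "default community string"))
        if acl is None:
            findings.append((name, mode, "no access list"))
        elif acl not in acls:
            findings.append((name, mode, "access list not defined"))
        elif any(re.match(r"permit\s+any\b", e) for e in acls[acl]):
            findings.append((name, mode, "access list permits any"))
    return findings
```

Calling `audit_snmp()` on the text of a saved running-config returns one tuple per problem; an empty list means every community line is bound to a defined access list that does not permit any source.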


-----Original Message-----
From: Martin Soentgenrath [mailto:[email protected]] 
Sent: Friday, January 07, 2011 7:19 AM
To: [email protected]
Subject: Re: [Packetfence-users] IOS Version Cisco 3550

Hi Kerry,

Thanks for your answer! I got it up and running now. I simply forgot to enable 
SNMP with "snmp-server community public RO".
After enabling this, everything runs smoothly :-)

Thank you
Martin Söntgenrath

On Thursday, 06 January 2011 18:13:28, Melcher, Kerry wrote:
> Hi Martin,
> If you are just testing on switch port 4, try editing your 
> switches.conf file and make all the other ports or the ports you don't 
> have configured for port-security as uplinks.
>
> In the packetfence.log file the error is reporting on ifindex 10 which 
> should be port 10 on the Cisco 3550.  The ifindex numbers are shifted 
> by 1 on the Cisco 3524.  I did some SNMP debugs on one of my Cisco 
> switches and it looks like PF does what looks like an SNMP scan on all 
> the ports and tries to manage all the ports that aren't logged as 
> uplinks in the switches.conf file.  I suspect that your switch port 10 
> isn't configured for port-security and isn't an uplink in the switches.conf 
> file.
>
>
> Thank You,
> Kerry Melcher
>
>
> -----Original Message-----
> From: Martin Soentgenrath [mailto:[email protected]]
> Sent: Thursday, January 06, 2011 1:43 AM
> To: [email protected]
> Subject: Re: [Packetfence-users] IOS Version Cisco 3550
>
> Hi!
>
> Thanks for your hint,
>
> I guess my configuration is nearly the same:
>
> interface FastEthernet0/4
>  switchport access vlan 4
>  switchport mode access
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0004
>
> ...
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server host 192.168.61.1 version 2c public port-security
>
> But on the packetfence Server the Logs show:
>
> [r...@localhost conf]# tail -f /usr/local/pf/logs/snmptrapd.log
> 2011-01-06|09:21:24|UDP: [192.168.61.11]:61977|0.0.0.0|BEGIN TYPE 0 
> 2011-01-06|END TYPE
> BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 
> =
> Timeticks: (329158) 0:54:51.58|.1.3.6.1.6.3.1.1.4.1.0 =
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10 = Wrong Type 
> (should be INTEGER): Gauge32: 10|.1.3.6.1.2.1.31.1.1.1.1.10 = STRING:
> FastEthernet0/10|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10 = Hex-STRING: 00 
> 23 54 0F 10 3F  END VARIABLEBINDINGS
>
> [r...@localhost pf]# tail -f /usr/local/pf/logs/packetfence.log
> Jan 06 10:21:56 pfsetvlan(25) INFO: secureMacAddrViolation trap on
> 192.168.61.11 ifIndex 10. Port Security is no longer configured on the 
> port. Flush the trap (main::signalHandlerTrapListQueued)
> Jan 06 10:22:08 pfsetvlan(21) INFO: secureMacAddrViolation trap on
> 192.168.61.11 ifIndex 10. Port Security is no longer configured on the 
> port. Flush the trap (main::signalHandlerTrapListQueued)
> ...
>
> and the Port does not get switched.
>
> What am I doing wrong? Any more hints?
>
> Regards
> Martin Söntgenrath
>
> On Wednesday, 05 January 2011 18:20:55, Melcher, Kerry wrote:
> > Hi Martin,
> > I just did some testing on a Cisco 3550-PWR 24 port switch using 
> > port security.  I started with IOS 12.2(35)SE5 and ran into some issues.
> > After upgrading to 12.2(44)SE6 it worked.
> >
> > Also if you are doing Cisco VoIP, you have to change your port 
> > configuration on the 3550 and 3560 switches from using the older 
> > Trunk VoIP port config used on the 3524 switches to the Access port 
> > with Voice Vlan config.  There is one note in the Cisco Switch 
> > Configuration Guide for IOS 12.2(55)SE page 23-12 for setting up 
> > Port-Security that says "Voice VLAN is only supported on access 
> > ports and not trunk ports, even though the configuration is 
> > allowed".  This gave me a lot of trouble testing port security on 
> > the 3550 and 3560 when they were configured as Trunk ports.
> >
> > This is a sample config for a 3550 and 3560 switch port using port 
> > security with VoIP.
> >
> > interface FastEthernet0/1
> >  description F0/1 PF access-voice
> >  switchport access vlan 81
> >  switchport mode access
> >  switchport voice vlan 181
> >  switchport port-security maximum 2
> >  switchport port-security maximum 1 vlan access
> >  switchport port-security maximum 1 vlan voice
> >  switchport port-security
> >  switchport port-security violation restrict
> >  switchport port-security mac-address 0200.0000.0001
> >  priority-queue out
> >  spanning-tree portfast
> >
> > This is a sample config for an older 3524 switch port using Mac 
> > Detection with VoIP.  The 3524 would not work with the Access port 
> > and Voice VLAN config above.
> >
> > interface FastEthernet0/1
> >  description F0/1 PF MAC DOT1Q port to IP Phone
> >  switchport trunk encapsulation dot1q
> >  switchport trunk native vlan 4
> >  switchport mode trunk
> >  switchport voice vlan 181
> >  switchport priority extend cos 0
> >  snmp trap mac-notification added
> >  snmp trap mac-notification removed
> >  spanning-tree portfast
> >
> >
> > Thank You,
> > Kerry Melcher
> >
> >
> > -----Original Message-----
> > From: Martin Soentgenrath [mailto:[email protected]]
> > Sent: Wednesday, January 05, 2011 4:52 AM
> > To: [email protected]
> > Subject: [Packetfence-users] IOS Version Cisco 3550
> >
> > Hi there,
> >
> > Which is the preferred supported IOS Version for the Cisco Catalyst 
> > 3550 Switch? I would like to test this Switch with Port Security 
> > Traps, and was not able to find Information regarding the IOS Version 
> > on 
> > http://www.packetfence.org/documentation/pod/SNMP/Cisco/Catalyst_3550.html.
> >
> > Regards,
> >
> > Martin Söntgenrath
> > --
> > tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
> > Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID
> > (VAT): DE122264941
> >
> > Heilsbachstraße 24,  53123 Bonn,   Telefon: +49 228 52675-0
> > Thiemannstraße 36 a, 12059 Berlin, Telefon: +49 30 5682943-30
> > Internet: http://www.tarent.de/  * Telefax: +49 228 52675-25
> >
> >
>
> --
> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
> Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID (VAT):
> DE122264941
>
> Heilsbachstraße 24,  53123 Bonn,   Telefon: +49 228 52675-0
> Thiemannstraße 36 a, 12059 Berlin, Telefon: +49 30 5682943-30
> Internet: http://www.tarent.de/  * Telefax: +49 228 52675-25
>
> 


--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID (VAT): 
DE122264941

Heilsbachstraße 24,  53123 Bonn,   Telefon: +49 228 52675-0
Thiemannstraße 36 a, 12059 Berlin, Telefon: +49 30 5682943-30
Internet: http://www.tarent.de/  * Telefax: +49 228 52675-25

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
