I am testing a Cisco 2960 with port-security and PF 2.1, and something
is happening that I think is not correct, so I will describe it below:

 

1)      Cisco 2960 switch, running C2960-LANBASEK9-M 12.2(44)SE6

a.      Configured with port-security per port

        i.  Global port-security settings:

            1.  snmp-server enable traps port-security
            2.  snmp-server enable traps port-security trap-rate 1
            3.  mac address-table aging-time 3600

        ii. Interface level port-security settings:

            1.  switchport access vlan 321
            2.  switchport mode access
            3.  switchport port-security maximum 1 vlan access
            4.  switchport port-security violation restrict
            5.  switchport port-security mac-address 0200.0001.0003
            6.  spanning-tree portfast

b.      Vlan 321 is the isolation and mac-detection vlan.

 

2)      When I connected an unregistered device to the port, the
packetfence log shows a port-security trap from the switch, and
packetfence added the MAC address to the database as an unregistered
device.

3)      I edited the entry for the MAC address via the packetfence webUI
and set the entry to registered.

4)      This entry then shows up in the packetfence log:

a.       pfcmd(0) WARN: Can't change VLAN for mac 34:15:9e:10:72:06
because no open locationlog entry was found (main::vlan_reevaluation)

5)      I disconnected the device, and reconnected it to the same port.

6)      The packetfence log shows no port-security trap when the port
link comes up, but does show the dhcp requests that the device is making.

7)      The switchport the device is connected to is not changed to the
VLAN specified in packetfence

8)      a "show run" on the switch shows that the interface level
settings have not changed at all

9)      a "show port-security interface" on the switch for the port
shows:

        Port Security              : Disabled
        Port Status                : Secure-down
        Violation Mode             : Restrict
        Aging Time                 : 0 mins
        Aging Type                 : Absolute
        SecureStatic Address Aging : Disabled
        Maximum MAC Addresses      : 1
        Total MAC Addresses        : 1
        Configured MAC Addresses   : 1
        Sticky MAC Addresses       : 0
        Last Source Address:Vlan   : 0000.0000.0000:0
        Security Violation Count   : 0
 

So I have several questions:

 

1)      After connecting the device the first time, packetfence did as
it should: learn the MAC address, set it to unreg, leave the port in the
unreg vlan. But why did it not go to the switch and set the vlan to the
registered devices vlan after I registered the device?

2)      Why are subsequent clean connections by the same device to the
same port on the switch not generating any traps at all? 

 

I had expected to see a flow of operation such that when the device
connected, it would remain isolated, PF would learn the MAC, an admin
user in PF would set the device to registered, and PF would then reconfigure
the switch port to reflect the registered state.

 

What am I doing and/or understanding incorrectly? I am not using captive
portal, just PF admin manual reg state changes in the PF WebUI.

 

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
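An added check, not part of the post above and not PacketFence code: the interface stanza quoted in the message sets port-security parameters (maximum, violation mode, a static mac-address) but never contains the bare `switchport port-security` command, which on IOS is the line that actually enables the feature on the port; that is consistent with the `Port Security : Disabled` field in the show output, and a port on which the feature is disabled will not raise port-security traps. The Python below parses an interface stanza and a `show port-security interface` dump and reports that kind of mismatch before a port is handed to a NAC. The sample stanza and show output are constructed to mirror the post; the interface name FastEthernet0/1 is an assumption, since the original does not name the port.

```python
"""Audit a Cisco IOS access-port stanza against 'show port-security interface'.

Added example for the PacketFence thread above; not PacketFence code.
The sample data below is constructed to mirror the post."""
import re

# Constructed sample: the running-config stanza quoted in the post.
# The interface name is assumed; the post does not give one.
SAMPLE_STANZA = """\
interface FastEthernet0/1
 switchport access vlan 321
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0003
 spanning-tree portfast
"""

# Constructed sample: 'show port-security interface' output quoted in the post.
SAMPLE_SHOW = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# The bare command that enables the feature; every other
# 'switchport port-security ...' line only sets a parameter.
ENABLE_LINE = "switchport port-security"

# Key is followed by padding spaces and a colon; non-greedy key so that
# 'Last Source Address:Vlan' keeps its embedded colon.
_SHOW_RE = re.compile(r"^(\S.*?)\s+:\s*(.*?)\s*$")


def parse_stanza(text):
    """Split an 'interface <name>' stanza into (name, [stripped config lines])."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("expected an 'interface <name>' header line")
    return lines[0].split(None, 1)[1], lines[1:]


def parse_show(text):
    """Parse the 'Key : Value' rows of 'show port-security interface'."""
    fields = {}
    for line in text.splitlines():
        m = _SHOW_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def port_security_enabled(config_lines):
    """True only if the bare enable command is present in the stanza."""
    return ENABLE_LINE in config_lines


def audit(stanza_text, show_text):
    """Return a list of findings; an empty list means config and switch state agree."""
    name, cfg = parse_stanza(stanza_text)
    show = parse_show(show_text)
    findings = []
    has_params = any(l.startswith(ENABLE_LINE + " ") for l in cfg)
    enabled = port_security_enabled(cfg)
    if has_params and not enabled:
        findings.append(f"{name}: port-security parameters set but feature "
                        f"not enabled (missing bare '{ENABLE_LINE}')")
    if "switchport mode access" not in cfg and "switchport mode trunk" not in cfg:
        findings.append(f"{name}: port mode is dynamic; port-security needs "
                        f"access or trunk mode")
    show_enabled = show.get("Port Security", "").lower() == "enabled"
    if enabled != show_enabled:
        findings.append(f"{name}: config enabled={enabled} but switch reports "
                        f"Port Security: {show.get('Port Security', '?')}")
    max_line = next((l for l in cfg if l.startswith(ENABLE_LINE + " maximum ")), None)
    if max_line and show.get("Maximum MAC Addresses") != max_line.split()[3]:
        findings.append(f"{name}: configured maximum {max_line.split()[3]} differs "
                        f"from switch value {show.get('Maximum MAC Addresses')}")
    return findings


def fix_stanza(stanza_text):
    """Return the stanza with the bare enable command inserted, right after
    'switchport mode access', when it is missing."""
    name, cfg = parse_stanza(stanza_text)
    if ENABLE_LINE not in cfg:
        idx = cfg.index("switchport mode access") + 1 if "switchport mode access" in cfg else 0
        cfg.insert(idx, ENABLE_LINE)
    return "\n".join([f"interface {name}"] + [" " + l for l in cfg]) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_STANZA, SAMPLE_SHOW):
        print(finding)
    print(fix_stanza(SAMPLE_STANZA))
```

Run it against a stanza copied from `show run interface <port>` and the matching `show port-security interface <port>` output; on the sample it reports the one finding (parameters set, feature not enabled), and `fix_stanza` shows the stanza with the enable line added. After pushing that line the show output should flip to `Port Security : Enabled` and the port will raise traps again; if it still reads Disabled, the audit flags the config/switch disagreement instead.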