There appear to be discrepancies in both the Admin and Dev docs as they pertain to flexible VLAN assignment. The custom.pm module lists the subroutine as getNormalVlan and the admin docs call it get_normal_vlan. Either way, it either returns no vlan and is followed by a "VLAN not managed" error, or it keeps returning the normal vlan when it shouldn't.
Returns wrong vlan:

Apr 22 11:29:01 pfsetvlan(1) INFO: MAC: 34:15:9e:10:72:06, PID: 1, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)

Returns no vlan (I assume):

Apr 22 11:20:39 pfsetvlan(3) INFO: MAC: 34:15:9e:10:72:06, PID: 1, Status: reg. Returned VLAN: (pf::vlan::fetchVlanForNode)
Apr 22 11:20:39 pfsetvlan(3) INFO: authorizing 34:15:9e:10:72:06 (old entry 02:00:00:01:00:04) at new location 10.9.0.16 ifIndex 10004 (main::handleTrap)
Apr 22 11:20:39 pfsetvlan(3) WARN: SNMP error tyring to add or remove secure rows in port-security table. This could be normal. Error message: Received noCreation(11) error-status at error-index 2 (pf::SNMP::Cisco::Catalyst_2960::authorizeMAC)
Apr 22 11:20:39 pfsetvlan(3) WARN: new VLAN is not a managed VLAN -> replacing VLAN with MAC detection VLAN 321 (pf::SNMP::setVlan)
Apr 22 11:20:39 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)

-----Original Message-----
From: Ritter, Nicholas [mailto:[email protected]]
Sent: Friday, April 22, 2011 11:11 AM
To: [email protected]
Subject: Re: [Packetfence-users] Cisco 2960 port-security problem

I noticed that the custom_getCorrectVlan function in the file /usr/local/pf/lib/pf/vlan/custom.pm is different than the function on page 9 of the devel document. Which is correct?

From the file:
my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;

From the Dev doc:
My($this, $switch_ip, $ifIndex, $mac, $status, $vlan, $pid) = @_;

I assume that a problem here is what is causing my problem where PF knows that a vlan should be set, but states that the VLAN is not managed.

Nick

-----Original Message-----
From: Ritter, Nicholas
Sent: Thursday, April 21, 2011 2:00 PM
To: '[email protected]'
Subject: RE: [Packetfence-users] Cisco 2960 port-security problem

I figured it out... the 12.2(44)SE6 version of IOS on the 2960 has bugs in port-security. I upgraded the switch to 12.2(55)SE1 and the problem went away completely.
When collecting debug information as per your request, I did a capture and found the switch was not emitting port-security traps when it should... PacketFence can't react when the switch doesn't send the traps ;)

With that said... I continued testing and found two more problems:

1) Node registration change from reg to unreg in the PF WebUI does not cause the station to be treated as unreg if the category is not also changed back to "no category". If I mark a station as unreg, but leave the category as something a registered device would use, the device is still allowed to use the port.

2) Custom vlan settings via custom.pm on a per-category basis didn't work; the error was:

Apr 21 13:37:09 pfsetvlan(11) WARN: new VLAN is not a managed VLAN -> replacing VLAN with MAC detection VLAN 321 (pf::SNMP::setVlan)
Apr 21 13:37:09 pfsetvlan(11) INFO: finished (main::cleanupAfterThread)

The vlan specified in custom.pm is specified in the "Vlans" field of the switch in the WebUI. Do I need to add vlan IDs somewhere else in addition so that PacketFence considers it a managed vlan? In switches.conf I have the vlans specified in two places: "vlans=" and customVlan entries. I noticed that the switch I am testing does not have these entries, but I assumed it was because the settings were taken from the default entry when they were missing.
Here is a snippet of the switches.conf file (10.9.0.16 is the 2960 switch I am testing with):

[default]
vlans=1,3,24,32,321
normalVlan=1
registrationVlan=321
isolationVlan=321
macDetectionVlan=321
guestVlan=321
customVlan1=24
customVlan2=2
customVlan3=3
customVlan4=
customVlan5=
VoIPEnabled=no
voiceVlan=32
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
cliTransport=Telnet
cliUser=<censored>
cliPwd=<censored>
cliEnablePwd=<censored>
SNMPVersion=2c
SNMPCommunityRead=<censored>
SNMPCommunityWrite=<censored>
SNMPVersionTrap=2c
SNMPCommunityTrap=<censored>
wsTransport=https
wsUser=<censored>
wsPwd=<censored>

[10.9.0.16]
type=Cisco::Catalyst_2960
mode=production
cliTransport=SSH
uplink=10101,10501

BTW - just one other note, although it does not appear to be causing a problem, I see this error in packetfence.log:

Apr 21 13:37:09 pfsetvlan(11) WARN: SNMP error tyring to add or remove secure rows in port-security table. This could be normal. Error message: Received noCreation(11) error-status at error-index 2 (pf::SNMP::Cisco::Catalyst_2960::authorizeMAC)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
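An added example, not PacketFence's own code, for the managed-VLAN question raised in the thread: it parses a constructed copy of the VLAN-related keys from the switches.conf snippet above, merges [10.9.0.16] over [default], and applies the assumed rule that a VLAN counts as managed only when it appears in vlans= (the parser, subroutine names and that rule are assumptions, not PacketFence internals). Note that customVlan2=2 is absent from vlans=1,3,24,32,321 in the quoted config.

```perl
# Added example, not PacketFence code: replay the "new VLAN is not a managed
# VLAN" decision against the switches.conf values quoted in the thread.
use strict; use warnings;

# Constructed input: VLAN-related keys from the [default] and [10.9.0.16] sections.
my $switches_conf = <<'END';
[default]
vlans=1,3,24,32,321
macDetectionVlan=321
customVlan1=24
customVlan2=2
customVlan3=3
[10.9.0.16]
mode=production
END

# Minimal INI parser: returns { section => { key => value } }.
sub parse_ini {
    my ($text) = @_;
    my (%conf, $section);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;
        if ($line =~ /^\[(.+)\]$/) { $section = $1; next; }
        my ($k, $v) = split /=/, $line, 2;
        $conf{$section}{$k} = defined $v ? $v : '';
    }
    return \%conf;
}

# Effective settings for one switch: its own keys override [default],
# which is the inheritance the thread assumes.
sub switch_config {
    my ($conf, $ip) = @_;
    return +{ %{ $conf->{default} || {} }, %{ $conf->{$ip} || {} } };
}

# Assumed rule behind the WARN in the logs: a VLAN is managed only if it is
# listed in the switch's vlans=; otherwise macDetectionVlan is used instead.
sub effective_vlan {
    my ($sw, $wanted) = @_;
    my %managed = map { $_ => 1 } split /,/, $sw->{vlans};
    return $managed{$wanted} ? $wanted : $sw->{macDetectionVlan};
}

my $sw = switch_config(parse_ini($switches_conf), '10.9.0.16');
for my $key (sort grep { /^customVlan\d+$/ } keys %$sw) {
    my ($want, $got) = ($sw->{$key}, effective_vlan($sw, $sw->{$key}));
    printf "%-11s VLAN %-3s -> %s\n", $key, $want,
        $got eq $want ? 'ok, managed' : "not in vlans=, replaced with $got";
}
```

Under this rule customVlan1 and customVlan3 pass, while customVlan2 is reported as replaced with 321, which matches the "replacing VLAN with MAC detection VLAN 321" line in the logs.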
