Hi,

Today I found out that the 12.2(55)SE1, our currently recommended Cisco firmware, has problems with computers plugged behind IP Telephones.
For some reason, if there's a VoIP, the security table as visible through SNMP is not the same as with a 'show run'. Trying to add or remove a secure MAC through SNMP fails.

I'll be testing other recent releases and hopefully I'll find one that works fine. Suggestions are welcome!

p.s.: the behavior has been documented in the switch module

On 12/05/11 11:36 AM, Olivier Bilodeau wrote:
> Hi Nicolas,
>
>> I figured it out... 12.2(44)SE6 version of IOS on the 2960 has bugs in
>> port-security, I upgraded the switch to 12.2(55)SE1 and the problem went
>> away completely. When collecting debug information as per your request,
>> I did a capture and found the switch was not emitting port-security
>> traps when it should....PacketFence can't react when the switch doesn't
>> send the traps ;)
>
> Thanks for reporting.
>
> The picture around what IOS to use on the 2960 is getting blurrier.
>
> Here's the current documentation
> (http://www.packetfence.org/documentation/pod/SNMP/Cisco/Catalyst_2960.html)
>
> Firmwares
> - Recommended firmware is 12.2(55)SE1
> - The absolute minimum required firmware version is 12.2(25)SEE2.
> - Port-security + VoIP mode works with firmware 12.2(44) and later.
>   Earlier IOS were not explicitly tested.
>
> Known buggy firmwares
> - Port-Security
>   - 12.2(55)SE is known to be broken, 12.2(55)SE1 is apparently fine
>   - 12.2(44)SE6 is known to be buggy: not sending traps under certain
>     circumstances
>   - 12.2(50) is known to be problematic
>   - Port-security + VoIP support doesn't work with IOS version
>     12.2(25r). See issue #1020 for details.
>
> - SNMPv3
>   - 12.2(52) doesn't work in SNMPv3
>
>
>> Apr 21 13:37:09 pfsetvlan(11) WARN: new VLAN  is not a managed VLAN ->
>> replacing VLAN with MAC detection VLAN 321 (pf::SNMP::setVlan)
>> Apr 21 13:37:09 pfsetvlan(11) INFO: finished (main::cleanupAfterThread)
>
> I saw that you solved your problem but just a quick hint: you can see
> that there are two spaces after "new VLAN" so the VLAN returned by
> getNormalVlan was probably an empty string (or undef).
>

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
