Hi,

> I am having trouble with a Cisco 4500e switch.   When a new device
> comes online PacketFence (PF) sees the trap.   Uses SNMP to
> communicate back and forth.   Changes the VLAN, etc.   However after
> all that is done the:  "switchport port-security mac-address
> 0200.0000.0011" line is gone.   The next device that plugs in no
> longer gets the SNMP trap generated and they remain in whatever VLAN
> the previous device left them in.
> 
> I am in the middle of trying to track this down myself.  I wanted to
> throw this out for anyone else who may have run into this problem
> before and can offer me a quick solution (or a good starting place).
> 
> 
> The PF system is in full debug mode, the Cisco 4500 has debug snmp
> enabled.   All my logs and configs related to this configuration are
> located here:
> 
>       http://nss.wustl.edu/~jemurray/4500-port-security-fail.txt
> 
> 

These logs seem to indicate success.

debug snmp:
Jul 13 14:24:52.244: SNMP: Response, reqid 46843, errstat 0, erridx 0
 cpsIfVlanSecureMacAddrEntry.5.11.0.35.50.148.85.164.557 = 1

packetfence.log:

Jul 13 14:24:52 pfsetvlan(11) INFO: MAC 00:23:32:94:55:a4 is already
authorized on 128.252.71.61 ifIndex 11. Stopping secureMacAddrViolation
trap handling here (main::handleTrap)

> 
> It looks like everything is working as expected, I believe these are
> the debug lines where it is "authorizing" the MAC address to the port:
> 
> Jul 13 14:24:50.532: SNMP: Set request, reqid 46851, errstat 0, erridx 0
>  cpsIfVlanSecureMacAddrEntry.5.11.2.0.0.0.0.17.671 = 6
>  cpsIfVlanSecureMacAddrEntry.5.11.0.35.50.148.85.164.557 = 4
> 
> 
> The first should destroy the former MAC and the second line should set
> the new MAC?

Correct.

> 
> 
> In the logs I see these messages:
> 
> Jul 13 14:24:50 pfsetvlan(7) INFO: MAC: 00:23:32:94:55:a4 is of status
> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Jul 13 14:24:50 pfsetvlan(7) INFO: authorizing 00:23:32:94:55:a4 (old
> entry 02:00:00:00:00:11) at new location 128.252.71.61 ifIndex 11
> (main::handleTrap)
> Jul 13 14:24:50 pfsetvlan(7) DEBUG: opening SNMP v2c write connection
> to 128.252.71.61 (pf::SNMP::connectWrite)
> Jul 13 14:24:50 pfsetvlan(7) WARN: SNMP error tyring to add or remove
> secure rows in port-security table. This could be normal. Error
> message: Received undoFailed(15) error-status at error-index 1
> (pf::SNMP::Cisco::Catalyst_2960::authorizeMAC)
> 
> 
> Thoughts?
> 
At this point, it can be an IOS bug or a PacketFence bug.

The port-security handling code changed a little bit in 2.2.1. Would you
mind upgrading and trying to reproduce?

If it does reproduce we will need you to do snmpset manually and see
what works and what doesn't.

Cheers!
-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
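
Added example, not part of the original message and not PacketFence code: a small Python decoder for the cpsIfVlanSecureMacAddrEntry varbinds in the "debug snmp" output quoted in this thread, showing which ifIndex, MAC and row operation each one carries. Reading the leading 5 as the row-status column and the final component as the VLAN is an assumption consistent with the thread; the RowStatus names are the standard SNMPv2-TC ones.

```python
import re

# RowStatus values from SNMPv2-TC (RFC 2579).
ROW_STATUS = {1: "active", 2: "notInService", 3: "notReady",
              4: "createAndGo", 5: "createAndWait", 6: "destroy"}

# Matches "cpsIfVlanSecureMacAddrEntry.<index> = <value>", quoted with "> " or not.
VARBIND = re.compile(r"cpsIfVlanSecureMacAddrEntry\.([\d.]+)\s*=\s*(\d+)")

# Lines copied from the debug output quoted in this thread.
SAMPLE = """\
Jul 13 14:24:50.532: SNMP: Set request, reqid 46851, errstat 0, erridx 0
 cpsIfVlanSecureMacAddrEntry.5.11.2.0.0.0.0.17.671 = 6
 cpsIfVlanSecureMacAddrEntry.5.11.0.35.50.148.85.164.557 = 4
Jul 13 14:24:52.244: SNMP: Response, reqid 46843, errstat 0, erridx 0
 cpsIfVlanSecureMacAddrEntry.5.11.0.35.50.148.85.164.557 = 1
"""

def decode_varbind(line):
    """Return a dict for one varbind line, or None if the line has no varbind."""
    m = VARBIND.search(line)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Assumed index layout: column, ifIndex, 6 MAC octets, VLAN.
    if len(parts) != 9:
        raise ValueError("unexpected index length: %r" % m.group(1))
    mac_octets = parts[2:8]
    if any(o > 255 for o in mac_octets):
        raise ValueError("MAC octet out of range: %r" % mac_octets)
    value = int(m.group(2))
    return {
        "column": parts[0],
        "ifIndex": parts[1],
        "mac": ":".join("%02x" % o for o in mac_octets),
        "vlan": parts[8],
        "value": value,
        "row_status": ROW_STATUS.get(value, "unknown"),
    }

def decode_log(text):
    """Decode every varbind found in a block of debug output, in order."""
    rows = (decode_varbind(line) for line in text.splitlines())
    return [r for r in rows if r is not None]

if __name__ == "__main__":
    for row in decode_log(SAMPLE):
        print("ifIndex %(ifIndex)s vlan %(vlan)s mac %(mac)s -> %(row_status)s" % row)
```

Run against the switch's debug output after each trap, this makes it easy to see whether the destroy of the old entry and the create of the new one target the ifIndex, MAC and VLAN you expect.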
