Hi Francois,

I thought I should check in and make sure I didn't miss something.

In summary, our VLAN switching with generic port-secured MAC addresses works 
perfectly but if there's a unique and registered port-secured MAC and we're 
switching from 1) Registration to Custom, 2) Custom to Normal, and 3) Normal to 
Custom, we have varying degrees of failure (described in detail earlier).  If 
one can consider generic MACs, e.g. 0020.0001.0046, unregistered, then these 
scenarios have been tested and work perfectly with unregistered MACs.

For a bit of rationale why these scenarios are needed, 1) a small handful of 
experienced network professionals share administration duties and it's quite 
normal, even expected, for administrators to make configuration changes, e.g. 
VLAN, directly on the switch, and 2) we have a somewhat disparate switching 
infrastructure, though predominately Cisco, so administrative flexibility is 
highly valued.

Again, thank you for all the assistance you've given.  To say we're appreciative is 
understating things.

Steve
CSM

On Mar 15, 2012, at 4:28 PM, Steve Wittstruck wrote:

> Francois,
> 
> You're Welcome.  And I apologize for not being as clear as I should have 
> been.  I should have said VLAN switching does occur without problem, if the 
> switch interface port-secured MAC is generic.  The following are the 
> snmptraps for each of the 3 scenarios only this time using a generic 
> port-secured MAC:
> 
> Scenario 1
> Starting with generic port-secured MAC 0002.0001.0046
> VLAN change from Registration to CustomVLAN5:
> 
> 2012-03-15|21:59:55|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1611178) 4:28:31.78|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|21:59:57|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1611334) 4:28:33.34|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|21:59:58|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1611441) 4:28:34.41|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|21:59:59|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1611584) 4:28:35.84|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 
> =======================================
> 
> Scenario 2
> Starting with generic port-secured MAC 0002.0001.0046
> VLAN change from CustomVLAN5 to Normal:
> 
> 2012-03-15|22:10:02|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1671917) 4:38:39.17|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|22:10:04|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1672069) 4:38:40.69|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|22:10:06|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1672222) 4:38:42.22|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|22:10:07|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1672325) 4:38:43.25|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 
> =======================================
> 
> Scenario 3
> Starting with generic port-secured MAC 0002.0001.0046
> VLAN change from Normal to CustomVLAN:
> 
> 2012-03-15|22:12:15|UDP: [127.0.0.1]:47565->[127.0.0.1]|138.67.244.19|BEGIN 
> TYPE 6 END TYPE BEGIN SUBTYPE .0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.6.3.1.1.4.1.0 = OID: 
> .1.3.6.1.4.1.29464.1.1|.1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 
> 10146|.1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 80 END VARIABLEBINDINGS
> 2012-03-15|22:15:00|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1701632) 4:43:36.32|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|22:15:01|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1701806) 4:43:38.06|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|22:15:03|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1701981) 4:43:39.81|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 2012-03-15|22:15:05|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN 
> TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS 
> .1.3.6.1.2.1.1.3.0 = Timeticks: (1702140) 4:43:41.40|.1.3.6.1.6.3.1.1.4.1.0 = 
> OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type 
> (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: 
> GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 
> 24 81 56 15 EA  END VARIABLEBINDINGS
> 
> I didn't unregister the node in any of these scenarios but I believe you're 
> looking for proof of successful SNMP communications, i.e. traps and sets.  
> Please let me know if I misunderstood.
> 
> Thank you!
> Steve
> ________________________________________
> From: Francois Gaudreault [[email protected]]
> Sent: Thursday, March 15, 2012 2:05 PM
> To: [email protected]
> Subject: Re: [Packetfence-users] PF 3.2 Custom VLAN Category behavior
> 
> Hi Steve,
> 
> Thank you for providing the "evidences" :)
> 
> Nowhere in your logs do I see a security trap received from the switch.
> That means, we do not have a locationlog for your device.  VLAN
> re-assignments will likely fail (scenario 2 and 3).
> 
> Let's start from 0. Things to do:
> - disconnect your device
> - unregister your device, put the device in the "no category" in PF UI
> - reset the switchport to default configuration
> interface GigabitEthernet1/0/46
>  switchport access vlan 425
>  switchport mode access
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0020.0001.0046
> end
> - reconnect your device, see if you get a security trap
> ** If you don't, this is a problem
> 
> - Open a browser, You should be able to see the portal
> - From the UI, change the status from unreg to reg, and category to
> net-admin
> - Check the logs to see the VLAN re-evaluation
> 
> Let me know the results.
> 
> Thanks!
> 
> --
> Francois Gaudreault, ing. jr
> [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
> 
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
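
Francois's check ("see if you get a security trap") can be run mechanically over the trap log format quoted above. The following is an added example, not code from this thread or from PacketFence: the function names are hypothetical, the OID names are taken from CISCO-PORT-SECURITY-MIB and IF-MIB, and the two sample lines are Scenario 3 traps from the quoted message with the e-mail line wrapping removed.

```python
import re

# OID names from CISCO-PORT-SECURITY-MIB / IF-MIB; values as seen in the quoted log.
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"           # snmpTrapOID.0
CPS_VIOLATION = ".1.3.6.1.4.1.9.9.315.0.0.1"       # cpsSecureMacAddrViolation
CPS_LAST_MAC = ".1.3.6.1.4.1.9.9.315.1.2.1.1.10."  # cpsIfSecureLastMacAddress.<ifIndex>
IF_NAME = ".1.3.6.1.2.1.31.1.1.1.1."               # ifName.<ifIndex>

# Two Scenario 3 lines from the thread, unwrapped: one sent from 127.0.0.1, one from the switch.
SAMPLE = [
    "2012-03-15|22:12:15|UDP: [127.0.0.1]:47565->[127.0.0.1]|138.67.244.19|BEGIN TYPE 6 END TYPE "
    "BEGIN SUBTYPE .0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.6.3.1.1.4.1.0 = OID: "
    ".1.3.6.1.4.1.29464.1.1|.1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 10146|"
    ".1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 80 END VARIABLEBINDINGS",
    "2012-03-15|22:15:00|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE "
    "BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1701632) "
    "4:43:36.32|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 "
    "= Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: "
    "GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA  "
    "END VARIABLEBINDINGS",
]

LINE_RE = re.compile(
    r"^(?P<date>[\d-]+)\|(?P<time>[\d:]+)\|UDP: \[(?P<src>[^\]]+)\]:\d+->\[[^\]]+\]\|"
    r"[^|]*\|.*?BEGIN VARIABLEBINDINGS (?P<vb>.*?)\s*END VARIABLEBINDINGS")

def parse_trap(line):
    """Return a dict for one log line (wrapped or not), or None if it is not a trap line."""
    m = LINE_RE.match(" ".join(line.split()))
    if not m:
        return None
    binds = {}
    for item in m["vb"].split("|"):
        oid, sep, value = item.partition(" = ")
        if sep:
            binds.setdefault(oid.strip(), value.strip())  # keep the first of duplicate OIDs
    trap_oid = binds.get(SNMP_TRAP_OID, "").removeprefix("OID: ")
    rec = {"when": f"{m['date']} {m['time']}", "src": m["src"], "trap_oid": trap_oid,
           "security": trap_oid == CPS_VIOLATION, "port": None, "mac": None}
    for oid, value in binds.items():
        if oid.startswith(IF_NAME):
            rec["port"] = value.removeprefix("STRING: ")
        elif oid.startswith(CPS_LAST_MAC):
            rec["mac"] = ":".join(value.removeprefix("Hex-STRING: ").split()).lower()
    return rec

def security_traps(lines):
    """Keep only port-security violation traps, with source, port and reported MAC."""
    return [r for r in map(parse_trap, lines) if r and r["security"]]
```

Running `security_traps()` over the full log for a port shows whether the switch sent a violation trap after the reconnect step and which MAC it reported.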

