P.S., my summary on 3/15 must be correct: "In summary, I'm guessing the already registered and port-secured MAC is interfering with the switch interface changing VLANs except in the case where the initial VLAN is the Registration VLAN... Perhaps the port-secured MAC needs to be changed to a generic MAC (0002.0001.0046) at node disconnect to have this work as I'm envisioning, but it does VLAN switch somewhat (with the browser's activation) with a Registration initial VLAN."
I understand Port-Security will not SNMP trap if the connecting MAC is the same as the interface's port-secured MAC, so this explains why I don't and won't get a Custom->Normal or Normal->Custom VLAN switch. And the switch from the Registration VLAN to a Custom VLAN, even with a port-secured MAC that is registered, is a result of the web portal, and nothing to do with Port Security traps. So... am I way off course to think changing the interface's port-secured MAC to a generic MAC when the interface goes down would fix these 'non-typical' VLAN moves I'm testing? Am I expecting and/or worrying too much about these unusual VLAN move scenarios?

Steve

On Mar 22, 2012, at 2:14 PM, Steve Wittstruck wrote:

> Hi Francois,
>
> I thought I should check in and make sure I didn't miss something.
>
> In summary, our VLAN switching with generic port-secured MAC addresses works
> perfectly, but if there's a unique and registered port-secured MAC and we're
> switching from 1) Registration to Custom, 2) Custom to Normal, and 3) Normal
> to Custom, we have varying degrees of failure (described in detail earlier).
> If one can consider generic MACs, e.g. 0020.0001.0046, unregistered, then
> these scenarios have been tested and work perfectly with unregistered MACs.
>
> For a bit of rationale why these scenarios are needed: 1) a small handful of
> experienced network professionals share administration duties and it's quite
> normal, even expected, for administrators to make configuration changes, e.g.
> VLAN, directly on the switch, and 2) we have a somewhat disparate switching
> infrastructure, though predominantly Cisco, so administrative flexibility is
> highly valued.
>
> Again, thank you for all the assistance you've given. To say we're appreciative
> is understating things.
>
> Steve
> CSM
>
> On Mar 15, 2012, at 4:28 PM, Steve Wittstruck wrote:
>
>> Francois,
>>
>> You're welcome. And I apologize for not being as clear as I should have
>> been.
>> I should have said VLAN switching does occur without problem, if the
>> switch interface port-secured MAC is generic. The following are the
>> snmptraps for each of the 3 scenarios, only this time using a generic
>> port-secured MAC:
>>
>> Scenario 1
>> Starting with generic port-secured MAC 0002.0001.0046
>> VLAN change from Registration to CustomVLAN5:
>>
>> 2012-03-15|21:59:55|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1611178) 4:28:31.78|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|21:59:57|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1611334) 4:28:33.34|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|21:59:58|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1611441) 4:28:34.41|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|21:59:59|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1611584) 4:28:35.84|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>>
>> =======================================
>>
>> Scenario 2
>> Starting with generic port-secured MAC 0002.0001.0046
>> VLAN change from CustomVLAN5 to Normal:
>>
>> 2012-03-15|22:10:02|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1671917) 4:38:39.17|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|22:10:04|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1672069) 4:38:40.69|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|22:10:06|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1672222) 4:38:42.22|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|22:10:07|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1672325) 4:38:43.25|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>>
>> =======================================
>>
>> Scenario 3
>> Starting with generic port-secured MAC 0002.0001.0046
>> VLAN change from Normal to CustomVLAN:
>>
>> 2012-03-15|22:12:15|UDP: [127.0.0.1]:47565->[127.0.0.1]|138.67.244.19|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.29464.1.1|.1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 10146|.1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 80 END VARIABLEBINDINGS
>> 2012-03-15|22:15:00|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1701632) 4:43:36.32|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|22:15:01|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1701806) 4:43:38.06|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|22:15:03|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1701981) 4:43:39.81|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>> 2012-03-15|22:15:05|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1702140) 4:43:41.40|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|.1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS
>>
>> I didn't unregister the node in any of these scenarios, but I believe you're
>> looking for proof of successful snmp communications, i.e. traps and sets.
>> Please let me know if I misunderstood.
>>
>> Thank you!
>> Steve
>> ________________________________________
>> From: Francois Gaudreault [[email protected]]
>> Sent: Thursday, March 15, 2012 2:05 PM
>> To: [email protected]
>> Subject: Re: [Packetfence-users] PF 3.2 Custom VLAN Category behavior
>>
>> Hi Steve,
>>
>> Thank you for providing the "evidences" :)
>>
>> Nowhere in your logs do I see a security trap received from the switch.
>> That means we do not have a locationlog for your device. VLAN
>> re-assignments will likely fail (scenario 2 and 3).
>>
>> Let's start from 0.
>> Things to do:
>> - disconnect your device
>> - unregister your device, put the device in the "no category" in PF UI
>> - reset the switchport to default configuration
>>
>> interface GigabitEthernet1/0/46
>>  switchport access vlan 425
>>  switchport mode access
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0020.0001.0046
>> end
>>
>> - reconnect your device, see if you get a security trap
>> ** If you don't, this is a problem
>>
>> - Open a browser, you should be able to see the portal
>> - From the UI, change the status from unreg to reg, and category to
>> net-admin
>> - Check the logs to see the VLAN re-evaluation
>>
>> Let me know the results.
>>
>> Thanks!
>>
>> --
>> Francois Gaudreault, ing. jr
>> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>> (www.packetfence.org)
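An added example, not code from this thread or from PacketFence: a small parser for snmptrapd lines in the format quoted above, which pulls out the sender, trap type, ifIndex, ifName and last secure MAC, and answers the check Francois asks for (did the switch itself send a port-security trap for the port?). The two sample lines are copied from the thread; treating the 1.3.6.1.4.1.29464 prefix as PacketFence's locally generated trap is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OID prefixes from the thread's snmptrapd lines: 1.3.6.1.4.1.9.9.315 is CISCO-PORT-SECURITY-MIB
# (.0.0.1 = secure-MAC violation trap); taking 1.3.6.1.4.1.29464 as PacketFence's local trap is an assumption.
CISCO_PORT_SECURITY = ".1.3.6.1.4.1.9.9.315"
PF_LOCAL = ".1.3.6.1.4.1.29464"
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"           # snmpTrapOID.0
IF_INDEX, IF_NAME = ".1.3.6.1.2.1.2.2.1.1.", ".1.3.6.1.2.1.31.1.1.1.1."
CPS_LAST_MAC = ".1.3.6.1.4.1.9.9.315.1.2.1.1.10."  # cpsIfSecureLastMacAddress

@dataclass
class Trap:
    when: str
    source: str             # sender IP: the switch, or 127.0.0.1 for a local trap
    kind: str               # "cisco-port-security", "packetfence-local" or "other"
    if_index: Optional[int] = None
    if_name: Optional[str] = None
    mac: Optional[str] = None   # last secure MAC, Cisco dotted form

def parse_trap_line(line: str) -> Trap:
    # fields: date|time|transport|agent-address|body; the body's varbinds are '|'-separated too
    date, clock, transport, _agent, body = line.strip().split("|", 4)
    source = re.match(r"UDP: \[([^\]]+)\]", transport).group(1)
    raw = re.search(r"BEGIN VARIABLEBINDINGS (.*) END VARIABLEBINDINGS", body).group(1)
    bindings = [vb.partition(" = ")[::2] for vb in raw.split("|")]  # (oid, value), in order
    trap_oid = next(v for o, v in bindings if o == SNMP_TRAP_OID).replace("OID: ", "")
    kind = ("cisco-port-security" if trap_oid.startswith(CISCO_PORT_SECURITY)
            else "packetfence-local" if trap_oid.startswith(PF_LOCAL) else "other")
    trap = Trap(f"{date} {clock}", source, kind)
    for oid, value in bindings:
        if oid.startswith(IF_INDEX) and trap.if_index is None:  # first ifIndex wins (local trap repeats it)
            trap.if_index = int(re.search(r"(\d+)\s*$", value).group(1))  # Gauge32 "Wrong Type": trailing number
        elif oid.startswith(IF_NAME):
            trap.if_name = value.replace("STRING: ", "")
        elif oid.startswith(CPS_LAST_MAC):
            h = value.replace("Hex-STRING: ", "").replace(" ", "").lower()
            trap.mac = ".".join(h[i:i + 4] for i in range(0, 12, 4))
    return trap

def port_security_trap_seen(lines: List[str], if_name: str) -> bool:
    # the check asked for in the thread: did the switch itself send a port-security trap for this port?
    return any(t.kind == "cisco-port-security" and t.if_name == if_name for t in map(parse_trap_line, lines))

# Two lines copied from the thread above: a switch port-security trap, then a local one.
SAMPLE_LINES = [
    "2012-03-15|21:59:55|UDP: [138.67.244.19]:58083->[138.67.244.17]|0.0.0.0|BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE "
    "BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.1.3.0 = Timeticks: (1611178) 4:28:31.78|.1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.9.9.315.0.0.1|"
    ".1.3.6.1.2.1.2.2.1.1.10146 = Wrong Type (should be INTEGER): Gauge32: 10146|.1.3.6.1.2.1.31.1.1.1.1.10146 = STRING: GigabitEthernet1/0/46|"
    ".1.3.6.1.4.1.9.9.315.1.2.1.1.10.10146 = Hex-STRING: 00 24 81 56 15 EA END VARIABLEBINDINGS",
    "2012-03-15|22:12:15|UDP: [127.0.0.1]:47565->[127.0.0.1]|138.67.244.19|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .0 END SUBTYPE "
    "BEGIN VARIABLEBINDINGS .1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.29464.1.1|.1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 10146|"
    ".1.3.6.1.2.1.2.2.1.1.10146 = INTEGER: 80 END VARIABLEBINDINGS",
]
```

Run over a full snmptrapd log, `port_security_trap_seen` returns False exactly when only local traps and no switch-originated CISCO-PORT-SECURITY-MIB traps were logged for the port, which is the "this is a problem" case in the checklist.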
