Looks like it is probably also important to set the following in the global
config on the switches:
snmp-server ifindex persist
---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]
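For anyone mapping ports the same way: the ifIndex order reported in the quoted message below (Fa0/13 through Fa0/16 numbered after Fa0/24, Fa0/37 through Fa0/40 after Fa0/48) shows that on these switches ifIndex is not the port number, and without `snmp-server ifindex persist` IOS may also renumber interfaces across a reload. The script here is an added example, not PacketFence code and not captured from this thread's switches. It parses the textual output of `snmpwalk -v2c -c <community> <switch> IF-MIB::ifName` (net-snmp's `IF-MIB::ifName.N = STRING: X` form) into an ifIndex-to-ifName table, lists every port for which the "Fa0/N has ifIndex N" guess is wrong, and diffs two walks so a renumbering after a reload is caught before the NAC acts on the wrong port. The walk text is constructed to reproduce the order reported in the thread.

```python
"""Added example (not PacketFence code): resolve switch ports to SNMP ifIndex
values from an IF-MIB::ifName walk instead of assuming ifIndex == port number.

The sample walk output is constructed to reproduce the ifIndex order reported
in the thread (Fa0/13-16 and Fa0/37-40 numbered after their neighbours); it
was not captured from a real switch.
"""
import re


def _build_sample_walk():
    # Port order as it appears when sorted by ifIndex, per the thread.
    order = (list(range(1, 13)) + list(range(17, 25)) + list(range(13, 17))
             + list(range(25, 37)) + list(range(41, 49)) + list(range(37, 41)))
    lines = [f"IF-MIB::ifName.{idx} = STRING: Fa0/{port}"
             for idx, port in enumerate(order, start=1)]
    # Non-physical interfaces consume ifIndex values too; include one (constructed).
    lines.append("IF-MIB::ifName.49 = STRING: Vl1")
    return "\n".join(lines)


SAMPLE_WALK = _build_sample_walk()

# One line of `snmpwalk ... IF-MIB::ifName` output in net-snmp's textual form.
LINE_RE = re.compile(r"^IF-MIB::ifName\.(\d+)\s*=\s*STRING:\s*(\S+)\s*$")


def parse_ifname_walk(text):
    """Return {ifIndex: ifName} from snmpwalk output; unrelated lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mapping[int(m.group(1))] = m.group(2)
    return mapping


def port_to_ifindex(mapping):
    """Reverse map {ifName: ifIndex}: the lookup a NAC needs before acting on a port."""
    return {name: idx for idx, name in mapping.items()}


def naive_mismatches(mapping):
    """Ports where the guess 'Fa0/N has ifIndex N' is wrong: (ifIndex, actual, guessed)."""
    out = []
    for idx, name in sorted(mapping.items()):
        if name.startswith("Fa0/") and name != f"Fa0/{idx}":
            out.append((idx, name, f"Fa0/{idx}"))
    return out


def renumbered_ports(old_walk, new_walk):
    """Ports whose ifIndex differs between two walks, e.g. a walk saved before a
    reload and one taken after it when ifindex persistence was not enabled.
    Returns {ifName: (old_ifIndex, new_ifIndex)} for ports present in both."""
    old = port_to_ifindex(parse_ifname_walk(old_walk))
    new = port_to_ifindex(parse_ifname_walk(new_walk))
    return {p: (old[p], new[p]) for p in old if p in new and old[p] != new[p]}


if __name__ == "__main__":
    table = parse_ifname_walk(SAMPLE_WALK)
    for idx, actual, guessed in naive_mismatches(table):
        print(f"ifIndex {idx}: is {actual}, naive guess was {guessed}")
```

Save the walk output to a file once the mapping is correct, and run `renumbered_ports` against a fresh walk after any reload or IOS upgrade; an empty result is what `snmp-server ifindex persist` is supposed to guarantee.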
From: Gavin Pyle
Sent: Tuesday, October 02, 2012 08:52 AM
To: '[email protected]'
Subject: RE: Re: [PacketFence-users] Two oddities
Thanks Thomas for the reply!
We may indeed need to purchase support, but being that this is an open-source
product, I was hoping for some help from the community before having to spend
taxpayer money on support. My major frustration is that I had this working in
a test environment on an older version of the product, but since upgrading and
attempting to install in production, I've been fairly unsuccessful. The main
reason for implementing PF here is to prevent MPAA violations from occurring
and so far in production that hasn't worked.
In any case... I've figured out the issue with the incorrect port mappings in
the PF DB. Another tool we use for monitoring, Intermapper, lists the ifIndex
for each switch it is monitoring and if I sort the switch interfaces by
ifIndex, I get the following order: Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6,
Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/25, Fa0/26,
Fa0/27, Fa0/28, Fa0/29, Fa0/30, Fa0/31, Fa0/32, Fa0/33, Fa0/34, Fa0/35, Fa0/36,
Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46, Fa0/47, Fa0/48, Fa0/37, Fa0/38,
Fa0/39, Fa0/40.
This explains the issue, but now I have the exciting task of evaluating the
ifIndices of each switch and reconfiguring the port-security "dummy" MAC for
each incorrectly identified port. Hopefully this fixes the issue permanently,
but I'm not sure that it will, because I don't know how PF determines this from
the start.
I'm still stuck on the detection issue though... There are the WARN: messages
such as the one below that indicate PF is detecting violations, but it keys in
on the remote network IP address rather than the local network IP. I'm guessing
that if PF can't determine the MAC, then it can't determine the switch port and
place the port in the isolationVlan, but I would think it would still send an
e-mail alert; I guess not. Still, why is it keying in on the remote network IP
address rather than the local network IP?
Oct 02 08:12:42 pfdetect(13692) WARN: pfdetect: 114.22.11.236 MAC NOT FOUND for violation 2003320 [ET] (main::)
Oct 02 08:12:44 pfdetect(13692) INFO: alert received: 10/02-08:12:44.001283 [**] [1:2003315:3] ET P2P Edonkey Search Reply [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 114.22.11.236:53663 -> 172.168.1.29:42089 (main::)
Oct 02 08:12:44 pfdetect(13692) INFO: could not resolve 114.22.11.236 to mac in ARP table (pf::iplog::ip2macinarp)
Oct 02 08:12:44 pfdetect(13692) WARN: could not resolve 114.22.11.236 to mac (pf::iplog::ip2mac)
Oct 02 08:12:44 pfdetect(13692) WARN: pfdetect: 114.22.11.236 MAC NOT FOUND for violation 2003315 [ET] (main::)
Thanks,
---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]
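What the log above shows, read on its own: the alert is a search *reply*, so the source address is the remote peer (114.22.11.236) and the destination is the local host (172.168.1.29). A resolver that always takes the source address will look up the remote IP, which can never be in the local ARP or iplog table, and that is the address the "MAC NOT FOUND" lines name. The script below is an added example, not PacketFence's code and not a description of how pfdetect actually selects the address: it parses Snort's fast-alert line format, picks whichever endpoint falls inside a local prefix, and only then does the IP-to-MAC lookup. The local prefix 172.168.0.0/16 is an assumption chosen to match the address in the log (note that 172.168.0.0/16 is not RFC 1918 space; substitute the real access VLAN ranges), and the ARP table and extra alert lines are constructed.

```python
"""Added example (not PacketFence code): choose the local endpoint of a Snort
fast-alert line before resolving IP -> MAC, instead of always taking the
source address. For inbound alerts (a search *reply* from a remote peer) the
source is the remote host, so a source-only rule looks up an IP that can never
be in the local ARP/iplog table.

Everything here is constructed for the example: the local prefix is an
assumption, the ARP table is fake, and the alert lines are modelled on the
one quoted in the thread (same SID, same addresses for the first one).
"""
import ipaddress
import re

# Assumed local network(s); replace with the real access VLAN ranges.
LOCAL_NETS = ["172.168.0.0/16"]

# Constructed ARP/iplog table: only local hosts can ever appear here.
ARP_TABLE = {"172.168.1.29": "00:11:22:33:44:55"}

# Constructed alerts in Snort "fast" output format.
SAMPLE_REPLY = ("10/02-08:12:44.001283 [**] [1:2003315:3] ET P2P Edonkey Search Reply [**] "
                "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
                "{UDP} 114.22.11.236:53663 -> 172.168.1.29:42089")
# Outbound direction; SID 9999001 is a placeholder, not a real ET rule.
SAMPLE_OUTBOUND = ("10/02-08:12:50.000001 [**] [1:9999001:1] EXAMPLE P2P outbound (constructed) [**] "
                   "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
                   "{UDP} 172.168.1.29:42089 -> 114.22.11.236:53663")
# Neither endpoint local (documentation-range addresses): nothing to resolve.
SAMPLE_TRANSIT = ("10/02-08:13:00.000001 [**] [1:2003315:3] ET P2P Edonkey Search Reply [**] "
                  "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
                  "{UDP} 198.51.100.7:4000 -> 203.0.113.9:4001")

# Ports are optional so ICMP alerts ("{ICMP} a -> b") parse too.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s*"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_fast_alert(line):
    """Parse one Snort fast-alert line into a dict; None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def naive_source(alert):
    """The source-only rule: always the first address, wrong for inbound alerts."""
    return alert["src"]


def local_endpoint(alert, local_nets=LOCAL_NETS):
    """Whichever endpoint lies inside a local prefix, or None for transit traffic."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    for ip in (alert["src"], alert["dst"]):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


def resolve_mac(line, arp=ARP_TABLE, local_nets=LOCAL_NETS):
    """Parse, pick the local side, look it up. Returns (ip, mac): ip is None when
    neither endpoint is local, mac is None when the chosen IP is not in the table."""
    alert = parse_fast_alert(line)
    if alert is None:
        return (None, None)
    ip = local_endpoint(alert, local_nets)
    return (ip, arp.get(ip) if ip else None)


if __name__ == "__main__":
    a = parse_fast_alert(SAMPLE_REPLY)
    print("source-only rule:", naive_source(a), "->", ARP_TABLE.get(naive_source(a)))
    print("local-side rule :", resolve_mac(SAMPLE_REPLY))
```

The two prints in the `__main__` block show the contrast on the thread's own alert: the source-only rule yields the remote peer and no MAC, the local-side rule yields 172.168.1.29 and its (constructed) MAC. The transit case returns no IP at all, which is the one situation where "MAC NOT FOUND" is the right outcome.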
From: Thomas Tsai [mailto:[email protected]]
Sent: Monday, October 01, 2012 16:20 PM
To: '[email protected]'
Subject: Re: [PacketFence-users] Two oddities
1) Didn't use auto-reg, so not sure. But all new devices show
unregistered for me.
2) Check logs under /usr/local/pf/logs/packetfence.log
3) P2P detection? I suggest you forget that step until you get the rest
of it working exactly as you want. I haven't been able to get it working
quite yet either.
And if you have a time crunch or a timeline you need to follow, you can always
purchase support from Inverse. The Inverse guys randomly answer some of my
questions, while not my other questions. This is free support. Sometimes you
get ignored.
From: Gavin Pyle [mailto:[email protected]]
Sent: Monday, October 01, 2012 4:07 PM
To: [email protected]
Subject: Re: [PacketFence-users] Two oddities
Hi,
Does anyone have any suggestions regarding the problems I'm facing implementing
PacketFence? For some reason no one ever replies to my questions while I see
most other posts are responded to rather quickly. If I've said anything in my
previous posts to offend anyone, I sincerely apologize. Or perhaps I'm just
not making my questions/issues clear enough? Thanks in any case.
Regards,
---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users