Assuming you use ICX 7250s (Probably 7450s as well) on 8.0.40+ firmware.
# Subs added to the PacketFence Brocade switch module. $TRUE/$FALSE and the
# $RADIUS:: constants come from the module's existing imports (pf::constants
# and pf::radius::constants).

# Tells the switch to turn on LLDP-MED for the voice VLAN.
sub getVoipVsa {
    my ($self) = @_;
    my $logger = $self->logger;
    return (
        'Foundry-MAC-Authent-needs-802.1x' => $FALSE,
        'Foundry-Voice-Phone-Config'       => " ",
        'Tunnel-Type'                      => $RADIUS::VLAN,
        'Tunnel-Medium-Type'               => $RADIUS::ETHERNET,
        # Brocade wants the voice VLAN delivered tagged, hence the "T:" prefix
        'Tunnel-Private-Group-ID'          => "T:" . $self->getVlanByName('voice'),
    );
}

# Converts the Brocade ifIndex (sent as NAS-Port) to unit/slot/port format.
# (Will break anything in PF that relies on SNMP. You must use RADIUS CoA and
# can't use LLDP VoIP detection; this could be resolved, but I don't do VoIP
# detection, so I don't really care. :D)
# Layout: 64 ifIndexes per slot, 4 slots (256 ifIndexes) per stack unit,
# so 1/1/1 = 1, 1/2/1 = 65, 2/1/1 = 257. The arithmetic is zero-based so that
# the last port of a slot (ifIndex 64, 128, ...) stays in its own slot instead
# of becoming port 0 of the next one.
sub NasPortToIfIndex {
    my ($self, $nas_port) = @_;
    my $logger = $self->logger;
    my $n    = $nas_port - 1;                 # zero-based index
    my $unit = int($n / 256) + 1;             # stack unit
    my $slot = int(($n % 256) / 64) + 1;      # module slot within the unit
    my $port = ($n % 64) + 1;                 # port within the slot
    my $ifindex = "$unit/$slot/$port";
    $logger->trace("Returning NAS-Port $nas_port as ifIndex $ifindex");
    return $ifindex;
}

# Allows you to assign IP filters to MAC addresses on a port. I prefer to use
# the router image with "enable acl-per-port-per-vlan" vs the switch image.
sub supportsRoleBasedEnforcement { return $TRUE; }

# The RADIUS attribute that carries the ACL name back to the switch.
sub returnRoleAttribute {
    my ($this) = @_;
    return 'Filter-ID';
}
Part of our purchase deal was the addition of dynamic IPv6 ACL
functionality. They'll have it by the end of the year.
Excerpt switch config:
ver 08.0.40aT213
lag Uplink dynamic id 1
 ports ethernet 1/2/8 ethernet 2/2/8
 primary-port 1/2/8
 deploy
vlan XYZ name YOURVLAN by port
 tagged ethe 1/2/8 ethe 2/2/8
 loop-detection
vlan 4093 name flexauth by port
 loop-detection
!
authentication
 auth-default-vlan 4093
 max-sw-age 3600
 auth-vlan-mode multiple-untagged
 pass-through lldp
 mac-authentication enable
 mac-authentication enable ethe 1/1/1 to 1/1/48 ethe 2/1/1 to 2/1/48 ethe 3/1/1 to 3/1/48 ethe 4/1/1 to 4/1/48 ethe 5/1/1 to 5/1/48 ethe 6/1/1 to 6/1/48
 mac-authentication dot1x-override
!
aaa authentication dot1x default radius
aaa authentication login default local
aaa authorization coa enable
aaa accounting dot1x default start-stop radius
enable acl-per-port-per-vlan
ip dhcp snooping vlan XYZ
ipv6 dhcp6 snooping vlan XYZ
radius-client coa host PFHOST key YOURKEY
radius-server host PFHOST auth-port 1812 acct-port 1813 default key YOURKEY dot1x
radius-server timeout 5
interface ethernet 1/1/1
 authentication max-sessions 10
 authentication dos-protection enable
 authentication dos-protection mac-limit 2
 load-interval 30
 no spanning-tree
 inline power
 broadcast limit 100
 multicast limit 200
 unknown-unicast limit 50
 trust dscp
interface ethernet 1/2/8
 loop-detection shutdown-disable
 load-interval 30
 arp inspection trust
 dhcp snooping client-learning disable
 dhcp snooping trust
 dhcp6 snooping client-learning disable
 dhcp6 snooping trust
 ipv6-neighbor inspection trust
 no spanning-tree
 raguard trust
# If you set the ACL role in PF to ip.100.in (an allow-all ACL), "show mac-auth sessions all" will report the IP of the client.
access-list 100 permit ip any any
!
# We use this one for printers to block access to everyone except our servers (to prevent direct printing because the printer guys never set any ACLs).
access-list 110 permit ip any 10.32.0.0 0.3.255.255
access-list 110 permit ip any 10.128.0.0 0.0.255.255
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
# We use this one for some devices to only allow traffic to our servers and VDI workstations, effectively isolating them on the network.
access-list 111 permit ip any 10.32.0.0 0.3.255.255
access-list 111 permit udp any 10.60.0.0 0.3.255.255 eq 4172
access-list 111 permit tcp any 10.60.0.0 0.3.255.255 eq 4172
access-list 111 permit icmp any any
access-list 111 deny ip any 10.0.0.0 0.255.255.255
access-list 111 permit ip any any
!
lldp run
!
On Fri, Jun 17, 2016 at 12:08 PM, Guntharp, Jason W. <[email protected]>
wrote:
> Thanks Tim. That makes perfect sense. I’m assuming you directly modified
> /usr/local/pf/lib/Switch/Brocade.pm to accomplish this?
>
> *From:* Tim DeNike [mailto:[email protected]]
> *Sent:* Thursday, June 16, 2016 9:41 AM
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] portIndex
>
> Brocade uses 64 ifindexes per shelf, so port 1/1/1 is 1. 1/2/1 is 65.
> 2/1/1 is 129. And so on.
>
> I don't use LLDP or SNMP at all with my Brocades, so I modified the module
> to convert it to x/y/z format.
>
> Sent from my iPhone
>
> On Jun 16, 2016, at 9:40 AM, Guntharp, Jason W. <[email protected]>
> wrote:
>
> Has anyone had any issues with PacketFence reporting large incorrect
> switch port values on devices that are plugged into switches that are
> logically stacked? With two Brocade ICX switches in a logical stack, the
> portIndex values are being reported with values such as 297. Is there a way
> to reformat the values to be displayed accurately? I have not found any
> such cli commands on the Brocade side to correct this. Port values are
> reported accurately with a single switch.
>
> Thanks,
>
> Jason Guntharp
> Network Administrator
> Itawamba Community College
> Office: (662) 862-8106
> Email: [email protected]
>
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and
> traffic
> patterns at an interface-level. Reveals which users, apps, and protocols
> are
> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning
> reports.
> http://pubads.g.doubleclick.net/gampad/clk?id=1444514421&iu=/41014381
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
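As an added worked example (not code from this thread or from PacketFence), the ifIndex arithmetic that the posted NasPortToIfIndex sub implements, written out in Python together with its inverse so a reported portIndex can be cross-checked against the switch's own unit/slot/port numbering. It assumes the layout the posted Perl uses: 64 ifIndexes per slot and four slots per stack unit, so 1/1/1 = 1, 1/2/1 = 65 and 2/1/1 = 257. The quoted reply's statement that 2/1/1 is 129 corresponds to two slots per unit, so the slot count is a parameter rather than a constant. The sample values are constructed here; 297 is the number from the original question.

```python
"""ifIndex <-> unit/slot/port conversion for stacked Brocade/Ruckus ICX switches.

Added example, not PacketFence code. Assumes 64 ifIndexes per slot (stated in
the thread) and, by default, 4 slots per stack unit, the layout implied by the
posted NasPortToIfIndex sub (1/1/1 = 1, 1/2/1 = 65, 2/1/1 = 257).
"""

from typing import Dict, Tuple

PORTS_PER_SLOT = 64


def ifindex_to_port(ifindex: int, slots_per_unit: int = 4) -> str:
    """Map a 1-based ifIndex (what the switch sends as NAS-Port) to "unit/slot/port"."""
    if ifindex < 1:
        raise ValueError(f"ifIndex must be >= 1, got {ifindex}")
    per_unit = slots_per_unit * PORTS_PER_SLOT
    n = ifindex - 1                      # zero-based, so port 64 stays in its own slot
    unit = n // per_unit + 1
    slot = (n % per_unit) // PORTS_PER_SLOT + 1
    port = n % PORTS_PER_SLOT + 1
    return f"{unit}/{slot}/{port}"


def port_to_ifindex(name: str, slots_per_unit: int = 4) -> int:
    """Inverse mapping: "unit/slot/port" -> ifIndex, validating each field's range."""
    try:
        unit, slot, port = (int(x) for x in name.split("/"))
    except ValueError as exc:
        raise ValueError(f"expected unit/slot/port, got {name!r}") from exc
    if unit < 1 or not 1 <= slot <= slots_per_unit or not 1 <= port <= PORTS_PER_SLOT:
        raise ValueError(f"out-of-range port name {name!r}")
    return ((unit - 1) * slots_per_unit + (slot - 1)) * PORTS_PER_SLOT + port


def roundtrip_ok(ifindex: int, slots_per_unit: int = 4) -> bool:
    """True if converting to a name and back yields the original ifIndex."""
    name = ifindex_to_port(ifindex, slots_per_unit)
    return port_to_ifindex(name, slots_per_unit) == ifindex


# Constructed sample values; 297 is the value reported in the original question.
SAMPLE_IFINDEXES: Tuple[int, ...] = (1, 48, 64, 65, 72, 193, 256, 257, 297)


def sample_mapping(slots_per_unit: int = 4) -> Dict[int, str]:
    """ifIndex -> port name for the constructed samples under the given layout."""
    return {i: ifindex_to_port(i, slots_per_unit) for i in SAMPLE_IFINDEXES}


if __name__ == "__main__":
    for idx, port_name in sample_mapping().items():
        print(f"ifIndex {idx:>4} -> {port_name}")
```

Running it prints the table for the default layout; the 297 from the original question comes out as 2/1/41, i.e. a port on the second stack unit rather than a corrupted value, which is the same conclusion the thread reaches. Passing slots_per_unit=2 reproduces the 2/1/1 = 129 numbering from the quoted reply instead.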