Hi Kurtis,

First of all, let me say that IPT (aka VoIP) support is very tricky.

We have two approaches. Either:
a) PacketFence manages the device and thus must recognize it and 
register it automatically

or

b) We rely on the automatic recognition of the IPT by the switch and use 
a dynamic port-security only for the voice vlan


From your config, I see that you are using approach b) (what we 
recommend). You correctly allow 2 mac-addresses max but you do not lock 
1 MAC to the data vlan, which is what is required to prevent a new PC from 
getting access if the IPT is removed (and other scenarios).

Please add the following config to your VoIP ports and try your tests again:
int fa0/xx
   switchport port-security maximum 1 vlan access

I'm not sure if the documentation is wrong but I just checked against 
our latest (unreleased) version and it is correct.

However this might not solve all of your problems so please test again 
and let us know.

Thanks for your thoroughness, it's appreciated!
Have a good one!

Kurtis Drefs wrote:
> I have documented what I see as some problems with the way PF works when 
> Voip phones are introduced. I hope you can follow this and give some 
> input as to why this is happening and if there is a simple switch 
> configuration fix for this scenario.
> 
> Using ZEN 1.87
> 
> Catalyst 3560 Version 12.2(25r)
> 
> I start with a blank switchport that is configured for an IP phone with 
> a phony mac address
> 
> VLAN 101 is a public by default vlan.
> 
> VLAN 1 is regular data for registered devices
> 
> 00:17:95:cf:0f:5b is the mac of Cisco IP (Phone1)
> 
> 00:17:e0:16:90:3f is the mac of Cisco IP (Phone2)
> 
> 00e0.9114.675e is the mac of laptop (1)
> 
> 00a0.d1a4.5a44 is the mac of laptop (2)
> 
> 
> Global switch config=
> 
> snmp-server community TEST*NAC RO
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server enable traps stpx root-inconsistency loop-inconsistency
> snmp-server host X.X.X.X version 2c TEST*NAC  port-security
> 
>  
> 
> 1:
> 
> Start with a blank config
> 
> interface FastEthernet0/24
>  switchport access vlan 101
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0000.0024
> 
> then plug in a Cisco (Phone1). It auto-registers with PF and the port 
> config is.
> 
>  
> 
> interface FastEthernet0/24
>  switchport access vlan 101
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0000.0024
> 
> 
> 2:
> 
> then plug in a laptop (1) to the phone
> 
> 21:50:10: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 00e0.9114.675e on port 
> FastEthernet0/24.
> 
> 21:50:13: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
>  
> 
> Port config is now (mac address has changed and vlan is correct) Good
> 
>  
> 
> interface FastEthernet0/24
>  switchport access vlan 101
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 00e0.9114.675e
> 
> 
> 3:
> 
> register (Laptop1) with the PF server
> 21:54:59: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> Vlan has changed for the registered device. Excellent
> 
>  
> 
> interface FastEthernet0/24
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 00e0.9114.675e
> 
> 
> 4:
> 
> So far, so good but
> 
> Unplug the Cisco Phone and introduce a new unregistered (Laptop 2) 
> directly to the switchport. This appears to be a very simple bypass of 
> the whole system
> 
> No trap is sent to PF. The new machine does not show up on the PF server 
> at all and switch port stays at the last VLAN that was configured which 
> in this case is VLAN 1. Not good.
>  
> 
> 22:01:15: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
> 
>  
> 
> interface FastEthernet0/24
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 00e0.9114.675e
> 
> 
> 5:
> 
> Next problem, Unplug everything from this switchport and introduce a 
> different Cisco (Phone2)
> 
> No trap is sent, ip phone is granted access, no entry in PF regarding 
> the new phone
> 
>  
> 
> 22:11:05: %ILPOWER-CLUSTER_MEMBER_2-7-DETECT: Interface Fa0/24: Power 
> Device detected: IEEE PD
> 
> 22:11:05: %ILPOWER-CLUSTER_MEMBER_2-5-POWER_GRANTED: Interface Fa0/24: 
> Power granted
> 
> 22:11:09: %LINK-CLUSTER_MEMBER_2-3-UPDOWN: Interface FastEthernet0/24, 
> changed state to up
> 
> 22:11:10: %LINEPROTO-CLUSTER_MEMBER_2-5-UPDOWN: Line protocol on 
> Interface FastEthernet0/24, changed state to up
> 
>  
> 
> Port config has not changed.
> 
> interface FastEthernet0/24
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 00e0.9114.675e
> 
> 
> 6:
> 
> Plug in unregistered (Laptop 2) to the newly introduced Cisco IP (Phone2)
> 
> 22:17:22: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 00a0.d1a4.5a44 on port 
> FastEthernet0/24.
> 
> 22:17:27: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X
> 
> VLAN and mac have changed. (Laptop2) now shows up in PF as an 
> unregistered device. Good but a little late
> 
>  
> 
> interface FastEthernet0/24
>  switchport access vlan 101
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 00a0.d1a4.5a44
> 
> 
> 7:
> 
> Unplug the phone from the switchport. Plug the registered Laptop 
> (1) into the phone before powering. Plug in the phone.
> 
> Get an endless supply of this. (Phone2) is now a problem
> 
> 22:26:03: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:26:07: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:26:18: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:26:23: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:26:51: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:26:55: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:26:59: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:26:59: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:27:03: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:27:07: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:27:11: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:27:23: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:27:27: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:27:31: %PORT_SECURITY-CLUSTER_MEMBER_2-2-PSECURE_VIOLATION: Security 
> violation occurred, caused by MAC address 0017.e016.903f on port 
> FastEthernet0/24.
> 
> 22:27:31: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> 22:27:35: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
> 
> Port config has not changed even though it should now be changed to vlan 
> 1 for (Laptop1)
> 
> interface FastEthernet0/24
>  switchport access vlan 101
>  switchport mode access
>  switchport voice vlan 200
>  switchport port-security
>  switchport port-security maximum 2
>  switchport port-security violation restrict
>  switchport port-security mac-address 00a0.d1a4.5a44
> 
> 
> 8:
> 
> Unplug and replug the registered (Laptop1) into the Cisco phone
> 
> Same results as directly above. Endless violation messages and messages 
> saying that the port is reconfigured and nothing happens with the switch 
> configuration.
> 
> 
> 9:
> 
> Unplug and replug the unregistered (Laptop2) into the Cisco phone
> 
> Same results as above. Endless violation messages and messages saying 
> that the port is reconfigured and nothing happens with the switch 
> configuration.
> 
> It is now stuck and the only way to fix it is to blank out the port 
> config again.
> 
> I would hate to have to go and delete mac addresses from a port every 
> time a phone is swapped out.
> 
> The security problem associated with step 4 is, well, a problem. At this 
> point I can't start putting this into production. If I had no phones I 
> think that this would work perfectly.
> 


-- 
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
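A config audit for the recommendation above (lock one MAC to the data VLAN on every port that carries a voice VLAN), as an added example and not code from either poster or from PacketFence. The sample running-config is constructed: Kurtis's port as posted, plus a second port that already carries the recommended line; it assumes the IOS convention that a `!` line or a global command ends an interface block.

```python
# Constructed sample: Kurtis's VoIP port as posted (missing the per-VLAN limit)
# plus a second port with the recommended line, for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet0/24
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0024
!
interface FastEthernet0/23
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
"""

def parse_interfaces(cfg):
    """Split an IOS running-config into {interface name: [sub-commands]}."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ifaces

def audit_voip_port(cmds):
    """Findings for one port; an empty list means the port passes."""
    if not any(c.startswith("switchport voice vlan") for c in cmds):
        return []  # no voice VLAN: the phone-plus-PC rule does not apply
    findings = []
    if "switchport port-security" not in cmds:
        findings.append("port-security not enabled")
    if "switchport port-security maximum 2" not in cmds:
        findings.append("total maximum should be 2 (phone + PC)")
    # Without the per-VLAN limit, a PC plugged in after the phone is removed
    # can sit on the data VLAN the port was last switched to (Kurtis's step 4).
    if "switchport port-security maximum 1 vlan access" not in cmds:
        findings.append("missing 'switchport port-security maximum 1 vlan access'")
    return findings

def audit_config(cfg):
    return {name: audit_voip_port(cmds) for name, cmds in parse_interfaces(cfg).items()}
```

Run it over a saved `show running-config`; ports without a voice VLAN are skipped, so it reports only on phone ports.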

