Hi Guys,

I've just done a PF deployment on Cisco switches with VoIP and port-security and
there are issues/bugs with IOS when you have this kind of setup.

Try to upgrade the IOS to a more recent one (> 12.2(50)xxx) and test again.
I'm almost convinced that the line will not disappear anymore. How come a config
line could be removed when you unplug a device?!?!
This has to be a bug.

Keep us posted.

Regards.

Regis Balzard
[email protected]  ::  +1.514.447.4918 (x110)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


Andreas Gröschl wrote:
> Hi Oliver,
> Hi Mailing List,
> 
> I have the same problem on a Cisco 3750 stack.
> 
> The removal of "switchport port-security maximum 1 vlan access" is
> definitely a problem.
> 
> Do you have any fixes or ideas on how I can fix this problem?
> 
> My Cisco 3750 has version: WS-C3750-24P       12.2(25)SEB4       C3750-IPBASE-M
> 
> 
> Without a fix for this problem, I think the best practice would be
> to go back to link-up/link-down and MAC notifications.
> 
> We have 1300 nodes (PC, printer) and 700 IP phones in our network. Do
> you think this would be a performance problem?
> 
> Thanks, Andi
> 
> 
> 2010/6/16 Olivier Bilodeau <[email protected]>
> 
>     Hi Kurtis,
> 
>     First, thanks for your great documentation of your problem. This helps a
>     lot and makes it pleasant to help! :)
> 
>     ...
>      > mac address of Laptop(1) shows up in PF. No computername or dhcp time
>      > information is present, just the mac and the switchport it is attached
>      > to. (Phone1) still does not show up in PF. Somewhat good but the sudden
>      > absence of data collected by PF is unsettling.
>      >
> 
>     There are two ways to handle VoIP:
>     - You auto-register them and manage them
>     - The switch supports a VoiceVLAN and you let the port-security
>     automatically allow MACs into the voice vlan
> 
>     The Cisco config you used (and we recommend) is method #2. By setting a
>     maximum of 2 and a maximum on access VLAN of 1, the remaining 1 MAC is
>     dynamic and gets assigned to the voice vlan. No trap is sent to PF so
>     the phone won't show up in PF. Everything normal there.
> 
>     The no dhcp or computername information is unrelated but not normal.
>     What have you done to make sure that PF gets the normal / registration
>     DHCP? (IP-Helpers or vlan interface and pf.conf's type=dhcplistener...)
> 
>      >>
>      >
>      >
>      >
>      > <3
>      >
>      > Manually register Laptop(1) with PF
>      >
>      > 5d01h: %SYS-CLUSTER_MEMBER_2-5-CONFIG_I: Configured from X.X.X.X by snmp
>      >
>      > port config is now:
>      >
>      > interface FastEthernet0/24
>      >  switchport access vlan 121
>      >  switchport mode access
>      >  switchport voice vlan 200
>      >  switchport port-security
>      >  switchport port-security maximum 2
>      >  switchport port-security violation restrict
>      >  switchport port-security mac-address 00e0.9114.675e
>      >  spanning-tree portfast
>      >
>      > mac address of Laptop(1) shows up in PF. No computername or dhcp time
>      > information is present, just the mac and the switchport it is attached
>      > to. (Phone1) still does not show up in PF. The line that I added
>      > “switchport port-security maximum 1 vlan access” is now gone from the
>      > port config and the vlan has changed to 121, the mac detect vlan that
>      > has no ip addresses associated
>      >
> 
>     The removal of "switchport port-security maximum 1 vlan access" is
>     definitely a problem. It is not intentionally removed.
> 
>     I suspect an IOS issue since we have various setups that do work using
>     Cisco (2960s) with VoIP and PacketFence. The line is not removed by our
>     actions over SNMP.
> 
>     What version of PacketFence are you running?
>     What IOS version?
>     Can you test other IOSes?
>     Are you using 3560's only?
> 
>     Keep us posted.
>     --
>     Olivier Bilodeau
>     [email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
>     Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>     (www.packetfence.org)
> 
>     
>     _______________________________________________
>     Packetfence-users mailing list
>     [email protected]
>     https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 

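A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of PacketFence's code: it parses `show running-config` text and reports ports that have port-security and a voice VLAN but have lost one of the two `maximum` lines from the recommended config. The Fa0/23 stanza and the function names are constructed for illustration; the Fa0/24 stanza is the one quoted above.

```python
# Constructed sample: Fa0/23 is a made-up healthy port, Fa0/24 is the port
# config quoted in the thread after the "maximum 1 vlan access" line vanished.
SAMPLE_CONFIG = """\
interface FastEthernet0/23
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
!
interface FastEthernet0/24
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 00e0.9114.675e
 spanning-tree portfast
!
"""

# The two lines the thread's VoIP setup (method #2) depends on.
REQUIRED = ("switchport port-security maximum 2",
            "switchport port-security maximum 1 vlan access")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:  # "!" or any non-indented line closes the stanza
            current = None
    return interfaces

def audit_voip_ports(config):
    """Return (interface, missing line) pairs for port-security + voice VLAN ports."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        has_voice = any(l.startswith("switchport voice vlan ") for l in lines)
        if has_voice and "switchport port-security" in lines:
            findings += [(name, req) for req in REQUIRED if req not in lines]
    return findings
```

Running `audit_voip_ports` against a saved config before and after unplugging a device shows whether a given IOS version still drops the line.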