Okay. I thought this through and here's a better demonstration for the 6500 catalyst problems.
I have a new port setup on gi3/48. I've configured a default port config on the switch as follows:

interface GigabitEthernet3/48
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address 0200.0100.0096
 switchport port-security mac-address 0200.0100.0348
end

...where vlan 10 = data (normal) network, and vlan 20 = voice network.

I then proceed to connect a brand new Cisco 9971 VoIP phone into this port. (c40a.cbe0.0000)

switch log shows:

%ILPOWER-7-DETECT: Interface Gi3/48: Power Device detected: Cisco/IEEE PD
%PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c40a.cbe0.0000 on port GigabitEthernet3/48.
%PORT_SECURITY-SPSTBY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c40a.cbe0.0000 on port GigabitEthernet3/48.

packetfence.log shows:

Apr 18 19:18:27 pfsetvlan(4) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Apr 18 19:18:28 pfsetvlan(4) INFO: secureMacAddrViolation trap received on [internal_ip] ifIndex 96 for c4:0a:cb:e0:00:00 (main::handleTrap)
Apr 18 19:18:28 pfsetvlan(4) INFO: node c4:0a:cb:e0:00:00 does not yet exist in PF database. Adding it now (main::node_update_PF)
Apr 18 19:18:28 pfsetvlan(4) INFO: authorizing VoIP c4:0a:cb:e0:00:00 (old entry 02:00:01:00:00:96) at new location [switch_ip] ifIndex 96 VLAN 20 (main::handleTrap)
Apr 18 19:18:28 pfsetvlan(4) WARN: SNMP error tyring to remove or add secure rows to ifIndex 96 in port-security table. This could be normal. Error message: Received inconsistentValue(12) error-status at error-index 1 (pf::SNMP::Cisco::Catalyst_6500::authorizeMAC)
Apr 18 19:18:28 pfsetvlan(4) INFO: finished (main::cleanupAfterThread)

and looking at the running config again:

interface GigabitEthernet3/48
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address 0200.0100.0096
 switchport port-security mac-address 0200.0100.0348
end

no net change -- but from the logs, we know and see that the MAC is added to PF db, and that the phone is detected as VOIP device. However, snmp was trying to remove/add the config, and could not.

To move past this to demonstrate the second issue I've found, I'm going to manually add the phone mac address into the switch. I will demonstrate the scenario where the phone is already existent in the environment and where an end-user may plug a device into the integrated Ethernet port on these Cisco phones.

switch# sh run int gi3/48
interface GigabitEthernet3/48
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address 0200.0100.0096
 switchport port-security mac-address c40a.cbe0.0000 vlan voice
end

So here I've removed one of the placeholder mac addresses and manually added the phone mac address into the switch. (c40a.cbe0.0000 is the Cisco phone)

I then proceed to plug in a laptop that is already recognized/registered with packetfence (but in a different port) into the integrated ethernet port on the phone:

switch# sh log
%PORT_SECURITY-SP-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6800.99f8.009b on port GigabitEthernet3/48.
%PORT_SECURITY-SPSTBY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 6800.99f8.009b on port GigabitEthernet3/48.
%SYS-5-CONFIG_I: Configured from [packetfence_ip] by snmp

packetfence.log shows:

Apr 18 19:29:58 pfsetvlan(8) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Apr 18 19:29:58 pfsetvlan(8) INFO: secureMacAddrViolation trap received on [switch_ip] ifIndex 96 for 68:00:99:f8:00:9b (main::handleTrap)
Apr 18 19:29:58 pfsetvlan(8) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: [switch_ip] (main::do_port_security)
Apr 18 19:29:58 pfsetvlan(8) INFO: MAC not found on node's previous switch secure table or switch inaccessible. (main::do_port_security)
Apr 18 19:29:58 pfsetvlan(8) INFO: [NOT CUSTOM] MAC: 68:00:99:f8:00:9b, PID: admin, Status: reg. Returned VLAN: 50 (pf::vlan::fetchVlanForNode)
Apr 18 19:29:58 pfsetvlan(8) INFO: authorizing 68:00:99:f8:00:9b at new location [switch_ip] ifIndex 96 (main::handleTrap)
Apr 18 19:29:58 pfsetvlan(8) WARN: SNMP error tyring to remove or add secure rows to ifIndex 96 in port-security table. This could be normal. Error message: Received inconsistentValue(12) error-status at error-index 1 (pf::SNMP::Cisco::Catalyst_6500::authorizeMAC)
Apr 18 19:29:58 pfsetvlan(8) INFO: finished (main::cleanupAfterThread)

switch# sh run int gi3/48
interface GigabitEthernet3/48
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address c40a.cbe0.0000 vlan voice
 switchport port-security mac-address 0200.0100.0096
end

If any more info is required, let me know.
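To make the two violations above reproducible offline, here is an added Python example (not PacketFence code and not from the thread) that parses the port-security settings of an interface stanza, normalizes the dotted Cisco MAC form to the colon form pfsetvlan logs, and predicts whether a source MAC is already secure, would be learned into a free slot, or triggers the configured violation action. The stanza below is constructed from the thread's running config.

```python
import re

# Constructed sample: gi3/48 stanza from the thread (phone added "vlan voice").
SAMPLE_STANZA = """\
interface GigabitEthernet3/48
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address 0200.0100.0096
 switchport port-security mac-address c40a.cbe0.0000 vlan voice
end
"""

MAC_LINE = re.compile(r"switchport port-security mac-address (?:sticky )?"
                      r"([0-9a-fA-F.]+)(?: vlan (voice|access))?$")

def normalize_mac(mac):
    """Colon form for dotted/colon/dash MACs so log and config entries compare."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_port_security(stanza):
    """Maximum, violation mode and secure-MAC table (MAC -> vlan role) from a stanza."""
    cfg = {"maximum": 1, "violation": "shutdown", "secure": {}}  # IOS defaults
    for raw in stanza.splitlines():
        line = raw.strip()
        m = MAC_LINE.match(line)
        if m:  # "mac-address sticky" alone carries no MAC and is skipped
            cfg["secure"][normalize_mac(m.group(1))] = m.group(2) or "access"
        elif line.startswith("switchport port-security maximum "):
            cfg["maximum"] = int(line.split()[3])
        elif line.startswith("switchport port-security violation "):
            cfg["violation"] = line.split()[3]
    return cfg

def classify_frame(cfg, mac):
    """'secure' if in table, 'learn' if a slot is free, else the violation action."""
    mac = normalize_mac(mac)
    if mac in cfg["secure"]:
        return "secure"
    if len(cfg["secure"]) < cfg["maximum"]:
        return "learn"
    return cfg["violation"]  # restrict = frames dropped + PSECURE_VIOLATION trap
```

With the sample stanza the phone MAC classifies as secure while the laptop MAC 6800.99f8.009b hits restrict, matching the second violation in the logs; swapping the phone line back to the 0200.0100.0348 placeholder reproduces the first.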
-----Original Message-----
From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]
Sent: Thursday, March 15, 2012 8:07 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [Packetfence-users] Packetfence v3.2 and Cisco 6500 port-security problem - VLAN ACCESS

Hi Thomas,

As stated in the 6500 module documentation, we did not test it using VoIP.

=head1 STATUS

Supports port-security.

VoIP not tested.

...

Can you try setting a mac address on the voice vlan as well :

switchport port-security maximum 1 vlan voice
switchport port-security mac-address 0200.010x.xxxx vlan voice

This is something we can look at if you want to sponsor the development.

On 12-03-14 1:09 AM, Thomas Tsai wrote:
> I'm currently setting up Packetfence v3.2 in conjunction with a Cisco 6509
> running 12.2(33)SXI7. Two issues so far that I've run into.
>
> 1) Although the v3.2 admin guide (and network config guide) states that the
> correct switchport config on a 6500 should look something like:
>
> switchport access vlan xxx
> switchport mode access
> switchport voice vlan xxx
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0200.0001.0096
> spanning-tree portfast
>
> ... the "switchport port-security maximum 1 vlan access" command is not
> supported on the 6509. In fact, from an open Cisco support case, as well as
> Cisco documentation online, the only time that "vlan access" would work is if
> the switch port is configured as a trunk port. That can easily be done by
> me, however, it seems like there is no other posting that would make me
> believe this would work for packetfence. Any suggestions?
>
> 2) Secondly, when I ignore this issue and simply set the maximum to 1 without
> the "vlan access" line (assuming that, I'll only have a phone connected into
> a switchport), I can connect a computer device and things seem to work
> appropriately, however if I connect a VOIP device, such as a Cisco 7975 IP
> Phone, I get the following error in the packetfence.log:
>
> Mar 13 21:46:52 pfsetvlan(19) WARN: SNMP error tyring to remove or add
> secure rows to ifIndex 96 in port-security table. This could be
> normal. Error message: Received inconsistentValue(12) error-status at
> error-index 1 (pf::SNMP::Cisco::Catalyst_6500::authorizeMAC)
>
> And nothing seems to happen, which makes me think this isn't going to work.
> Looking at past articles, I only see one other instance of this happening to
> a person using a 2960, which needed to just upgrade his IOS version to a
> newer one.
>
> I am totally opened to upgrading to v15 IOS, or another train altogether, as
> long as I know what to upgrade to. Does anyone have any suggestions or any
> experience getting packetfence to work correctly with a Cisco Catalyst 6500
> series switch?
>
> _______________________________________________
> Packetfence-users mailing list
> Packetfence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)