VLAN

Overview

The VLAN isolation is based on SNMP traps. On the PacketFence host, the snmptrapd daemon receives the traps sent by your switches, formats them and writes them into a flat file (/usr/local/pf/logs/snmptrapd.log). The multithreaded pfsetvlan daemon reads the formatted traps from that file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for another vendor's switches means extending the pf::SNMP class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

Linkup/Linkdown traps

This is the most basic setup. When a host connects to a switch port, PacketFence receives a 'link up' trap. Since it takes some time for a switch to learn the MAC address of a newly connected computer, the switch port is immediately placed in the MAC detection VLAN. pfsetvlan then sends SNMP queries to the switch until the switch has learned a MAC on that port, checks the status of that MAC in the PacketFence database and sets the switch port VLAN accordingly. If, on the other hand, PacketFence receives a 'link down' trap, it knows that a computer has been disconnected and resets the switch port VLAN to the 'MAC detection' VLAN.

MAC notification traps

If your switches support MAC notification traps (MAC learned, MAC removed), we suggest that you enable them in addition to the linkup/linkdown traps. That way, after a link up trap, pfsetvlan does not need to query the switch repeatedly until the MAC has finally been learned; it can simply wait for the MAC learned trap to arrive.

Port security traps

If your switches can pin specific MAC addresses to ports and send security violation traps when a different MAC appears, you should activate this feature. In that case pfsetvlan no longer needs to receive linkup and linkdown traps at all.


Basic Configuration

First you need to tell snmptrapd how to format SNMP traps so that pfsetvlan can interpret them. Therefore snmptrapd has to be started with the following options

-n -Lf /usr/local/pf/logs/snmptrapd.log
-p /var/run/snmptrapd.pid -On
-F '%V|%#04.4y-%#02.2m-%02.2l|%#02.2h:%#02.2j:%#02.2k|%b|%a|\
BEGIN TYPE %w END TYPE \
BEGIN SUBTYPE %q END SUBTYPE \
BEGIN VARIABLEBINDINGS %v END VARIABLEBINDINGS\n'

The PacketFence configuration files are saved in /usr/local/pf/conf.

log.conf contains the configuration for Log::Log4Perl and you normally don't need to modify it.

pfsetvlan.pm contains several function definitions used by the pfsetvlan daemon. For example, custom_getCorrectVlan lets you define what you consider to be the correct VLAN for a given switch port. If all your VLANs span the whole network, you can probably keep the default definition, which takes the VLAN saved in the node table as the correct VLAN for a given MAC. If, on the other hand, you have, say, administrative and academic VLANs whose numbers change with physical location (switch, building, campus), you need to put more effort into this function so that a given computer is put into VLAN A when connected to one switch and into VLAN B when connected to another.

Finally switches.conf contains:

  • a [default] section including:
    • the global database connection parameters
    • the global list of VLANs PacketFence manages
    • the default switches access parameters (SNMP read/write communities)
    • the default working mode:
      • in testing mode, pfsetvlan shows in the log files what it would normally be doing, but it doesn't execute the SNMP writes to change the VLAN.
      • in registration mode, pfsetvlan will auto-register all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
      • in production mode, pfsetvlan will send the SNMP writes to change the VLAN on the switch ports.
  • a [switch] section for each switch managed by PF:
    • its IP address
    • its vendor and type (so that the correct subclasses of pf::SNMP are instantiated)
    • its uplink ports
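
As an added illustration (not PacketFence's own code), the following Python script parses trap lines laid out by the snmptrapd -F format string shown above and applies the decision described in the Overview: a linkUp trap puts the port into the MAC detection VLAN and starts polling for a learned MAC, a linkDown trap resets the port to the MAC detection VLAN, and only production mode actually performs the SNMP write while testing and registration modes only log it. The sample trap lines, the MAC detection VLAN number 4 and the helper names are constructed for this example; the leading %V| in the format string is taken to select | as the separator between variable bindings, which is why the VARIABLEBINDINGS section is split on that character.

```python
import re
from dataclasses import dataclass, field

# Generic SNMPv1 trap types, as written by %w in the snmptrapd format string.
GENERIC_TRAP = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}

# ifIndex column of IF-MIB::ifTable; linkUp/linkDown traps carry it as a varbind.
IFINDEX_PREFIX = ".1.3.6.1.2.1.2.2.1.1."

# Constructed value: the real number comes from the VLAN list in switches.conf.
MAC_DETECTION_VLAN = 4

WORKING_MODES = ("testing", "registration", "production")


@dataclass
class Trap:
    date: str
    time: str
    pdu_source: str        # %b
    agent: str             # %a
    generic_type: int      # %w
    specific_type: int     # %q
    varbinds: dict = field(default_factory=dict)

    @property
    def name(self):
        return GENERIC_TRAP.get(self.generic_type, "unknown")

    @property
    def if_index(self):
        """ifIndex of the port the trap refers to, or None if no such varbind."""
        for oid, value in self.varbinds.items():
            if oid.startswith(IFINDEX_PREFIX):
                return int(value.split(":")[-1])   # "INTEGER: 10001" -> 10001
        return None


# One line as produced by: -F '%V|%#04.4y-%#02.2m-%02.2l|%#02.2h:%#02.2j:%#02.2k|%b|%a|...'
LINE_RE = re.compile(
    r"^(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<src>[^|]+)\|(?P<agent>[^|]+)\|"
    r"BEGIN TYPE (?P<type>\d+) END TYPE "
    r"BEGIN SUBTYPE (?P<subtype>\d+) END SUBTYPE "
    r"BEGIN VARIABLEBINDINGS (?P<vb>.*) END VARIABLEBINDINGS$"
)


def parse_trap_line(line):
    """Parse one formatted snmptrapd log line into a Trap."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the snmptrapd -F layout: %r" % line)
    varbinds = {}
    for vb in m.group("vb").split("|"):      # %V| made '|' the varbind separator
        vb = vb.strip()
        if not vb:
            continue
        oid, _, value = vb.partition(" = ")
        varbinds[oid.strip()] = value.strip()
    return Trap(m.group("date"), m.group("time"), m.group("src"), m.group("agent"),
                int(m.group("type")), int(m.group("subtype")), varbinds)


def plan_action(trap, mode):
    """Return (description, performs_snmp_write) for a trap under a working mode."""
    if mode not in WORKING_MODES:
        raise ValueError("unknown working mode: %r" % mode)
    if trap.name == "linkUp" and trap.if_index is not None:
        action = ("set port %d to MAC detection VLAN %d, then poll until a MAC is learned"
                  % (trap.if_index, MAC_DETECTION_VLAN))
    elif trap.name == "linkDown" and trap.if_index is not None:
        action = "reset port %d to MAC detection VLAN %d" % (trap.if_index, MAC_DETECTION_VLAN)
    else:
        return ("ignore %s trap" % trap.name, False)
    # testing and registration modes only log what would happen; production writes.
    return (action, mode == "production")


# Constructed sample lines in the layout the format string produces.
SAMPLE_LINKUP = (
    "2024-03-01|10:15:22|UDP: [192.0.2.10]->[192.0.2.1]:162|192.0.2.10|"
    "BEGIN TYPE 3 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS "
    ".1.3.6.1.2.1.2.2.1.1.10001 = INTEGER: 10001|"
    ".1.3.6.1.2.1.2.2.1.7.10001 = INTEGER: up(1)|"
    ".1.3.6.1.2.1.2.2.1.8.10001 = INTEGER: up(1) END VARIABLEBINDINGS"
)
SAMPLE_LINKDOWN = SAMPLE_LINKUP.replace("BEGIN TYPE 3", "BEGIN TYPE 2").replace("up(1)", "down(2)")
SAMPLE_COLDSTART = (
    "2024-03-01|10:14:00|UDP: [192.0.2.10]->[192.0.2.1]:162|192.0.2.10|"
    "BEGIN TYPE 0 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS  END VARIABLEBINDINGS"
)

if __name__ == "__main__":
    for mode in WORKING_MODES:
        for line in (SAMPLE_LINKUP, SAMPLE_LINKDOWN, SAMPLE_COLDSTART):
            trap = parse_trap_line(line)
            print(mode, trap.name, plan_action(trap, mode))
```

Running the script prints, for each working mode, what pfsetvlan would do with a link up, a link down and a cold start trap; only the production rows report an SNMP write. A trap that carries no ifIndex varbind is ignored rather than acted on, since there is no port to change.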

Once you have modified switches.conf for your network, you can execute some first tests (only SNMP reads) using the supplied test/connect_and_read.pl script.

The next step is to create the new MAC detection and registration VLANs on all switches which are managed by PacketFence.

Configuration without VoIP

You need to configure your switches to send link up and link down traps to the PacketFence host.

On Cisco Catalyst 2900XL switches for example, this can be done with the following commands

snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host <pf_ip> trap version 1 <community>  snmp

If your switch supports port-security traps, packetfence-vlan can handle those too; you can, for example, configure a Cisco Catalyst 2960 switch with the following commands

snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host <PF_IP> version 1 <community> port-security snmp

In addition, you need to configure every switch port on which you want to activate the port-security feature with

switchport port-security
switchport port-security violation restrict

Configuration with VoIP

In this case, you most probably have computers behind VoIP telephones. Therefore the link up and link down traps alone are not sufficient to determine when a computer is connected or disconnected. You'll need to activate the MAC notification traps for this.

This can be done on Cisco switches at the switch level with the following commands

snmp-server enable traps mac-notification
snmp-server host <PF_IP> version 1 <community> mac-notification
mac-address-table notification interval 0
mac-address-table notification

In addition, you need to activate this feature on every switch port with

snmp trap mac-notification added
snmp trap mac-notification removed

Don't forget that if you have activated port-security on one of these ports, you have to allow two MACs instead of only one.