
NAME

pf::Switch::Cisco::Catalyst_2950 - Object oriented module to access and configure Cisco Catalyst 2950 switches

STATUS

The minimum required firmware version is 12.1(22)EA10.

Supports:

  802.1X with or without VoIP
  Port-Security without VoIP
  MAC notifications with VoIP

Untested:

  RADIUS VoIP authorization (we relied on CDP discovery instead)

This module extends pf::Switch::Cisco.

BUGS AND LIMITATIONS

Problematic firmware versions

We have received reports that 12.1(22)EA13 is buggy: under circumstances we have not pinned down, it does not send port-security traps.

802.1X

802.1X doesn't support Dynamic VLAN Assignment over RADIUS. We had to work around that limitation by setting the VLAN using SNMP instead. We also found that a shut / no-shut on the port is required for the client to properly re-authenticate. This has nasty side-effects when used with VoIP (clients don't re-DHCP automatically).

No MAC-Authentication Bypass support

These switches don't support MAB (what we call MAC-Authentication in PacketFence), which makes their 802.1X support a lot less attractive. In short, it means that devices that don't support 802.1X can't coexist with 802.1X-capable devices under the same port configuration.

https://supportforums.cisco.com/thread/216455

SNMPv3

SNMPv3 support is broken for the link-up / link-down and MAC Notification modes. Cisco didn't implement SNMPv3 context support for this IOS line, and contexts are required to query the MAC address table. See #1284.

VLAN enforcement on trunk ports through SSH

On trunk ports, we need to clear the MAC address table when performing a VLAN change (although this assumption may need to be revisited). Clearing the MAC address table is done over the CLI (Telnet / SSH), and it is currently broken over SSH. Because we don't recommend that users secure trunk ports with NAC, and since Telnet works fine, this is a low-priority issue. See #1371 for more details.

CONFIGURATION AND ENVIRONMENT

conf/switches.conf

SUBROUTINES

Warning: the list of subroutines is incomplete.

clearMacAddressTable

Warning: this method should _never_ be called in a thread. Net::Appliance::Session is not thread safe:

http://www.cpanforum.com/threads/6909/

Warning: this code doesn't support elevating to privileged mode. See #900 and #1370.

ping

Warning: this method should _never_ be called in a thread. Net::Appliance::Session is not thread safe:

http://www.cpanforum.com/threads/6909/

Warning: this code doesn't support elevating to privileged mode. See #900 and #1370.

enablePortSecurityByIfIndex - configure the port with port-security settings

With no VoIP:

  switchport port-security maximum 1 vlan access
  switchport port-security
  switchport port-security violation restrict
  switchport port-security mac-address xxxx.xxxx.xxxx

With VoIP:

  switchport port-security maximum 2
  switchport port-security maximum 1 vlan access
  switchport port-security
  switchport port-security violation restrict
  switchport port-security mac-address xxxx.xxxx.xxxx

disablePortSecurityByIfIndex - remove all the port-security settings on a port

setPortSecurityEnableByIfIndex - enable/disable port-security on a port

setPortSecurityMaxSecureMacAddrByIfIndex

Sets the global (data + voice) maximum number of MAC addresses for port-security on a port

setPortSecurityMaxSecureMacAddrVlanAccessByIfIndex

Wraps around _setPortSecurityMaxSecureMacAddrVlanAccessByIfIndex by spawning a separate process to call it, thus working around bug #1369: thread crash with floating network devices with VoIP over the SSH transport.
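The fork-and-wait pattern behind this wrapper, as an added example that is not the module's own code: the non-thread-safe Net::Appliance::Session work (the warnings on clearMacAddressTable, ping and _setPortSecurityMaxSecureMacAddrVlanByIfIndex) runs in a child process, so a crash there cannot take a worker thread down with it. The `set_max_secure_mac_vlan` body is an assumed stand-in for the real CLI session.

```perl
#!/usr/bin/perl
# Added example (not PacketFence code): run a non-thread-safe CLI call in a
# forked child and report its outcome to the caller.
use strict;
use warnings;
use POSIX ();

# Run $code->(@args) in a child process.
# Returns the child's exit status: 0 on success, 1 when the callback died,
# -1 when the child was killed by a signal.
sub run_in_child {
    my ($code, @args) = @_;
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: any exception from the session library ends here, not in
        # the parent's thread.
        my $ok = eval { $code->(@args); 1 };
        warn "child: $@" unless $ok;
        # _exit skips the parent's destructors and END blocks, which must
        # not run twice (once in the child, once in the parent).
        POSIX::_exit($ok ? 0 : 1);
    }
    waitpid($pid, 0);
    return -1 if $? & 127;    # terminated by a signal
    return $? >> 8;           # normal exit code
}

# Assumed stand-in for the real Net::Appliance::Session work: set the
# data-VLAN port-security maximum on one port (prints instead of logging in).
sub set_max_secure_mac_vlan {
    my ($ifindex, $max) = @_;
    die "refusing a maximum below 1 on ifIndex $ifindex\n" if $max < 1;
    print "ifIndex $ifindex: switchport port-security maximum $max vlan access\n";
    return 1;
}

my $status = run_in_child(\&set_max_secure_mac_vlan, 10001, 1);
print "child exited with status $status\n";   # 0 on success
$status = run_in_child(\&set_max_secure_mac_vlan, 10001, 0);
print "child exited with status $status\n";   # 1, the callback died
```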

_setPortSecurityMaxSecureMacAddrVlanByIfIndex

Sets the maximum number of MAC addresses on the data vlan for port-security on a port

Warning: this method should _never_ be called in a thread. Net::Appliance::Session is not thread safe:

http://www.cpanforum.com/threads/6909/

Warning: this code doesn't support elevating to privileged mode. See #900 and #1370.

setPortSecurityViolationActionByIfIndex

Tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum: shut down the port, send a trap, or only allow traffic from the secured MAC addresses on the port and drop packets from other MAC addresses.
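An added example (not the module's code) that ties the enablePortSecurityByIfIndex command set to the violation actions above: it normalizes a MAC address into Cisco's dotted form, rejects malformed input before it can reach the switch CLI, and emits the interface commands in the documented order for the VoIP and non-VoIP cases. The `violation` parameter and the IOS keywords shutdown / restrict / protect are assumptions beyond what the page lists (the module itself always uses restrict).

```perl
#!/usr/bin/perl
# Added example (not PacketFence code): build the port-security command set
# documented for enablePortSecurityByIfIndex.
use strict;
use warnings;

# IOS violation modes, mapped to the behaviours the page describes.
my %VIOLATION = (
    shutdown => 'shut down the port',
    restrict => 'drop other MACs and send a trap',
    protect  => 'drop other MACs silently',
);

# Accept "aa:bb:cc:dd:ee:ff", "aa-bb-cc-dd-ee-ff" or "aabb.ccdd.eeff" and
# return Cisco's dotted form; die on anything that is not 12 hex digits.
sub to_cisco_mac {
    my ($mac) = @_;
    (my $hex = lc $mac) =~ s/[:.\-]//g;
    die "invalid MAC address: $mac\n" unless $hex =~ /^[0-9a-f]{12}$/;
    return join '.', $hex =~ /(.{4})/g;
}

# Returns the interface-level commands in the order the module documents.
# voip => 1 selects the "maximum 2" (data + voice) variant.
sub port_security_commands {
    my (%arg) = @_;
    my $mac       = to_cisco_mac($arg{mac});
    my $violation = $arg{violation} // 'restrict';
    die "unknown violation action: $violation\n"
        unless exists $VIOLATION{$violation};
    my @cmds;
    push @cmds, 'switchport port-security maximum 2' if $arg{voip};
    push @cmds,
        'switchport port-security maximum 1 vlan access',
        'switchport port-security',
        "switchport port-security violation $violation",
        "switchport port-security mac-address $mac";
    return @cmds;
}

# Constructed sample input: a phone plus a data device on one port.
print "$_\n" for port_security_commands(mac => '00:11:22:AA:BB:CC', voip => 1);
```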

setTaggedVlans

Allows all the tagged VLANs on a multi-VLAN port. Used for floating network devices only.

removeAllTaggedVlans

Removes all the tagged VLANs on a multi-VLAN port. Used for floating network devices only.

enablePortConfigAsTrunk - sets a port as a multi-VLAN port

Overrides the default enablePortConfigAsTrunk to fix a race condition with Cisco switches.

NasPortToIfIndex

Translate RADIUS NAS-Port into switch's ifIndex.

getVoipVSA

Get Voice over IP RADIUS Vendor Specific Attribute (VSA).

dot1xPortReauthenticate

Because of the incomplete 802.1X support of this switch, instead of issuing a re-negotiation here we bounce the port if there's no VoIP device, or set the VLAN and log if there is a VoIP device.

getPhonesLLDPAtIfIndex

Return list of MACs found through LLDP on a given ifIndex.

If this proves to be generic enough, it could be promoted to pf::Switch. In that case, create a generic ifIndexToLldpLocalPort also.

ifIndexToLldpLocalPort

Translate an ifIndex into an LLDP Local Port number.

We use ifDescr to look up the lldpRemLocalPortNum in the lldpLocPortDesc table.

getIfIndexByNasPortId

Fetch the ifIndex on the switch from the NAS-Port-Id RADIUS attribute.

AUTHOR

Inverse inc. <info@inverse.ca>

COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
