PacketFence - BTS - PacketFence |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000637 | PacketFence | dhcp | public | 2009-03-23 11:10 | 2011-05-04 11:51 |
|
| Reporter | maikel | |
| Assigned To | obilodeau | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | no change required | |
| Platform | | OS | | OS Version | |
| Product Version | 1.8.1 | |
| Target Version | | Fixed in Version | | |
| fixed in git revision | |
| fixed in mtn revision | |
|
| Summary | 0000637: pfdhcplistener: option 82 wrong values |
| Description | With option 82 enabled. the port logged in pf is aways 1 id off:
Mar 23 16:04:54 k2 dhcpd: DHCPACK on 145.107.11.174 to 00:15:c5:14:ee:8d (paulo-0q2iz7fdp) via eth0.14
Mar 23 16:04:54 k2 pf: listen_dhcp(0): modifying node 00:15:c5:14:ee:8d with last_dhcp = 2009-03-23 16:04:54,switch = 00:0a:f4:70:36:80,computername = paullo-0q2iz7fdp,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43,vlan = 14,port = 0/14
sw03-poeldijk.duwo#sh ip dhcp snooping binding
Option 82 on untrusted port is not allowed
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------- ---- --------------------
00:15:C5:14:EE:8D 145.107.11.174 235 dynamic 14 FastEthernet0/15
|
| Steps To Reproduce | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2009-03-23 11:10 | maikel | New Issue | |
| 2009-03-23 19:57 | user4 | Status | new => assigned |
| 2009-03-23 19:57 | user4 | Assigned To | => user4 |
| 2009-03-23 19:58 | user4 | Note Added: 0001167 | |
| 2009-04-13 13:33 | user4 | Category | 1.8.0 => 1.8.3 |
| 2009-06-05 08:55 | user4 | Category | 1.8.3 => 1.8.4 |
| 2009-07-16 17:21 | obilodeau | Category | 1.8.4 => 1.8.5 |
| 2009-10-21 13:02 | obilodeau | Note Added: 0001351 | |
| 2009-10-21 13:02 | obilodeau | Assigned To | user4 => |
| 2009-10-21 13:02 | obilodeau | Category | 1.8.5 => future |
| 2010-09-08 11:40 | obilodeau | Note Added: 0001639 | |
| 2010-09-08 11:40 | obilodeau | Status | assigned => feedback |
| 2010-09-08 11:40 | obilodeau | Category | future => dhcp |
| 2010-09-08 11:40 | obilodeau | Product Version | trunk => 1.8.1 |
| 2010-09-08 11:40 | obilodeau | Summary | pfdhcplistener => pfdhcplistener: option 82 wrong values |
| 2010-09-24 02:59 | mattgriffiths | Note Added: 0001691 | |
| 2010-09-27 12:14 | obilodeau | Note Added: 0001695 | |
| 2010-09-27 12:23 | obilodeau | Note Added: 0001696 | |
| 2010-09-27 12:23 | obilodeau | Status | feedback => resolved |
| 2010-09-27 12:23 | obilodeau | Resolution | open => no change required |
| 2010-09-27 12:23 | obilodeau | Assigned To | => obilodeau |
| 2011-05-04 11:51 | obilodeau | Status | resolved => closed |
|
Notes |
|
|
(0001167)
|
|
user4
|
|
2009-03-23 19:58
|
|
|
Even the fact that port=0/14 is written shouldn't be this way ... the port field should simply contain the ifIndex of the switchport |
|
|
|
|
Hi maikel,
We lost track of the signification of enabling option 82 (dhcpoption82logger=enabled).
Why would someone want that? We experienced a condition where a host in registration would update its node entry to set a wrong vlan with this option turned on.
We are thinking of fixing it or removing it entirely but would like to know to who it is useful and in what context. |
|
|
|
|
Hi maikel,
Is this switch a Cisco 3550? Because these are known to have ifIndex be similar to ports # but off by one or more. |
|
|
|
|
Hi,
I've been developing a use case for Packetfence within a company in a completely passive mode where we're using the dhcp fingerprinting feature to build a database of classified mac addresses for unmanaged (non dot1x) assets. We add a dhcp helper everywhere pointing at pf and publish aspects of the node table into an ldap directory for use by Cisco ACS RADIUS server host lookup requests.
In this context where we're not even telling pf about the network switches it's very useful to have the switch port information in the node table from option 82 when we're in a discovery mode before implementing dot1x on a site. We also have sites with switches that don't support option 82 insertion - to help us know where a mac is coming from I've added a giaddr (router ip) column to the node table and modified pfdhcplistener to insert the giaddr from the dhcp packet.
I've tested option 82 with various Cisco 3560 and 3750 switches and don't have the results to hand but found that the switch port recorded by pf was out by 4 on models with 4 sfp slots and out by 2 on models with 2 sfp slots. The switch info from option 82 in the node table (even with wrong ports) is still useful in my discovery context.
Regards
Matt |
|
|
|
|
I'm glad that we have a trace of why is option 82 useful. Thanks for that! :)
I'm pretty sure that the off by 2, 4 is not something we could easily avoid because we are showing what the switch sent us.
However, the ifIndex could be translated to dot1d port or better to be more meaningful. See 0001054 for an example of what I mean. |
|
|
|
|
I'm closing this.
Re-open if:
- you see reproducible event of 0/<port> being sent instead of ifIndexes
- ifIndex not properly recorded
Don't re-open if:
- you see off-by one reports where the ifIndex and dot1d elements of the switch don't agree (presence of SFP ports or weird switch ifIndex indexing)
In these cases, an updated node lookup with per-switch translation will be implemented in: 0001054 |
|