pf::Switch::Cisco::Catalyst_2950 - Object oriented module to access and configure Cisco Catalyst 2950 switches
The minimum required firmware version is 12.1(22)EA10.
This module extends pf::Switch::Cisco.
We got reports that 12.1(22)EA13 is buggy: it does not send port-security traps under some circumstances that we have not been able to pin down.
802.1X on this platform doesn't support Dynamic VLAN Assignment over RADIUS. We had to work around that limitation by setting the VLAN using SNMP instead. We also realized that we need to do a shut / no-shut on the port in order for the client to properly re-authenticate. This has nasty side-effects when used with VoIP (the phone and the client behind it don't re-DHCP automatically after the link flap).
These switches don't support MAB (what we call MAC-Authentication in PacketFence), which makes their 802.1X support a lot less attractive. In practice it means that devices that don't support 802.1X can't coexist with 802.1X capable devices under the same port configuration.
https://supportforums.cisco.com/thread/216455
SNMPv3 support is broken for link-up / link-down and MAC Notification modes. Cisco didn't implement SNMPv3 context support for this IOS line and it is required to query the MAC address table. See #1284.
On trunk ports, we need to clear the MAC address table when performing a VLAN change (this assumption might need to be revisited). Clearing MACs is done over the CLI (Telnet / SSH) and is currently broken under SSH. Because we don't recommend securing trunk ports with NAC and since Telnet works fine, this is a low priority issue. See #1371 for more details.
conf/switches.conf
Warning: the list of subroutines below is incomplete.
Warning: this method should _never_ be called in a thread. Net::Appliance::Session is not thread safe:
http://www.cpanforum.com/threads/6909/
Warning: this code doesn't support elevating to privileged mode. See #900 and #1370.
With no VoIP:

    switchport port-security maximum 1 vlan access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address xxxx.xxxx.xxxx

With VoIP:

    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security
    switchport port-security violation restrict
    switchport port-security mac-address xxxx.xxxx.xxxx
Sets the global (data + voice) maximum number of MAC addresses for port-security on a port
Wraps around _setPortSecurityMaxSecureMacAddrVlanAccessByIfIndex by spawning a separate process to call it, thus working around bug #1369: a thread crash with floating network devices with VoIP when using the SSH transport.
Sets the maximum number of MAC addresses on the data vlan for port-security on a port
Warning: this method should _never_ be called in a thread. Net::Appliance::Session is not thread safe:
http://www.cpanforum.com/threads/6909/
Warning: this code doesn't support elevating to privileged mode. See #900 and #1370.
Tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum: shut down the port (IOS violation mode shutdown), send a trap while still dropping the offending frames (restrict), or silently allow traffic only from the secure MAC addresses and drop packets from other MAC addresses (protect).
Allows all the tagged Vlans on a multi-Vlan port. Used for floating network devices only
Removes all the tagged Vlans on a multi-Vlan port. Used for floating network devices only
Overriding default enablePortConfigAsTrunk to fix a race issue with Cisco
Translate RADIUS NAS-Port into switch's ifIndex.
Get Voice over IP RADIUS Vendor Specific Attribute (VSA).
Because of the incomplete 802.1X support of this switch, instead of issuing a re-negotiation here we bounce the port if there's no VoIP device, or set the VLAN and log a message if there is a VoIP device.
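The VLAN-change sequence described above and in the 802.1X paragraph at the top of this page (set the access VLAN over SNMP, then shut / no-shut unless a VoIP device is on the port) as an added illustration. This is not PacketFence's own code: the SNMP agent is replaced by a constructed in-memory stand-in that records every SET, so the example runs offline. The OIDs are the standard IF-MIB ifAdminStatus and CISCO-VLAN-MEMBERSHIP-MIB vmVlan columns; the ifIndex values and VLAN numbers are made up.

```python
"""Added example: VLAN change on a switch without RADIUS dynamic VLAN support.

Sequence: SET vmVlan.<ifIndex> = new VLAN, then (no VoIP only) SET
ifAdminStatus.<ifIndex> = down(2) followed by up(1) so the supplicant
re-authenticates. With a VoIP device the bounce is skipped because the
phone would not re-DHCP after the link flap.
"""
import time

OID_IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # IF-MIB ifAdminStatus: up(1) / down(2)
OID_VM_VLAN = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"  # CISCO-VLAN-MEMBERSHIP-MIB vmVlan
ADMIN_UP, ADMIN_DOWN = 1, 2


class FakeSwitch:
    """Constructed stand-in for the SNMP agent of a switch (not a real client).

    Keeps per-port access VLAN and admin status and records every SET in
    order so the caller's sequencing can be checked.
    """

    def __init__(self, vlans):
        self.vlan = dict(vlans)              # ifIndex -> access VLAN
        self.admin = {i: ADMIN_UP for i in vlans}
        self.ops = []                        # (oid, ifIndex, value) in SET order

    def set(self, oid, if_index, value):
        if if_index not in self.vlan:
            raise KeyError(f"unknown ifIndex {if_index}")
        if oid == OID_VM_VLAN:
            self.vlan[if_index] = value
        elif oid == OID_IF_ADMIN_STATUS:
            if value not in (ADMIN_UP, ADMIN_DOWN):
                raise ValueError(f"bad ifAdminStatus {value}")
            self.admin[if_index] = value
        else:
            raise ValueError(f"unexpected OID {oid}")
        self.ops.append((oid, if_index, value))


def reassign_vlan(switch, if_index, new_vlan, has_voip, settle_seconds=0.0):
    """Move a port to new_vlan and force the client to re-authenticate.

    Returns a dict with the SETs issued ('ops'), whether the port was
    bounced ('bounced') and the VLAN the switch now reports ('vlan').
    """
    first_op = len(switch.ops)
    # 1. VLAN assignment goes over SNMP because RADIUS cannot carry it here.
    switch.set(OID_VM_VLAN, if_index, new_vlan)
    bounced = False
    if has_voip:
        # 2a. VoIP present: changing link state would break the phone, so only
        #     set the VLAN and leave it to the operator/log to notice.
        print(f"ifIndex {if_index}: VLAN set to {new_vlan}, no bounce (VoIP device present)")
    else:
        # 2b. No VoIP: shut / no-shut so the supplicant starts 802.1X again.
        switch.set(OID_IF_ADMIN_STATUS, if_index, ADMIN_DOWN)
        time.sleep(settle_seconds)          # give the link time to really go down
        switch.set(OID_IF_ADMIN_STATUS, if_index, ADMIN_UP)
        bounced = True
    return {"ops": switch.ops[first_op:], "bounced": bounced, "vlan": switch.vlan[if_index]}


if __name__ == "__main__":
    sw = FakeSwitch({10001: 1, 10002: 1})       # constructed ports, both in VLAN 1
    print(reassign_vlan(sw, 10001, 20, has_voip=False))
    print(reassign_vlan(sw, 10002, 30, has_voip=True))
```

The order matters: the VLAN is written before the port is brought down, so the supplicant lands in the new VLAN when the link comes back. The settle delay is there because some IOS versions coalesce a down immediately followed by an up and never actually drop the link.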
Return list of MACs found through LLDP on a given ifIndex.
If this proves to be generic enough, it could be promoted to pf::Switch. In that case, a generic ifIndexToLldpLocalPort should be created as well.
Translate an ifIndex into an LLDP Local Port number.
We use the port's ifDescr to look up its lldpRemLocalPortNum in the lldpLocPortDesc table.
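The two-step lookup described above (ifIndex to ifDescr, ifDescr to the LLDP local port number, then the remote chassis IDs learned on that local port) as an added, self-contained illustration; it is not the module's own code. The OIDs are the standard IF-MIB ifDescr, LLDP-MIB lldpLocPortDesc, lldpRemChassisIdSubtype and lldpRemChassisId columns, and the table contents below are a constructed snapshot of what an SNMP walk would return, not output from a real switch. Whether the remote chassis ID is a MAC is an assumption the code checks explicitly via the subtype column, which is the caveat a practitioner would want when turning LLDP neighbours into MAC addresses.

```python
"""Added example: ifIndex -> LLDP local port -> MACs of LLDP neighbours.

Works on a dict that mimics the result of SNMP walks (full OID -> value);
a real implementation would fill it from an SNMP client.
"""

OID_IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                       # ifDescr.<ifIndex>
OID_LLDP_LOC_PORT_DESC = "1.0.8802.1.1.2.1.3.7.1.4"         # lldpLocPortDesc.<locPortNum>
OID_LLDP_REM_CHASSIS_SUBTYPE = "1.0.8802.1.1.2.1.4.1.1.4"   # .<timeMark>.<locPortNum>.<remIndex>
OID_LLDP_REM_CHASSIS_ID = "1.0.8802.1.1.2.1.4.1.1.5"        # same index as the subtype column
CHASSIS_ID_SUBTYPE_MAC = 4                                  # LldpChassisIdSubtype macAddress(4)

# Constructed walk result (assumed values, not from a real device).
SNMP_WALK = {
    f"{OID_IF_DESCR}.1": "FastEthernet0/1",
    f"{OID_IF_DESCR}.2": "FastEthernet0/2",
    f"{OID_IF_DESCR}.3": "FastEthernet0/3",
    f"{OID_LLDP_LOC_PORT_DESC}.1": "FastEthernet0/1",
    f"{OID_LLDP_LOC_PORT_DESC}.2": "FastEthernet0/2",
    f"{OID_LLDP_LOC_PORT_DESC}.3": "FastEthernet0/3",
    # Fa0/1: one neighbour identified by MAC
    f"{OID_LLDP_REM_CHASSIS_SUBTYPE}.0.1.1": CHASSIS_ID_SUBTYPE_MAC,
    f"{OID_LLDP_REM_CHASSIS_ID}.0.1.1": b"\x00\x1b\x54\xaa\xbb\xcc",
    # Fa0/2: neighbour identified by network address (subtype 7): not a MAC
    f"{OID_LLDP_REM_CHASSIS_SUBTYPE}.0.2.3": 7,
    f"{OID_LLDP_REM_CHASSIS_ID}.0.2.3": b"\x01\x0a\x00\x00\x01",
    # Fa0/3: two MAC neighbours, e.g. a phone and a PC daisy-chained behind it
    f"{OID_LLDP_REM_CHASSIS_SUBTYPE}.0.3.1": CHASSIS_ID_SUBTYPE_MAC,
    f"{OID_LLDP_REM_CHASSIS_ID}.0.3.1": b"\x00\x1b\x54\x00\x00\x01",
    f"{OID_LLDP_REM_CHASSIS_SUBTYPE}.0.3.2": CHASSIS_ID_SUBTYPE_MAC,
    f"{OID_LLDP_REM_CHASSIS_ID}.0.3.2": b"\x00\x1b\x54\x00\x00\x02",
}


def walk(table, base_oid):
    """Return {index_suffix: value} for every entry under base_oid."""
    prefix = base_oid + "."
    return {oid[len(prefix):]: v for oid, v in table.items() if oid.startswith(prefix)}


def if_index_to_lldp_local_port(table, if_index):
    """ifIndex -> lldpLocPortNum by matching ifDescr against lldpLocPortDesc."""
    descr = table.get(f"{OID_IF_DESCR}.{if_index}")
    if descr is None:
        return None
    for port_num, port_descr in walk(table, OID_LLDP_LOC_PORT_DESC).items():
        if port_descr == descr:
            return int(port_num)
    return None


def lldp_macs_on_if_index(table, if_index):
    """MACs of LLDP neighbours seen on ifIndex, sorted; [] when none or unknown."""
    local_port = if_index_to_lldp_local_port(table, if_index)
    if local_port is None:
        return []
    subtypes = walk(table, OID_LLDP_REM_CHASSIS_SUBTYPE)
    macs = []
    for index, chassis_id in walk(table, OID_LLDP_REM_CHASSIS_ID).items():
        # lldpRemTable index is lldpRemTimeMark.lldpRemLocalPortNum.lldpRemIndex
        _time_mark, port_num, _rem_index = (int(p) for p in index.split("."))
        if port_num != local_port:
            continue
        # Only a chassis ID of subtype macAddress(4) is a MAC; skip the rest.
        if subtypes.get(index) != CHASSIS_ID_SUBTYPE_MAC or len(chassis_id) != 6:
            continue
        macs.append(":".join(f"{b:02x}" for b in chassis_id))
    return sorted(macs)


if __name__ == "__main__":
    for if_index in (1, 2, 3, 99):
        print(if_index, if_index_to_lldp_local_port(SNMP_WALK, if_index),
              lldp_macs_on_if_index(SNMP_WALK, if_index))
```

Matching on ifDescr rather than assuming lldpLocPortNum equals ifIndex is what makes the lookup survive platforms where the two numbering spaces differ; the subtype check is what keeps a neighbour that advertises an IP address or an interface name as its chassis ID from being turned into a bogus "MAC".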
Fetch the ifIndex on the switch from the NAS-Port-Id RADIUS attribute.
Inverse inc. <info@inverse.ca>
Copyright (C) 2005-2015 Inverse inc.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.