pf::Switch::Cisco::Catalyst_2960 - Object oriented module to access and configure Cisco Catalyst 2960 switches
Recommended firmware is 12.2(58)SE1
The absolute minimum required firmware version is 12.2(25)SEE2.
Port-security + VoIP mode works with firmware 12.2(44)SE or greater unless mentioned below. Earlier IOS were not explicitly tested.
This module extends pf::Switch::Cisco::Catalyst_2950.
With no limitations that we are aware of.
The LanLite series doesn't support the fallback VLAN on RADIUS AAA based approaches (MAC-Auth, 802.1X). This can affect fail-open scenarios.
We have encountered regressions with the Cisco IOS 15.x series. Little investigation has been performed so far, but for now consider this series broken with a Port-Security based configuration. We currently recommend that users who cannot use another IOS configure their switch to do MAC Authentication instead (called MAC Authentication Bypass or MAB in Cisco's terms), or get in touch with us so we can investigate further.
12.2(50)SE and 12.2(55)SE were reported as malfunctioning for Port-Security operation. Avoid these IOS.
12.2(44)SE6 does not send security violation traps in one specific situation: if a given MAC is authorized on a port/VLAN and the device moves to another port that has the same VLAN as the one where the MAC was first authorized, no trap is sent. Without a security violation trap PacketFence can't authorize the port, leaving the MAC unauthorized. Avoid this IOS.
Several IOS are affected by a bug that causes the security violation traps to take a long time before being sent.
In our testing, only the first traps were slow to come; the following ones were fast enough for proper operation. So although these IOS can feel broken in testing, once installed and active in the field they are OK. Get in touch with us if you can reliably reproduce a problematic behavior and we will revisit our suggestion.
Known affected IOS: 12.2(44)SE2, 12.2(44)SE6, 12.2(52)SE, 12.2(53)SE1, 12.2(55)SE3
Known fixed IOS: 12.2(58)SE1
Several firmware releases have an SNMP security table corruption bug that happens only when VoIP devices are involved.
Although this is a Cisco problem, we developed a workaround in PacketFence 2.2.1 that requires switch configuration changes. Read the UPGRADE guide under 'Upgrading to a version prior to 2.2.1' for more information.
Switches running firmware 12.2(44)SE6 or below should not upgrade their configuration.
Affected firmware includes at least 12.2(46)SE, 12.2(52)SE, 12.2(53)SE1, 12.2(55)SE1, 12.2(55)SE3 and 12.2(58)SE1.
For some reason, when securing a MAC address, the switch loses an important portion of its config. This is a Cisco bug and there is not much we can do about it. Don't use this IOS for VoIP. See issue #1020 for details.
12.2(52) doesn't work in SNMPv3
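The firmware notes above can be applied to a switch inventory with a small check like the following, which is an added example and not part of PacketFence or this module. The function names and the ordering rule (numeric release compared first, rebuild number compared only within the same train) are assumptions of this example; matches against the known-issue lists are exact string matches only.

```python
import re
# Firmware lists transcribed from the notes above; labels are this example's wording.
MINIMUM = "12.2(25)SEE2"
VOIP_PORTSEC_FROM = "12.2(44)SE"
KNOWN_ISSUES = {
    "Port-Security reported as malfunctioning": {"12.2(50)SE", "12.2(55)SE"},
    "no violation trap when a MAC moves to a port in the same VLAN": {"12.2(44)SE6"},
    "first security violation traps are slow": {"12.2(44)SE2", "12.2(44)SE6",
        "12.2(52)SE", "12.2(53)SE1", "12.2(55)SE3"},
    "SNMP security table corruption with VoIP devices": {"12.2(46)SE", "12.2(52)SE",
        "12.2(53)SE1", "12.2(55)SE1", "12.2(55)SE3", "12.2(58)SE1"},
}
IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)[a-z]?$")

def parse_ios(version):
    """Split '12.2(44)SE6' into ((12, 2, 44), 'SE', 6)."""
    m = IOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    return tuple(int(g) for g in m.groups()[:3]), m[4], int(m[5] or 0)

def at_least(version, floor):
    """True/False, or None when the trains differ (assumed not orderable)."""
    num, train, rebuild = parse_ios(version)
    floor_num, floor_train, floor_rebuild = parse_ios(floor)
    if num != floor_num:
        return num > floor_num
    if train != floor_train:
        return None
    return rebuild >= floor_rebuild

def assess(version):
    """Return the notes from this page that apply to one IOS version string."""
    findings = []
    if parse_ios(version)[0][0] >= 15:
        findings.append("IOS 15.x: treat Port-Security as broken, use MAB instead")
    meets_minimum = at_least(version, MINIMUM)
    if meets_minimum is None:
        findings.append(f"same release as minimum {MINIMUM}, other train: check by hand")
    elif not meets_minimum:
        findings.append(f"below absolute minimum {MINIMUM}")
    if at_least(version, VOIP_PORTSEC_FROM) is False:
        findings.append(f"older than {VOIP_PORTSEC_FROM}: Port-security + VoIP not tested")
    findings += [label for label, hit in KNOWN_ISSUES.items() if version.strip() in hit]
    return findings

if __name__ == "__main__":
    for v in ("12.2(58)SE1", "12.2(44)SE6", "15.0(2)SE"):  # constructed inventory
        print(v, assess(v))
```

An empty list means none of the listed notes matched; it does not mean the release was tested.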
conf/switches.conf
TODO: This list is incomplete
Points to pf::Switch implementation bypassing Catalyst_2950's overridden behavior.
Translate RADIUS NAS-Port into switch's ifIndex.
Get Voice over IP RADIUS Vendor Specific Attribute (VSA).
Method to deauth a wired node with CoA.
Send a CoA to disconnect a MAC.
Return the reference to the deauth technique or the default deauth technique.
Prepares the RADIUS Access-Accept response for the network device.
Overrides the default implementation to add the dynamic ACLs.
Returns the attribute to use when pushing an ACL using RADIUS
Inverse inc. <info@inverse.ca>
Copyright (C) 2005-2015 Inverse inc.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.