NAME

pf::Switch::Cisco::Catalyst_2960 - Object oriented module to access and configure Cisco Catalyst 2960 switches

STATUS

SUPPORTS

802.1X with or without VoIP

Port-Security with or without VoIP

Link Up / Link Down

Stacked configuration

Firmware version

Recommended firmware is 12.2(58)SE1

The absolute minimum required firmware version is 12.2(25)SEE2.

Port-Security with VoIP works with firmware 12.2(44)SE or greater unless mentioned below. Earlier IOS releases were not explicitly tested.

This module extends pf::Switch::Cisco::Catalyst_2950.

PRODUCT LINES

2960, 2960S, 2960G

With no limitations that we are aware of.

2960 LanLite

The LanLite series doesn't support the fallback VLAN with RADIUS AAA-based approaches (MAC-Auth, 802.1X). This can affect fail-open scenarios.

BUGS AND LIMITATIONS

Port-Security

Status with IOS 15.x

We have seen regressions with the Cisco IOS 15.x series. Little investigation has been performed so far, so consider this series broken for Port-Security based configurations. Users who cannot use another IOS should configure their switch for MAC Authentication instead (called MAC Authentication Bypass or MAB in Cisco's terms), or get in touch with us so we can investigate further.

Problematic firmwares

12.2(50)SE and 12.2(55)SE were reported as malfunctioning for Port-Security operation. Avoid these IOS releases.

12.2(44)SE6 does not send a security violation trap in one specific situation: if a MAC is already authorized on a port/VLAN and the device moves to another port in the same VLAN, no trap is sent. Without the security violation trap PacketFence cannot authorize the new port, leaving the MAC unauthorized. Avoid this IOS.

Delays sending security violation traps

Several IOS are affected by a bug that causes the security violation traps to take a long time before being sent.

In our testing, only the first traps were slow to arrive; the following ones came fast enough for proper operation. So although these IOS releases can appear broken during testing, once installed and active in the field they are OK. Get in touch with us if you can reproduce problematic behavior reliably and we will revisit this recommendation.

Known affected IOS: 12.2(44)SE2, 12.2(44)SE6, 12.2(52)SE, 12.2(53)SE1, 12.2(55)SE3

Known fixed IOS: 12.2(58)SE1

Port-Security with Voice over IP (VoIP)

Security table corruption issues with firmwares 12.2(46)SE or greater and PacketFence before 2.2.1

Several firmware releases have an SNMP security table corruption bug that happens only when VoIP devices are involved.

Although this is a Cisco problem, we developed a workaround in PacketFence 2.2.1 that requires switch configuration changes. Read the UPGRADE guide under 'Upgrading to a version prior to 2.2.1' for more information.

Switches running firmware 12.2(44)SE6 or below should not upgrade their configuration.

Affected firmwares include at least 12.2(46)SE, 12.2(52)SE, 12.2(53)SE1, 12.2(55)SE1, 12.2(55)SE3 and 12.2(58)SE1.

12.2(25r) disappearing config

For some reason, when securing a MAC address the switch loses an important portion of its config. This is a Cisco bug and there is not much we can do about it. Don't use this IOS for VoIP. See issue #1020 for details.

SNMPv3

12.2(52) does not work with SNMPv3.
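As an added example that is not part of the PacketFence module or of this documentation, the following Python check consolidates the firmware guidance from the STATUS and BUGS AND LIMITATIONS sections (minimum version, releases to avoid for Port-Security, slow security violation traps, the VoIP security table corruption list and the SNMPv3 note) so that an administrator can flag a switch's IOS version before deploying. The version strings are parsed in the form used on this page; the IosVersion class, the assess function and its voip/snmp_version parameters are assumptions of this example.

```python
import re
from typing import NamedTuple

# Matches the IOS version format used on this page: 12.2(58)SE1, 12.2(25r), 12.2(52).
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)([A-Z]*)(\d*)$")

class IosVersion(NamedTuple):
    # Field order makes tuple comparison follow major, minor, build, rebuild; trailing strings only break ties.
    major: int
    minor: int
    build: int
    rebuild: int       # 6 in 12.2(44)SE6; 0 when absent
    build_suffix: str  # "r" in 12.2(25r)
    train: str         # "SE", "SEE", or empty

    @classmethod
    def parse(cls, text: str) -> "IosVersion":
        m = _IOS_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised IOS version string: {text!r}")
        major, minor, build, suffix, train, rebuild = m.groups()
        return cls(int(major), int(minor), int(build), int(rebuild or 0), suffix, train)

def _set(*versions: str) -> set:
    return {IosVersion.parse(v) for v in versions}

# Firmware guidance transcribed from this page (hypothetical helper, not PacketFence code).
MINIMUM = IosVersion.parse("12.2(25)SEE2")
AVOID_PORT_SECURITY = _set("12.2(50)SE", "12.2(55)SE", "12.2(44)SE6")
SLOW_VIOLATION_TRAPS = _set("12.2(44)SE2", "12.2(44)SE6", "12.2(52)SE", "12.2(53)SE1", "12.2(55)SE3")
VOIP_TABLE_CORRUPTION = _set("12.2(46)SE", "12.2(52)SE", "12.2(53)SE1", "12.2(55)SE1",
                             "12.2(55)SE3", "12.2(58)SE1")

def assess(version: str, voip: bool = False, snmp_version: int = 2) -> list:
    """Return the problems this page lists for one switch; an empty list means none are known."""
    v = IosVersion.parse(version)
    findings = []
    if v < MINIMUM:
        findings.append("below the minimum required firmware 12.2(25)SEE2")
    if v.major == 15:
        findings.append("IOS 15.x: Port-Security regressions, use MAC Authentication Bypass instead")
    if v in AVOID_PORT_SECURITY:
        findings.append("Port-Security malfunctions on this release")
    if v in SLOW_VIOLATION_TRAPS:
        findings.append("first security violation traps may be slow (fixed in 12.2(58)SE1)")
    if voip and v in VOIP_TABLE_CORRUPTION:
        findings.append("VoIP: SNMP security table corruption, needs the PacketFence 2.2.1 workaround")
    if snmp_version == 3 and (v.major, v.minor, v.build) == (12, 2, 52):
        findings.append("SNMPv3 does not work on 12.2(52)")
    return findings
```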

CONFIGURATION AND ENVIRONMENT

conf/switches.conf

SUBROUTINES

TODO: This list is incomplete

dot1xPortReauthenticate

Points to the pf::Switch implementation, bypassing Catalyst_2950's overridden behavior.

NasPortToIfIndex

Translates a RADIUS NAS-Port into the switch's ifIndex.

getVoipVSA

Gets the Voice over IP RADIUS Vendor Specific Attribute (VSA).

deauthenticateMacRadius

Deauthenticates a wired node using a RADIUS CoA.

radiusDisconnect

Sends a CoA to disconnect a MAC.

wiredeauthTechniques

Returns a reference to the configured deauth technique, or the default deauth technique.

returnRadiusAccessAccept

Prepares the RADIUS Access-Accept response for the network device.

Overrides the default implementation to add the dynamic ACLs.

returnAccessListAttribute

Returns the attribute to use when pushing an ACL using RADIUS.

AUTHOR

Inverse inc. <info@inverse.ca>

COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.