NeDi Community

NeDi Software Specific => Discovery => Topic started by: ruehlb on July 10, 2012, 07:39:58 PM

Title: Node discovery issues with static MAC address-table entries
Post by: ruehlb on July 10, 2012, 07:39:58 PM
This issue appeared once we started to deploy access points and we decided to put port security on our Cisco 3750 switches. We have been using the nodes table to track which switch and port each access point is connected to. When port security is enabled it changes the arp entry from dynamic to static. By default Nedi is set to run the command 'show mac address-table dynamic', this will then exclude any port that has port security enabled.  I found that changing the command to just 'show mac address-table' will not work because of all the extra addresses that show up and it brings the discovery process to a crawl. Through trial and error, I believe that I have found a solution that will work.

On Nedi 1.0.7 in file <nedi_dir>/inc/libcli-iopty.pm

line 174
old = $cmd{'IOS'}{'dfwd'} = 'show mac address-table dynamic';
new = $cmd{'IOS'}{'dfwd'} = 'sh mac address-table | inc ....\.....\.....';
**This allows Nedi to see all mac addresses but shows only the lines that actually include an address

line 613
old = if ($l =~ /\s+(dynamic|forward|secure(dynamic|sticky))\s+/i){
new = if ($l =~ /\s+(dynamic|static|forward|secure(dynamic|sticky))\s+/i){
**static needed to be added so it didn't purge those lines from the mac table.

I have run several discoveries, both manual and scheduled, and it has cleared up several issues. Discovery times are about the same as they were before and I have not found any negative side effects to making these changes.

If anyone sees any errors in my logic, please let me know so corrections can be made and hopefully others will find this to be beneficial.
Title: Re: Node discovery issues with static MAC address-table entries
Post by: raider82 on July 11, 2012, 04:18:37 PM
You need to enable port-security in NeDi as well.
nedi.conf:
#============================================================================
# Nodes Related
#============================================================================

# Read MAC address tables from switches:
# dyn  = Dynamic forwarding on supported devices
# sec  = Read Port Security entries in addition
# snmp = Use SNMP only (will be used as fallback as well)
getfwd          sec

-> change from
getfwd          dyn
to
getfwd          sec

This should solve your issues.
Title: Re: Node discovery issues with static MAC address-table entries
Post by: ntmark on July 23, 2012, 11:22:37 PM
arh mah god.
Thanks Raider for pointing out port-security option.
I'd completely missed that and been running nedi for almost 2 years...... le sigh.

maybe this will fix a few other issues I haven't got around to fixing....
Title: Re: Node discovery issues with static MAC address-table entries
Post by: pc_sg on July 24, 2012, 02:58:35 PM
I don't know why, but I've tried to use
getfwd          sec
instead of
getfwd          dyn
(because description says "sec  = Read Port Security entries in addition" so I deduced that also dynamic forwarding is done), but I've missed updates on nodes status (i.e. node last time view remained frozen in the past).

Is it my mistake?

Title: Re: Node discovery issues with static MAC address-table entries
Post by: raider82 on August 27, 2012, 04:25:58 PM
but I've missed updates on nodes status (i.e. node last time view remained frozen in the past).
Best thing is to run ./nedi.pl -v -t <IP of device> -B -U nedi.conf > logfile

In logfile, you can check what happened.

It could happen that NeDi was not able to login, because a user was changed, Tacacs was down, somebody used "#" in the banner, etc. Hard to say without debugging it.
Title: Re: Node discovery issues with static MAC address-table entries
Post by: pc_sg on August 28, 2012, 12:16:05 PM
Hi Raider82!

NeDi seems always able to login, usernames are not changed, we don't use TACACS, all banners are similar if not identical, because I'm the master administrator of switches.

Anyway, currently it is not a real problem, I'll continue using "dyn".

I'll check this again when 1.0.8 becomes available.

Thanks!
Title: Re: Node discovery issues with static MAC address-table entries
Post by: colejv on October 08, 2012, 05:23:01 PM
I've made basically the same changes as well, due to dot1x authenticated hosts being static in the mac address-table on most of my switches (3750's,3500's,6500's(4500's seem to be the exception))

$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router';

if ($l =~ /\s+(dynamic|static|forward|secure(dynamic|sticky))\s+/i){

Title: Re: Node discovery issues with static MAC address-table entries
Post by: rickli on October 11, 2012, 11:38:50 PM
Thanks to all of you! Now which solution should I include? What is in those many lines we'd like to avoid?
Title: Re: Node discovery issues with static MAC address-table entries
Post by: colejv on October 12, 2012, 07:07:00 PM
I was just avoiding things like the following entries (which are identical mac address entries for every vlan on every 6500 series switch I have)

*  669  3333.0000.0001    static  Yes          -   Switch
*  668  3333.0000.0001    static  Yes          -   Switch
*  667  3333.0000.0001    static  Yes          -   Switch

The earlier suggested cmd/pattern does eliminate multiline entries like (but so does the later match on "static") 

*  401  3333.0000.000d    static  Yes          -   Gi1/3,Gi1/4,Gi1/6,Gi1/7
                                                   Gi1/9,Gi1/10,Gi1/12,Gi1/15
                                                   Gi1/16,Gi2/1,Gi2/2,Gi2/3

Title: Re: Node discovery issues with static MAC address-table entries
Post by: rickli on October 12, 2012, 10:12:39 PM
I like anything that avoids unnecessary data being transmitted (especially in large amounts). So I'll modify this behavior for IOS (leave IOS-old as is for an alternative). This way the getfwd does not need to be changed anymore and even may disappear from the config...

I'm wondering about the entry I have for Netgear, though. It seems to have the appropriate commands in there, but is not reading any address lines. Is anybody using those things?  :)
Title: Re: Node discovery issues with static MAC address-table entries
Post by: colejv on October 15, 2012, 05:15:52 PM
In the spirit of transmitting less how about

"show mac address-table | e CPU|Switch|Router|/.*,"

Title: Re: Node discovery issues with static MAC address-table entries
Post by: rickli on October 15, 2012, 07:11:24 PM
I assume this is for those multiline entries? What are they anyway?
Title: Re: Node discovery issues with static MAC address-table entries
Post by: colejv on October 16, 2012, 02:25:15 PM
IPv6's all-nodes multicast, 1 entry for every vlan with all active interfaces listed
Title: Re: Node discovery issues with static MAC address-table entries
Post by: rickli on October 17, 2012, 09:04:23 PM
ugh, ok added tx!
Title: Re: Node discovery issues with static MAC address-table entries
Post by: colejv on November 15, 2012, 10:24:17 PM
You missed the trailing comma (in 1.08 309), which causes it not to work at all

Code:
$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router|/.*';                              # tx colejv

Should be

Code:
$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router|/.*,';                              # tx colejv
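To make the effect of these filters visible, here is an added Python example (not NeDi's Perl and not code from this thread) that emulates the IOS `| exclude` stage and the patched NeDi type match over a constructed `show mac address-table` sample modelled on the lines quoted above. Running it with `/.*` versus `/.*,` shows why the trailing comma matters: without it every port name containing `/` is dropped and no nodes are discovered.

```python
import re

# Constructed sample of Cisco IOS "show mac address-table" output, modelled on the
# lines quoted in this thread: a CPU entry, the per-VLAN 3333.0000.0001 "Switch"
# entry, a multi-port IPv6 all-nodes entry with its continuation line, plus one
# dynamic host and one port-security host (shown as static, as the thread notes).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
*  669  3333.0000.0001    static  Yes          -   Switch
*  401  3333.0000.000d    static  Yes          -   Gi1/3,Gi1/4,Gi1/6,Gi1/7
                                                   Gi1/9,Gi1/10,Gi1/12,Gi1/15
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  20    0011.2233.6677    STATIC      Gi1/0/2
Total Mac Addresses for this criterion: 5
"""

# The patched NeDi line match from this thread ("static" added), as a Python regex.
TYPE_RE = re.compile(r"\s+(dynamic|static|forward|secure(dynamic|sticky))\s+", re.I)
MAC_RE = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def ios_exclude(output, pattern):
    """Emulate IOS '| exclude <regex>': drop every line the pattern matches."""
    if pattern is None:
        return output.splitlines()
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if not rx.search(line)]


def discovered_macs(output, exclude_pattern=None):
    """MACs NeDi would turn into nodes: IOS-side exclude, then NeDi's type match."""
    macs = []
    for line in ios_exclude(output, exclude_pattern):
        if TYPE_RE.search(line):
            m = MAC_RE.search(line)
            if m:
                macs.append(m.group(1))
    return macs


if __name__ == "__main__":
    for pat in (None, "CPU|Switch|Router|/.*", "CPU|Switch|Router|/.*,"):
        print(repr(pat), "->", discovered_macs(SAMPLE_MAC_TABLE, pat))
```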
Title: Re: Node discovery issues with static MAC address-table entries
Post by: rickli on November 15, 2012, 10:30:59 PM
Bummer, added tx!
Title: Re: Node discovery issues with static MAC address-table entries
Post by: ntmark on December 10, 2012, 10:08:11 PM
You missed the trailing comma (in 1.08 309), which causes it not to work at all

Code:
$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router|/.*';                              # tx colejv

Should be

Code:
$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router|/.*,';                              # tx colejv

Ha, thanks for this, I was wondering why mine wasn't finding nodes. They are being excluded because all ports match /.*
Going to update with that comma and run again. :)

Mark.