
Author Topic: Node discovery issues with static MAC address-table entries  (Read 9591 times)

ruehlb

  • Newbie
  • *
  • Posts: 16
This issue appeared once we started to deploy access points and we decided to put port security on our Cisco 3750 switches. We have been using the nodes table to track which switch and port each access point is connected to. When port security is enabled it changes the arp entry from dynamic to static. By default Nedi is set to run the command 'show mac address-table dynamic', this will then exclude any port that has port security enabled.  I found that changing the command to just 'show mac address-table' will not work because of all the extra addresses that show up and it brings the discovery process to a crawl. Through trial and error, I believe that I have found a solution that will work.

On Nedi 1.0.7 in file <nedi_dir>/inc/libcli-iopty.pm

line 174
old = $cmd{'IOS'}{'dfwd'} = 'show mac address-table dynamic';
new = $cmd{'IOS'}{'dfwd'} = 'sh mac address-table | inc ....\.....\.....';
**This allows Nedi to see all mac addresses but shows only the lines that actually include an address

line 613
old = if ($l =~ /\s+(dynamic|forward|secure(dynamic|sticky))\s+/i){
new = if ($l =~ /\s+(dynamic|static|forward|secure(dynamic|sticky))\s+/i){
**static needed to be added so it didn't purge those lines from the mac table.

I have run several discoveries, both manual and scheduled, and it has cleared up several issues. Discovery times are about the same as they were before and I have not found any negative side effects to making these changes.

If anyone sees any errors in my logic, please let me know so corrections can be made and hopefully others will find this to be beneficial.

raider82

  • Jr. Member
  • **
  • Posts: 91
Re: Node discovery issues with static MAC address-table entries
« Reply #1 on: July 11, 2012, 04:18:37 PM »
You need to enable port-security in NeDi as well.
nedi.conf:
#============================================================================
# Nodes Related
#============================================================================

# Read MAC address tables from switches:
# dyn  = Dynamic forwarding on supported devices
# sec  = Read Port Security entries in addition
# snmp = Use SNMP only (will be used as fallback as well)
getfwd          sec

-> change from
getfwd          dyn
to
getfwd          sec

This should solve your issues.

ntmark

  • Full Member
  • ***
  • Posts: 136
Re: Node discovery issues with static MAC address-table entries
« Reply #2 on: July 23, 2012, 11:22:37 PM »
arh mah god.
Thanks Raider for pointing out the port-security option.
I'd completely missed that and been running nedi for almost 2 years...... le sigh.

maybe this will fix a few other issues I haven't got around to fixing....

pc_sg

  • Sr. Member
  • ****
  • Posts: 271
Re: Node discovery issues with static MAC address-table entries
« Reply #3 on: July 24, 2012, 02:58:35 PM »
I don't know why, but I've tried to use
getfwd          sec
instead of
getfwd          dyn
(because the description says "sec  = Read Port Security entries in addition" so I deduced that dynamic forwarding is also done), but I've missed updates on node status (i.e. the node's last seen time remained frozen in the past).

Is it my mistake?


raider82

  • Jr. Member
  • **
  • Posts: 91
Re: Node discovery issues with static MAC address-table entries
« Reply #4 on: August 27, 2012, 04:25:58 PM »
but I've missed updates on nodes status (i.e. node last time view remained freezed in the past).
Best thing is to run ./nedi.pl -v -t <IP of device> -B -U nedi.conf > logfile

In logfile, you can check what happened.

It could happen that NeDi was not able to login, because a user was changed, Tacacs was down, somebody used "#" in the banner, etc. Hard to say without debugging it.

pc_sg

  • Sr. Member
  • ****
  • Posts: 271
Re: Node discovery issues with static MAC address-table entries
« Reply #5 on: August 28, 2012, 12:16:05 PM »
Hi Raider82!

NeDi always seems able to login, usernames are not changed, we don't use TACACS, and all banners are similar if not identical, because I'm the master administrator of the switches.

Anyway, currently it is not a real problem, I'll continue using "dyn".

I'll check this again when 1.0.8 becomes available.

Thanks!

colejv

  • Guest
Re: Node discovery issues with static MAC address-table entries
« Reply #6 on: October 08, 2012, 05:23:01 PM »
I've made basically the same changes as well, due to dot1x authenticated hosts being static in the mac address-table on most of my switches (3750s, 3500s, 6500s; 4500s seem to be the exception)

$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router';

if ($l =~ /\s+(dynamic|static|forward|secure(dynamic|sticky))\s+/i){


rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2712
Re: Node discovery issues with static MAC address-table entries
« Reply #7 on: October 11, 2012, 11:38:50 PM »
Thanks to all of you! Now which solution should I include? What is in those many lines we'd like to avoid?
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

colejv

  • Guest
Re: Node discovery issues with static MAC address-table entries
« Reply #8 on: October 12, 2012, 07:07:00 PM »
I was just avoiding things like the following entries (which are identical mac address entries for every vlan on every 6500 series switch I have)

*  669  3333.0000.0001    static  Yes          -   Switch
*  668  3333.0000.0001    static  Yes          -   Switch
*  667  3333.0000.0001    static  Yes          -   Switch

The earlier suggested cmd/pattern does eliminate multiline entries like (but so does the later match on "static") 

*  401  3333.0000.000d    static  Yes          -   Gi1/3,Gi1/4,Gi1/6,Gi1/7
                                                   Gi1/9,Gi1/10,Gi1/12,Gi1/15
                                                   Gi1/16,Gi2/1,Gi2/2,Gi2/3

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2712
Re: Node discovery issues with static MAC address-table entries
« Reply #9 on: October 12, 2012, 10:12:39 PM »
I like anything that avoids unnecessary data being transmitted (especially in large amounts). So I'll modify this behavior for IOS (leave IOS-old as is for an alternative). This way getfwd does not need to be changed anymore and may even disappear from the config...

I'm wondering about the entry I have for Netgear, though. It seems to have the appropriate commands in there, but is not reading any address lines. Is anybody using those things?  :)
« Last Edit: October 12, 2012, 11:21:21 PM by rickli »

colejv

  • Guest
Re: Node discovery issues with static MAC address-table entries
« Reply #10 on: October 15, 2012, 05:15:52 PM »
In the spirit of transmitting less how about

"show mac address-table | e CPU|Switch|Router|/.*,"


rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2712
Re: Node discovery issues with static MAC address-table entries
« Reply #11 on: October 15, 2012, 07:11:24 PM »
I assume this is for those multiline entries? What are they anyway?

colejv

  • Guest
Re: Node discovery issues with static MAC address-table entries
« Reply #12 on: October 16, 2012, 02:25:15 PM »
IPv6's all-nodes multicast, 1 entry for every vlan with all active interfaces listed

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2712
Re: Node discovery issues with static MAC address-table entries
« Reply #13 on: October 17, 2012, 09:04:23 PM »
ugh, ok added tx!

colejv

  • Guest
Re: Node discovery issues with static MAC address-table entries
« Reply #14 on: November 15, 2012, 10:24:17 PM »
You missed the trailing comma (in 1.08 309), which causes it not to work at all

$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router|/.*';                              # tx colejv


Should be

$cmd{'IOS'}{'dfwd'} = 'show mac address-table | e CPU|Switch|Router|/.*,';                              # tx colejv
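The filters argued over in this thread, replayed on a constructed `show mac address-table` capture, as an added example that is not NeDi's own code: the original post's `inc ....\.....\.....` filter and the `static` addition to the line match, colejv's `e CPU|Switch|Router|/.*,` exclude from replies #8 and #10, and the trailing-comma typo from reply #14. The sample table, MACs and port names are made up and deliberately mix the 3750-style and 6500-style layouts quoted above; `ios_include`, `ios_exclude` and `nedi_match` are small stand-ins for the switch's `include`/`exclude` output filters and for NeDi's per-line test in libcli-iopty.pm.

```perl
#!/usr/bin/perl
# Added example, not NeDi's own code: replays the filtering stages discussed in this
# thread on a constructed 'show mac address-table' capture. The sample mixes the
# 3750-style and 6500-style layouts quoted above; MACs and port names are made up.
use strict;
use warnings;

my @capture = (
    '          Mac Address Table',
    '-------------------------------------------',
    '',
    'Vlan    Mac Address       Type        Ports',
    '----    -----------       --------    -----',
    ' All    0100.0ccc.cccc    STATIC      CPU',
    ' 10     0011.2233.4455    DYNAMIC     Gi1/0/1',
    ' 10     0011.2233.4466    STATIC      Gi1/0/2',    # port-security / dot1x host
    ' 20     0011.2233.4477    STATIC      Gi1/0/3',
    '*  669  3333.0000.0001    static  Yes          -   Switch',
    '*  401  3333.0000.000d    static  Yes          -   Gi1/3,Gi1/4,Gi1/6,Gi1/7',
    '                                                   Gi1/9,Gi1/10,Gi1/12,Gi1/15',
    '*  401  0011.2233.4488    dynamic Yes        300   Gi1/5',
    'Total Mac Addresses for this criterion: 8',
);

# IOS output filters are regex based: '| include <re>' keeps matching lines,
# '| exclude <re>' (abbreviated 'e' in the thread) drops them.
sub ios_include { my ($re, @lines) = @_; return grep { $_ =~ /$re/ } @lines }
sub ios_exclude { my ($re, @lines) = @_; return grep { $_ !~ /$re/ } @lines }

# NeDi's per-line test from libcli-iopty.pm, case-insensitive as in the original.
sub nedi_match  { my ($re, @lines) = @_; return grep { $_ =~ /$re/i } @lines }

my $old_match = '\s+(dynamic|forward|secure(dynamic|sticky))\s+';
my $new_match = '\s+(dynamic|static|forward|secure(dynamic|sticky))\s+';

# Three switch-side filters from the thread; the last is the 1.0.8 typo from reply #14.
my @variants = (
    [ 'inc ....\.....\.....'               => sub { ios_include('....\.....\.....', @_) } ],
    [ 'e CPU|Switch|Router|/.*,'           => sub { ios_exclude('CPU|Switch|Router|/.*,', @_) } ],
    [ 'e CPU|Switch|Router|/.* (no comma)' => sub { ios_exclude('CPU|Switch|Router|/.*', @_) } ],
);

for my $v (@variants) {
    my ($label, $filter) = @$v;
    my @from_switch = $filter->(@capture);          # what reaches NeDi over the CLI
    my @old = nedi_match($old_match, @from_switch); # entries NeDi kept before the change
    my @new = nedi_match($new_match, @from_switch); # entries NeDi keeps with 'static' added
    printf "%-38s switch sends %2d lines, old regex keeps %d, with static keeps %d\n",
        $label, scalar @from_switch, scalar @old, scalar @new;
    print "    $_\n" for @new;
}
```

Run with `perl filters.pl`. On this capture the `inc` variant lets seven address lines through and, once `static` is in the alternation, NeDi keeps all seven, including the CPU entry, the per-VLAN `Switch` entry and the multi-port IPv6 all-nodes entry that colejv wanted out. The `exclude` variant with the trailing comma drops those three (plus the continuation line, because `/.*,` only matches a slash followed somewhere by a comma) and NeDi is left with the four real host entries. Without the comma, `/.*` matches every line containing a slash, so every `Gi1/0/x` port line is discarded on the switch and nothing reaches NeDi at all, which is the failure reported in reply #14.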