Thread: [Netpass-users] Cisco Support
From: Don R. <don...@em...> - 2005-06-10 13:32:07

I would be interested in any comments on Cisco switch support. Looking at the Cisco.pm module it would appear that:

- add_vlan_membership sets ONLY VLAN assigned to port (hence del_vlan...not needed)
- get_vlan_membership returns present assignment
- other, "generic" OID information calls are implemented

- set_default_vlan_id not used
- del_vlan_membership not used
- get_default_vlan_id can't work (used Nortel OID)

So, can I assume that:

- this Cisco implementation does work?
- the Cisco switches are setup for only 1 VLAN per port, and only the uplinks are tagged to pass VLAN info?
- the first three items are the "core" functions required for NetPass to work? so if we can get these to work, we're OK?

FYI, we're close to having NetPass up and running on Mac OS X Server, and will probably end up using SMC switches at the edge -- once the device module is completed.

Thanks...

Regards,

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...

From: Julian Y. K. <ko...@no...> - 2005-06-10 13:40:17

At 09:31 -0400 06/10/2005, Don Rugh wrote:
>So, can I assume that:
>- this Cisco implementation does work?

That is correct. We at Northwestern have been using NetPass since last fall with Cisco 3524/3548XL switches as well as 3550 switches. There's currently a wrinkle involved in that the XL-series switches have a different ifindex scheme than the 3550s. On a 3550, Fa0/10 = ifindex 10. On a 3524/3548XL, Fa0/10 = ifindex 11. So in the netpass.conf file, you need to make this adjustment depending on the type of switch you have. Cisco.pm could likely be improved to detect model number and adjust the ifindex accordingly, so you would only have to specify the port number in the conf file.

>- the Cisco switches are setup for only 1 VLAN per port, and only the
>uplinks are tagged to pass VLAN info?

Correct.

>- the first three items are the "core" functions required for NetPass to
>work? so if we can get these to work, we're OK?

Yep.

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

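The improvement suggested in the message above, taken one step further, as an added example that is not part of the thread and not NetPass code: instead of keying an offset on the model number, look the port name up in the switch's own ifDescr table. The two tables are constructed to match the numbering schemes described above, and `resolve_ifindex` and `%LONG` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed ifDescr tables (ifIndex => ifDescr) following the two numbering
# schemes described in the thread; not captured from real switches. On a live
# switch the table would come from an SNMP walk of IF-MIB ifDescr
# (1.3.6.1.2.1.2.2.1.2).
my %ifdescr_3550 = map { ($_     => "FastEthernet0/$_") } 1 .. 24;
my %ifdescr_xl   = map { ($_ + 1 => "FastEthernet0/$_") } 1 .. 24;

# Short interface prefixes as written in a config file, and their ifDescr form.
my %LONG = (Fa => 'FastEthernet', Gi => 'GigabitEthernet');

# Hypothetical helper: return the ifIndex whose ifDescr names $port.
sub resolve_ifindex {
    my ($ifdescr, $port) = @_;
    my ($abbr, $unit) = $port =~ m{\A([A-Za-z]+)(\d+/\d+)\z}
        or die "unparseable port name '$port'\n";
    my $want = ($LONG{$abbr} // $abbr) . $unit;
    my @hits = grep { $ifdescr->{$_} eq $want } keys %$ifdescr;
    # Fail closed: an off-by-one index would re-VLAN a neighbouring port.
    die "port '$port' matched " . scalar(@hits) . " interfaces\n"
        unless @hits == 1;
    return $hits[0];
}

# Same port name, different ifIndex, depending on the switch's own table.
for my $sw (['3550', \%ifdescr_3550], ['3524/3548XL', \%ifdescr_xl]) {
    my ($model, $table) = @$sw;
    printf "%-12s Fa0/10 -> ifIndex %d\n",
        $model, resolve_ifindex($table, 'Fa0/10');
}
```
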
From: jeff m. <jcm...@os...> - 2005-06-10 13:53:10

On Fri, 2005-06-10 at 09:31 -0400, Don Rugh wrote:
> I would be interested in any comments on Cisco switch support. Looking
> at the Cisco.pm module it would appear that:
>
> - add_vlan_membership sets ONLY VLAN assigned to port (hence
>   del_vlan...not needed)
> - get_vlan_membership returns present assignment
> - other, "generic" OID information calls are implemented
>
> - set_default_vlan_id not used
> - del_vlan_membership not used
> - get_default_vlan_id can't work (used Nortel OID)
>
> So, can I assume that:
> - this Cisco implementation does work?

the cisco module works. ideally, the above routines would be fully implemented per the comments at the top of each routine. obviously they are not for the cisco module.

the reasoning behind these routines is that, in the future, we expect that there will be a time when you have a port with VOIP phone plugged into it and a PC plugged into the phone. many voip architectures have phones on a separate vlan from the PC. if your voip architecture has the phones on the same vlan as the PC, then this feature is moot.

we'd like to be able to quarantine the PC without affecting the phone (this feature implies that you are trusting that the PC will not emit tagged packets). the phone is emitting tagged packets. so we change the default vlan that untagged packets are placed in and remove membership in the unquarantined data vlan, but leave membership in other vlans (the voip one) alone.

as it stands now, the cisco module will need some revising, but in the most basic configuration where each port is a member of only one vlan at a time, it works.

> - the Cisco switches are setup for only 1 VLAN per port, and only the
> uplinks are tagged to pass VLAN info?

yes

> - the first three items are the "core" functions required for NetPass
> to work? so if we can get these to work, we're OK?
>

yes