Re: [OpenVMPS-devel] Changing VLANs while the host is connected
From: Matthew W. <mw...@ui...> - 2005-11-03 14:46:34
We have the same problem. If a vlan is changed, the host would need to get a new ip before the host could communicate again. We minimize impact by reducing our dhcp lease times to a minimum.

The reason this feature is important to us is we use a vlan to quarantine virus infected pcs. So if they are caught at our firewall sending malicious packets, then they are immediately quarantined in a vlan and the malicious traffic immediately stops.

However, shutting down the port via snmp would also help solve our IP lease problem. If the port is shut down for a few seconds and turned back on, wouldn't that force the PC to renew its dhcp lease? At least Windows XP would work this way, correct? This could help us avoid the time between when the vlan changes and when the ip address is renewed (or pc is restarted).

Also, in 1.3, after the vlan has changed in the config, vmps sends the DENY message and the switch stops sending a vqp request for that port. So after the DENY message, I see the same thing you do, Sean....

Thanks!
Matthew

Sean Boran wrote:
>Hi,
>
>Here you are.
>
>The script is below. It also expects some settings in a file config.inc:
>    $snmpwalk="/usr/bin/snmpwalk -c mysecret1 "; # SNMP Read community
>    $snmpset ="/usr/bin/snmpset -c msecret2";   # SNMP Write community
>
>#!/usr/bin/php -f
><?php
>#
># /opt/vmps/restart_port
>#
># Use SNMP to connect to the Switch, check the port status (up/down), and
># reset the port (set down, then up).
>#
># Example:
>#   /opt/vmps/restart_port 2/10 sw0503
>#
># 2005.9.30/Sean Boran
>#
>#############################################################
>
>$debug_flag1=true;
>$debug_flag2=false;
>
>$catos=TRUE;
>include_once "funcs.inc";   # Load settings & common functions (syscall, debug1, debug2)
>define_syslog_variables();  # not used yet, but anyway..
>openlog("check_port", LOG_PID | LOG_PERROR, LOG_LOCAL5);
>#$snmpwalk="/opt/OV/bin/snmpwalk -c mysecret1 "; # SNMP Read community
>#$snmpset ="/opt/OV/bin/snmpset -c mysecret2";   # SNMP Write community
>
># ------------------ functions ----------------
>function get_switch_type($switch)
>{
>    global $snmpwalk, $debug_flag1, $debug_flag2, $catos;
>    $found=FALSE;
>
>    ## Read sysDescr and decide whether the switch runs IOS or CatOS
>    debug2("$snmpwalk $switch system.sysDescr");
>    $answer=explode("\n", syscall("$snmpwalk $switch system.sysDescr"));
>    for ($j = 0; $j < count($answer); $j++){
>        debug2($answer[$j]);
>
>        if (preg_match("/Invalid destination/", $answer[$j], $matches)) {
>            echo($answer[$j] . " - ABORTED.\n");
>            exit(2);
>
>        } else if (preg_match("/Timeout: No Response/", $answer[$j], $matches)) {
>            echo($answer[$j] . " - ABORTED.\n");
>            exit(2);
>
>        } else if (preg_match("/Internetwork Operating System/", $answer[$j], $matches)) {
>            $catos=FALSE;
>            $found=TRUE;
>            debug1('IOS !');
>
>        } else if (preg_match("/Catalyst Operating System/", $answer[$j], $matches)) {
>            $catos=TRUE;
>            $found=TRUE;
>            debug1('CATOS !');
>        }
>    }
>
>    if ($found==FALSE) {
>        echo("ABORTED: Could not contact switch, or unknown Switch (neither IOS nor CATOS).\n");
>        echo(implode("\n", $answer) . "\n");
>        exit(2);
>    }
>}
>
>
>function get_port_status($port_index, $switch)
>{
>    global $snmpwalk, $debug_flag1, $debug_flag2;
>    $result='';
>
>    // use index to check port status
>    if ($port_index>0 ) {
>        debug2("Index=$port_index");
>        $mymatch="ifEntry.ifAdminStatus.$port_index : INTEGER:";
>
>        ## Get all port status and find the one that interests us
>        $stat_list=explode("\n", syscall("$snmpwalk $switch ifAdminStatus"));
>
>        for ($j = 0; $j < count($stat_list); $j++){
>            #debug1($stat_list[$j]);
>            # Invalid snmp will give "no MIB objects contained under subtree."
>            if (preg_match("/$mymatch (.+)/", $stat_list[$j], $matches)) {
>                debug1("STATUS " . $matches[1]);
>                $result=$matches[1];
>            } // if match
>        }
>    }
>    return $result;
>}
>
>
>function restart_port($port_index, $switch)
>{
>    global $snmpset, $debug_flag1, $debug_flag2;
>    $result='';
>
>    // use index to set the port down, then up again
>    if ($port_index>0 ) {
>        # Example
>        #   /opt/OV/bin/snmpset -c MYSECRET SWITCHNAME ifAdminStatus.18 integer 2
>
>        $cmd="$snmpset $switch ifAdminStatus.$port_index integer 2"; // down
>        $answer=explode("\n", syscall($cmd));
>        for ($j = 0; $j < count($answer); $j++){
>            debug1($answer[$j]);
>        }
>        #get_port_status($port_index, $switch);
>
>        $cmd="$snmpset $switch ifAdminStatus.$port_index integer 1"; // up
>        $answer=explode("\n", syscall($cmd));
>        for ($j = 0; $j < count($answer); $j++){
>            debug1($answer[$j]);
>        }
>        #get_port_status($port_index, $switch);
>
>    } // if index>0
>
>} // function
>
>
>## ------- main() ---------------------
>if ($argc != 3 || in_array($argv[1], array('--help', '-help', '-h', '-?'))) {
>    echo " Usage: $argv[0] <PORT> <SWITCH>\n";
>    echo " Example: $argv[0] Fa0/19 sw0120\n";
>    exit(2);
>
>} else {
>    $port=$argv[1];
>    $switch=$argv[2];
>}
>debug1("Port $port on $switch");
>
>$port = preg_replace('/\//', '\/', $port); # Escape slashes for use inside the regex below
>if ($catos===TRUE) { $ifquery='ifName'; }
>
>## Go!
>get_switch_type($switch);
>
>// query interface list and split into an array
>$if_list=explode("\n", syscall("$snmpwalk $switch $ifquery"));
>
>for ($i = 0; $i < count($if_list); $i++){
>    #debug2($if_list[$i]);
>    if (preg_match("/ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.(.+) : .* $port$/", $if_list[$i], $matches)) {
>        debug2($if_list[$i]);
>        $port_index=$matches[1];
>
>        get_port_status($port_index, $switch);
>        restart_port($port_index, $switch);
>
>    } // if preg_match interface
>} //for if_list
>
>?>
>
>
>Regards,
>
>Sean
>
>
>>-----Original Message-----
>>From: vmp...@li... [mailto:vmp...@li...] On Behalf Of David Smith
>>Sent: Thursday, 3 November 2005 09:55
>>To: vmp...@li...
>>Subject: RE: [OpenVMPS-devel] Changing VLANs while the host is connected
>>
>>Would you be able to send the part of the PHP script that shuts down and
>>restarts the individual port?
>>
>>Thanks
>>Dave
>>System Administrator
>>m/v Africa Mercy
>>Mercy Ships
>>tel: 0191 483 8413 ex 108
>>fax: 0870 460 0764
>>
>>
>>>-----Original Message-----
>>>From: vmp...@li... [mailto:vmp...@li...] On Behalf Of Sean Boran
>>>Sent: 03 November 2005 08:41
>>>To: vmp...@li...
>>>Subject: RE: [OpenVMPS-devel] Changing VLANs while the host is connected
>>>
>>>I've a PHP script that shuts down/starts the Switch port via SNMP.
>>>Is that what you mean?
>>>
>>>I've a major problem with hubs though, individual ports work OK.
>>>
>>>Sean
>>>
>>>
>>>>-----Original Message-----
>>>>From: vmp...@li... [mailto:vmp...@li...] On Behalf Of David Smith
>>>>Sent: Thursday, 3 November 2005 09:26
>>>>To: vmp...@li...
>>>>Subject: RE: [OpenVMPS-devel] Changing VLANs while the host is connected
>>>>
>>>>How do you deal with a changed vLan? In our system, when we change a vLan,
>>>>we also need the client to get a new IP address to continue operation. Doing
>>>>a reboot is sufficient for us, how do you tell the switch to recheck its
>>>>ports?
>>>>
>>>>Dave
>>>>System Administrator
>>>>m/v Africa Mercy
>>>>Mercy Ships
>>>>tel: 0191 483 8413 ex 108
>>>>fax: 0870 460 0764
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: vmp...@li... [mailto:vmp...@li...] On Behalf Of Sean Boran
>>>>>Sent: 03 November 2005 07:34
>>>>>To: vmp...@li...
>>>>>Subject: RE: [OpenVMPS-devel] Changing VLANs while the host is connected
>>>>>
>>>>>Hi,
>>>>>
>>>>>I use 1.3 too, but I found that I often have to restart ports to get them to
>>>>>change Vlan. But for me the problem was the switch not sending a VQP
>>>>>request, as opposed to vmpsd giving the wrong answer.
>>>>>
>>>>>Sean
>>>>>
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: vmp...@li... [mailto:vmp...@li...] On Behalf Of Matthew Wilson
>>>>>>Sent: Wednesday, 2 November 2005 20:46
>>>>>>To: vmp...@li...
>>>>>>Subject: [OpenVMPS-devel] Changing VLANs while the host is connected
>>>>>>
>>>>>>Hello! First off, thanks so much to the writers of OpenVMPS, we've been
>>>>>>able to do wonderful things with it for the past couple years (~2,000
>>>>>>clients).
>>>>>>
>>>>>>We use OpenVMPS to help us quarantine virus infected hosts. Problem is,
>>>>>>when we find an infected host, change the vlan in the config and
>>>>>>reconfirm the switch while the PC is still connected, the vmps sends a
>>>>>>DENY message. However, if I disconnect the host from the switch, and
>>>>>>reconnect, it gets the appropriate vlan. This behavior only became a
>>>>>>problem when we upgraded from 1.0 to 1.3. In 1.0, the vmps would send
>>>>>>an ALLOW message along with the correct new vlan.
>>>>>>
>>>>>>Here is my config:
>>>>>>==================================
>>>>>>vmps domain ungoliant
>>>>>>vmps mode open
>>>>>>vmps fallback default
>>>>>>vmps no-domain-req deny
>>>>>>vmps-mac-addrs
>>>>>>address 00d0.b7b3.6516 vlan-name VLAN0103
>>>>>>
>>>>>>Here is the log in v1.3:
>>>>>>==================================
>>>>>>VQP Request
>>>>>>Unknown: 1
>>>>>>Request Type: 3
>>>>>>Response: 0
>>>>>>No. Data Items: 6
>>>>>>Sequence No.: 48
>>>>>>Client IP address: 10.2.1.54
>>>>>>Port name: Fa0/10
>>>>>>Vlan name: VLAN0102
>>>>>>Domain name: Ungoliant
>>>>>>MAC address: 00d0b7b36516
>>>>>>DENY: 00d0b7b36516 -> (null), switch 10.2.1.54 port Fa0/10
>>>>>>
>>>>>>And now the log (using the same config) using v1.0:
>>>>>>==================================
>>>>>>VQP Request
>>>>>>Unknown: 1
>>>>>>Request Type: 3
>>>>>>Response: 0
>>>>>>No. Data Items: 6
>>>>>>Sequence No.: 40
>>>>>>Client IP address: 10.2.1.54
>>>>>>Port name: Fa0/10
>>>>>>Vlan name: VLAN0102
>>>>>>Domain name: Ungoliant
>>>>>>Vlan name: VLAN0102
>>>>>>MAC address: 00d0b7b36516
>>>>>>ALLOW: 00d0b7b36516 -> VLAN0103, switch 10.2.1.54 port Fa0/10
>>>>>>
>>>>>>
>>>>>>Is this the expected result? I think it's reasonable that a VLAN could
>>>>>>change while a PC is still connected to the port. Is this configurable?
>>>>>>
>>>>>>Thanks for any help you can give!
>>>>>>Matthew
>>>>>>
>>>>>>
>>>>>>-------------------------------------------------------
>>>>>>SF.Net email is sponsored by:
>>>>>>Tame your development challenges with Apache's Geronimo App Server. Download
>>>>>>it for free - -and be entered to win a 42" plasma tv or your very own
>>>>>>Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
>>>>>>_______________________________________________
>>>>>>Vmps-devel mailing list
>>>>>>Vmp...@li...
>>>>>>https://lists.sourceforge.net/lists/listinfo/vmps-devel
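As an added example (not code from the thread or from the OpenVMPS project), the following Python module does the same job as the port-restart step in Sean's script: find the ifIndex for a port name from an `ifName` walk, read its `ifAdminStatus`, then set the port down and back up. The command runner is injectable, so the block runs offline against constructed `snmpwalk` output embedded below; the function names (`bounce_port`, `make_fake_runner`), the sample lines, the `settle_seconds` pause and the accepted output layouts (old net-snmp `name : TYPE: value` as in the PHP regexes, plus the newer `IF-MIB::name = TYPE: value`) are this example's assumptions. Two things differ deliberately from the quoted script: commands are passed as argv lists with no shell, and the port and switch names are checked against a character whitelist before they reach a command line, so a value taken from an argument or a ticket cannot alter the command that runs.

```python
import re
import subprocess
import time
from typing import Callable, Dict, List, Optional

# Hypothetical helper: names and layout are this example's assumptions, not OpenVMPS code.
# Constructed sample snmpwalk output (not captured from a real switch): the old net-snmp
# "name : TYPE: value" layout the quoted PHP regexes expect, plus one newer-style line.
SAMPLE_IFNAME_WALK = """\
ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.1 : STRING: Fa0/1
ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifName.10 : STRING: Fa0/10
IF-MIB::ifName.19 = STRING: Fa0/19
"""
SAMPLE_ADMIN_WALK = """\
interfaces.ifTable.ifEntry.ifAdminStatus.1 : INTEGER: up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.10 : INTEGER: up(1)
IF-MIB::ifAdminStatus.19 = INTEGER: down(2)
"""

# Names are passed as separate argv elements (never shell-parsed), and are additionally
# limited to the characters interface names such as Fa0/10 or 2/10 and hostnames use.
NAME_RE = re.compile(r"[A-Za-z0-9/.\-]{1,64}")
IFNAME_RE = re.compile(r"ifName\.(\d+)\s*[:=]\s*STRING:\s*\"?([^\"\s]+)\"?\s*$")
ADMIN_RE = re.compile(r"ifAdminStatus\.(\d+)\s*[:=]\s*INTEGER:\s*(?:\w+\()?(\d)\)?")
ADMIN_CODES = {"1": "up", "2": "down", "3": "testing"}  # IF-MIB ifAdminStatus values

Runner = Callable[[List[str]], str]


def find_ifindex(walk_output: str, port: str) -> Optional[int]:
    """Return the ifIndex whose ifName equals `port` exactly (Fa0/1 never matches Fa0/10)."""
    for line in walk_output.splitlines():
        m = IFNAME_RE.search(line)
        if m and m.group(2) == port:
            return int(m.group(1))
    return None


def admin_status(walk_output: str, ifindex: int) -> Optional[str]:
    """Return 'up'/'down'/'testing' for the ifAdminStatus row of `ifindex`, or None if absent."""
    for line in walk_output.splitlines():
        m = ADMIN_RE.search(line)
        if m and int(m.group(1)) == ifindex:
            return ADMIN_CODES.get(m.group(2), "unknown")
    return None


def run_command(argv: List[str]) -> str:
    """Default runner: argv list, no shell, so nothing in the names is interpreted."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout


def bounce_port(switch: str, port: str, run: Runner = run_command,
                read_community: str = "public", write_community: str = "private",
                settle_seconds: float = 2.0) -> Dict[str, object]:
    """Look up the port, record its admin status, then set it down and back up."""
    if not NAME_RE.fullmatch(port) or not NAME_RE.fullmatch(switch):
        raise ValueError("unexpected characters in port or switch name")
    ifindex = find_ifindex(run(["snmpwalk", "-c", read_community, switch, "ifName"]), port)
    if ifindex is None:
        raise LookupError(f"port {port} not found on {switch}")
    before = admin_status(run(["snmpwalk", "-c", read_community, switch, "ifAdminStatus"]), ifindex)
    # ifAdminStatus 2 = down, then 1 = up, as in the quoted script. The pause keeps the link
    # down long enough for the host to notice; the default is a constructed value.
    run(["snmpset", "-c", write_community, switch, f"ifAdminStatus.{ifindex}", "integer", "2"])
    time.sleep(settle_seconds)
    run(["snmpset", "-c", write_community, switch, f"ifAdminStatus.{ifindex}", "integer", "1"])
    return {"ifindex": ifindex, "status_before": before}


def make_fake_runner(calls: List[List[str]]) -> Runner:
    """Offline stand-in for run_command: records each argv and serves the constructed walks."""
    def run(argv: List[str]) -> str:
        calls.append(argv)
        if argv[0] == "snmpwalk" and argv[-1] == "ifName":
            return SAMPLE_IFNAME_WALK
        if argv[0] == "snmpwalk" and argv[-1] == "ifAdminStatus":
            return SAMPLE_ADMIN_WALK
        return ""  # snmpset output is not parsed
    return run


if __name__ == "__main__":
    calls: List[List[str]] = []
    print(bounce_port("sw0120", "Fa0/10", run=make_fake_runner(calls), settle_seconds=0))
    for argv in calls:
        print(" ".join(argv))
```

Dropping the `run=` argument makes the default runner call the net-snmp tools on the path. Because v1/v2c community strings travel in clear text, the write community used for the `snmpset` calls should be limited by the switch's SNMP access list to the host that runs this.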