FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 194763
Description
After a reboot of the switch, FortiNAC shows incorrect host location information.  VLANs are consequently switched on the wrong ports.

FortiNAC relies on the ifIndex value for most supported switch vendors. The ifIndex is a unique value associated with an interface. This value must remain consistent; otherwise, the appliance can lose track of interfaces. This can result in the isolation of the switch or of registered hosts connected to the switch.

As of Cisco version 12.1(5)T, Cisco does not persist information in the ifIndex table through a reboot by default.


Methods to Diagnose:

Method 1: In Network Device > Topology, locate the affected host and compare the port number to which it connects in Ports View to the MAC address table of the switch.


Method 2: Compare the information received in the MAC Notification trap to the Ports View.

1. Log in to the appliance CLI as root.

2. Enable debug. Type
     CampusMgrDebug -name DeviceInterface true

3. Tail output.master and look for MacNotification trap information. Type
     tail -F /bsc/logs/output.master | grep -i CiscoMacNotification | grep -i "<x:x:x:x:x:x>"

4. Connect host to switch

5. Look for message similar to the following:
CiscoMacNotification received for <switch name> <port number> {*host*} operation = ADD vlan = <vlanid> mac = <mac address> dot1dBasePort = <value> ifIndex = <value>  

6. Compare the information in the message to where the host shows connected under the Port View tab for that switch in Topology.
- ifIndex value in log message should match Interface ID in Ports view
- Switch port number should also match

7. Ctrl-C to stop tail

8. Disable debug. Type
     CampusMgrDebug -name DeviceInterface false
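
The comparison in Method 2 can be scripted against a saved copy of the grep output. The following is an added example, not part of the original article or of FortiNAC: it assumes the log lines follow the template in step 5 and that the Ports View mapping has been transcribed by hand into a dictionary. The switch name, port names, MAC addresses and ifIndex values are constructed.

```python
import re

# Field order follows the message template in step 5; the pattern is unanchored
# because real log lines may carry a timestamp or thread prefix (assumption).
TRAP_RE = re.compile(
    r"CiscoMacNotification received for (?P<switch>\S+) (?P<port>\S+) .*?"
    r"operation = (?P<op>\w+)\s+vlan = (?P<vlan>\d+)\s+"
    r"mac = (?P<mac>[0-9A-Fa-f:]+)\s+"
    r"dot1dBasePort = (?P<base>\d+)\s+ifIndex = (?P<ifindex>\d+)"
)

def find_drift(log_lines, ports_view):
    """Return one finding per ADD trap whose ifIndex disagrees with Ports View.
    ports_view maps (switch, port) -> Interface ID, transcribed by hand from
    the Ports View tab (hypothetical input format, not a FortiNAC export)."""
    # Reverse index: which port does Ports View list under a given ifIndex?
    by_ifindex = {(sw, idx): port for (sw, port), idx in ports_view.items()}
    findings = []
    for line in log_lines:
        m = TRAP_RE.search(line)
        if not m or m["op"] != "ADD":
            continue
        sw, port, trap_idx = m["switch"], m["port"], int(m["ifindex"])
        known_idx = ports_view.get((sw, port))
        if known_idx == trap_idx:
            continue  # trap and Ports View agree for this port
        findings.append({
            "switch": sw, "trap_port": port, "mac": m["mac"].lower(),
            "trap_ifindex": trap_idx, "ports_view_ifindex": known_idx,
            # Port that Ports View lists under the trap's ifIndex (None if unknown)
            "ports_view_port": by_ifindex.get((sw, trap_idx)),
        })
    return findings

# Constructed sample data: Gi1/0/5 now reports ifIndex 10106 instead of 10105.
SAMPLE_PORTS_VIEW = {("sw-access-01", "Gi1/0/5"): 10105,
                     ("sw-access-01", "Gi1/0/6"): 10106,
                     ("sw-access-01", "Gi1/0/7"): 10107}
_PFX = "CiscoMacNotification received for sw-access-01 "
SAMPLE_LOG = [
    _PFX + "Gi1/0/5 {*host*} operation = ADD vlan = 20 mac = 00:11:22:AA:BB:05 dot1dBasePort = 5 ifIndex = 10106",
    _PFX + "Gi1/0/7 {*host*} operation = ADD vlan = 20 mac = 00:11:22:AA:BB:07 dot1dBasePort = 7 ifIndex = 10107",
    _PFX + "Gi1/0/6 {*host*} operation = OTHER vlan = 20 mac = 00:11:22:AA:BB:06 dot1dBasePort = 6 ifIndex = 10199",  # constructed non-ADD value
]

if __name__ == "__main__":
    for finding in find_drift(SAMPLE_LOG, SAMPLE_PORTS_VIEW):
        print(finding)
```

A finding whose ports_view_port differs from trap_port names the port that Ports View currently associates with that ifIndex, which is the mismatch the Description attributes to a switch reboot.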

Scope
Version:  8.x

Solution
Workaround:
Restart management processes on the appliance to learn new mappings. For CLI instructions, see the related KB article below.


Solution: 
The following command must be added to the Cisco configuration to persist this information through a reboot:
snmp-server ifindex persist

For details on this command, refer to Cisco documentation, such as the following link:
Configuring SNMP IfIndex Persistence
https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/ifind...




ID 0665112, 0682406

Related Articles

Technical Note: How to restart processes via CLI
