Description | This article describes how to enable SNMPv3 MAC notification traps when FortiSwitch is operating in FortiLink Mode. |
Scope | FortiNAC-F, FortiGate, FortiSwitch, FortiLink. |
Solution |
This article assumes that the FortiGate and FortiSwitch are already onboarded onto the FortiNAC-F.
The configurations and verifications in this article were performed on a FortiGate 91G running FortiOS 7.2.9, a FortiSwitch 108F-FPOE running FortiSwitchOS 7.4.2, and a FortiNAC-F VM running 7.4.0.
FortiGate:
Configure the MAC retention period. Setting it to 0 stops the FortiGate from keeping an inactive MAC address in its client database after the endpoint disconnects; entries are then aged out according to the FortiSwitch mac-aging-interval instead of being retained for the default 24 hours.

config switch-controller global
    set mac-retention-period 0
end
Configure a firewall policy that allows SNMP traffic from the FortiSwitch to the FortiNAC-F. The traps enter the FortiGate on the fortilink interface; the remaining fields (destination interface and address, the predefined SNMP service, which covers UDP/162, and the accept action) are set as for any other policy:

config firewall policy
    edit <firewall-policy-number>
        set srcintf fortilink
        set dstintf <interface-towards-fortinac>
        set srcaddr <fortiswitch-address-object>
        set dstaddr <fortinac-address-object>
        set action accept
        set schedule always
        set service SNMP
    next
end

Note that NAT does not need to be enabled: FortiNAC-F matches the source IP address of a trap against the devices in its database, and when the FortiGate is onboarded onto the FortiNAC-F its managed FortiSwitches are onboarded too, so the FortiSwitch FortiLink address is already known. NAT can be enabled, but then the SNAT'ed IP address must itself be present in the FortiNAC-F database for the traps to be attributed to the switch.
Configure a custom command. Its command string is a single line in which %0a (a URL-encoded newline) separates the FortiSwitchOS CLI lines to be run; the command below reflects the minimum required configuration.

config switch-controller custom-command
    edit <custom-command-name>
        set command "config system snmp sysinfo %0a set status enable %0a end %0a config system snmp user %0a edit <snmp-username> %0a set security-level no-auth-no-priv %0a set events l2mac %0a set notify-hosts <fortinac-address-or-range> %0a next %0a end %0a config switch interface %0a edit port1 %0a set log-mac-event enable %0a next %0a end"
    next
end

On the FortiSwitch, this string expands to:

config system snmp sysinfo
    set status enable
end
config system snmp user
    edit <snmp-username>
        set security-level no-auth-no-priv
        set events l2mac
        set notify-hosts <fortinac-address-or-range>
    next
end
config switch interface
    edit port1
        set log-mac-event enable
    next
end
Note that set security-level no-auth-no-priv must be specified explicitly when no credentials are given. The FortiSwitchOS default security level is auth-priv, so without this line the switch expects authentication and privacy credentials and the command partially fails when applied. At this security level the traps are neither authenticated nor encrypted, so use it only where the path from the FortiSwitch to the FortiNAC-F is trusted; the authenticated variant is shown further below.

Whether or not credentials are specified, the following applies:

It is necessary to specify set notify-hosts <fortinac-address-or-range>. Otherwise, SNMP MAC notification traps are not sent to FortiNAC-F.

It is necessary to use the same SNMP username that was used to onboard the FortiGate onto the FortiNAC-F. Otherwise, FortiNAC-F ignores the SNMP MAC notification traps received from the FortiSwitch.
The custom command above also only enables MAC event logging on one FortiSwitch port, port1. Additional ports are added as further edit/next blocks in the same config switch interface section, for example:

config switch interface %0a edit port1 %0a set log-mac-event enable %0a next %0a edit <port n> %0a set log-mac-event enable %0a next %0a end
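As an added example that is not part of the original article, the following Python script builds the custom-command string for any list of ports and for either security level, and checks it against the requirements listed above before it is pushed. The user name, FortiNAC-F address and port names in the demo are constructed placeholders.

```python
"""
Build and sanity-check the FortiGate switch-controller custom command that
enables SNMPv3 MAC notification traps on a FortiSwitch.

Added example, not code from the Fortinet article. FortiOS stores the custom
command as a single string in which "%0a" separates the FortiSwitchOS CLI
lines. build_command() generates that string for any number of ports and for
either security level; lint_command() applies the requirements the article
lists before the command is pushed to the switch. Host, port and user names
in the demo are constructed placeholders.
"""

SEP = " %0a "  # newline separator used inside a FortiOS custom-command string

# Credentials each FortiSwitchOS SNMPv3 security level needs; auth-priv is the
# default when 'set security-level' is omitted.
REQUIRED_BY_LEVEL = {
    "auth-priv": ("auth-proto", "auth-pwd", "priv-proto", "priv-pwd"),
    "auth-no-priv": ("auth-proto", "auth-pwd"),
    "no-auth-no-priv": (),
}


def build_command(username, notify_hosts, ports, auth=None):
    """Return the value for 'set command "..."'.

    auth=None produces the minimal no-auth-no-priv user; otherwise auth is a
    dict with auth_proto, auth_pwd, priv_proto and priv_pwd for auth-priv.
    """
    lines = ["config system snmp sysinfo", "set status enable", "end",
             "config system snmp user", f"edit {username}"]
    if auth is None:
        lines.append("set security-level no-auth-no-priv")
    else:
        lines += [f"set auth-proto {auth['auth_proto']}", f"set auth-pwd {auth['auth_pwd']}",
                  f"set priv-proto {auth['priv_proto']}", f"set priv-pwd {auth['priv_pwd']}"]
    lines += ["set events l2mac", f"set notify-hosts {notify_hosts}", "next", "end",
              "config switch interface"]
    for port in ports:  # one edit/next block per port that should log MAC events
        lines += [f"edit {port}", "set log-mac-event enable", "next"]
    lines.append("end")
    return SEP.join(lines)


def expand(command):
    """Split a stored command string back into the CLI lines the FortiSwitch runs."""
    return [part.strip() for part in command.split("%0a")]


def lint_command(command, onboarded_username):
    """Return the problems found; an empty list means the command meets the article's requirements."""
    lines = expand(command)
    problems = []
    if "set status enable" not in lines:
        problems.append("SNMP agent not enabled: 'set status enable' under config system snmp sysinfo is missing")
    # The SNMP user is the 'edit' line right after 'config system snmp user'.
    username = None
    for i, line in enumerate(lines[:-1]):
        if line == "config system snmp user" and lines[i + 1].startswith("edit "):
            username = lines[i + 1].split(None, 1)[1]
    if username is None:
        problems.append("no SNMP user is defined")
    elif username != onboarded_username:
        problems.append(f"SNMP user {username!r} is not the onboarding user {onboarded_username!r}; "
                        "FortiNAC-F ignores the traps")
    level = "auth-priv"  # FortiSwitchOS default when no security-level is set
    for line in lines:
        if line.startswith("set security-level "):
            level = line.split()[-1]
    required = REQUIRED_BY_LEVEL.get(level)
    if required is None:
        problems.append(f"unknown security level {level!r}")
    else:
        missing = [key for key in required if not any(ln.startswith(f"set {key} ") for ln in lines)]
        if missing:
            problems.append(f"security level {level} needs credentials but {', '.join(missing)} missing; "
                            "the command will partially fail on the switch")
    if not any(ln.startswith("set events ") and "l2mac" in ln.split() for ln in lines):
        problems.append("'set events l2mac' missing; no MAC notification traps are generated")
    if not any(ln.startswith("set notify-hosts ") for ln in lines):
        problems.append("'set notify-hosts' missing; traps are not sent to FortiNAC-F")
    if "set log-mac-event enable" not in lines:
        problems.append("no port has 'set log-mac-event enable'")
    return problems


if __name__ == "__main__":
    # Constructed values: FortiNAC-F at 192.0.2.10, SNMPv3 user 'fortinac'.
    minimal = build_command("fortinac", "192.0.2.10", ["port1"])
    print(minimal)
    print("problems:", lint_command(minimal, "fortinac") or "none")
    # Omitting the security level reproduces the partial failure the article warns about.
    broken = minimal.replace(" %0a set security-level no-auth-no-priv", "")
    print("problems:", lint_command(broken, "fortinac"))
```

The linter encodes the article's rules: an SNMP user without credentials must declare no-auth-no-priv because the switch defaults to auth-priv, the user name must be the one FortiNAC-F already knows, and notify-hosts, events l2mac and at least one log-mac-event port must all be present before the command is worth pushing.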
Also note that the SNMP configuration should not be made directly on the FortiSwitch CLI. Since FortiOS 6.2.1, when the FortiGate reboots it clears the SNMP configuration on the managed FortiSwitch, specifically the SNMP community and SNMP user sections, so settings made locally on the switch are lost. Configure them through a custom command from the FortiGate instead.
Apply the custom command to push the SNMP configuration from the FortiGate to the FortiSwitch.

config switch-controller managed-switch
    edit <fortiswitch-serial-number>
        config custom-command
            edit <name>
                set command-name <custom-command-name>
            next
        end
    next
end
Verify on the FortiSwitch CLI that the custom command was successfully applied from the FortiGate:

show system snmp sysinfo
show system snmp user
show switch interface <port-number>
If the custom command was only partially applied, correct it and run it against the switch again from the FortiGate:

execute switch-controller custom-command <custom-command-name> <fortiswitch-serial-number>
Verify that the SNMP configuration persists by rebooting the FortiGate during a maintenance window.
FortiNAC-F:
Configure SNMP allowed access on the interface that receives the traps. The allowaccess list replaces the existing one rather than adding to it, so include the protocols already enabled on the interface alongside snmp:

config system interface
    edit port1
        set allowaccess <protocol> snmp <protocol n>
    next
end
Verify that the SNMP MAC notification traps are received by sniffing UDP/162 from the FortiSwitch FortiLink address (the source address is unchanged because NAT is not enabled on the policy):

execute tcpdump -vi port1 host <fortiswitch-ip-address> and port 162

Then connect an endpoint device to the FortiSwitch port and disconnect it again. A trap should appear in the capture for each MAC event.
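The capture above only shows that packets arrive on UDP/162. As an added example that is not from the article, the following Python script decodes the SNMPv3 message wrapper of such a trap so that the two fields FortiNAC-F depends on, the security level in msgFlags and the USM user name, can be read off a captured payload. It builds a constructed noAuthNoPriv trap so it runs offline; the engine ID, user name and counters are constructed values, and decode_header() can equally be fed the UDP payload bytes of a real capture.

```python
"""
Decode the SNMPv3 message wrapper of a MAC notification trap seen on UDP/162.

Added example, not code from the Fortinet article: a minimal BER
encoder/decoder for SNMPv3Message (RFC 3412) and USM security parameters
(RFC 3414). encode_trap() builds a constructed noAuthNoPriv trap so the
decoder runs offline; decode_header() extracts the security level carried in
msgFlags and the USM user name. Engine ID, user and counters are constructed.
"""

# msgFlags bits (RFC 3412): 0x01 auth, 0x02 priv, 0x04 reportable (zero for traps)
LEVELS = {0x00: "no-auth-no-priv", 0x01: "auth-no-priv", 0x03: "auth-priv"}
USM_SECURITY_MODEL = 3
TRAP_PDU_TAG = 0xA7  # SNMPv2-Trap-PDU, [7] IMPLICIT
# Constructed engine ID: 0x80 | enterprise 12356 (Fortinet), format 1 = IPv4, 192.0.2.20
ENGINE_ID = bytes.fromhex("8000304401") + bytes([192, 0, 2, 20])


def _tlv(tag, payload):
    """BER tag-length-value with short or long definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _int(value):
    size = max(1, (value.bit_length() + 8) // 8)  # minimal two's-complement length
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _str(data):
    return _tlv(0x04, data)


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def encode_trap(username, engine_id=ENGINE_ID):
    """Build a noAuthNoPriv SNMPv3 trap; authParams/privParams are empty at this level."""
    global_data = _seq(_int(1), _int(65507), _str(bytes([0x00])), _int(USM_SECURITY_MODEL))
    usm = _seq(_str(engine_id), _int(1), _int(600), _str(username.encode()), _str(b""), _str(b""))
    # Real traps carry sysUpTime.0 and snmpTrapOID.0 varbinds first; left empty here.
    pdu = _tlv(TRAP_PDU_TAG, _int(42) + _int(0) + _int(0) + _seq())
    scoped_pdu = _seq(_str(engine_id), _str(b""), pdu)
    return _seq(_int(3), global_data, _str(usm), scoped_pdu)


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _items(payload):
    """Return the (tag, value) pairs inside a constructed type."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = _read_tlv(payload, pos)
        out.append((tag, value))
    return out


def _to_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_header(message):
    """Parse an SNMPv3 message down to the PDU type (when the scoped PDU is not encrypted)."""
    tag, body, _ = _read_tlv(message)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    version, global_data, security_params, scoped_pdu = _items(body)
    if _to_int(version[1]) != 3:
        raise ValueError(f"SNMP version {_to_int(version[1])}, not SNMPv3")
    msg_id, _max_size, flags, model = _items(global_data[1])
    flag = flags[1][0]
    [(_, usm_body)] = _items(security_params[1])  # USM params: a SEQUENCE inside an OCTET STRING
    engine_id, _boots, _time, user, _auth_params, _priv_params = _items(usm_body)
    header = {
        "version": 3,
        "msg_id": _to_int(msg_id[1]),
        "security_level": LEVELS.get(flag & 0x03, "invalid (priv without auth)"),
        "security_model": _to_int(model[1]),
        "engine_id": engine_id[1].hex(),
        "username": user[1].decode(errors="replace"),
        "encrypted": bool(flag & 0x02),
        "is_trap": None,  # unknown while the scoped PDU is ciphertext
    }
    if scoped_pdu[0] == 0x30:  # plaintext ScopedPDU: contextEngineID, contextName, data
        _ctx_engine, _ctx_name, pdu = _items(scoped_pdu[1])
        header["is_trap"] = pdu[0] == TRAP_PDU_TAG
    return header


def matches_onboarding(header, onboarded_username):
    """The article's rule: FortiNAC-F only acts on a trap whose USM user is the onboarding user."""
    return header["security_model"] == USM_SECURITY_MODEL and header["username"] == onboarded_username


if __name__ == "__main__":
    trap = encode_trap("fortinac")
    header = decode_header(trap)
    print(f"{len(trap)} bytes:", trap.hex())
    print(header)
    print("accepted for user 'fortinac':", matches_onboarding(header, "fortinac"))
```

With the no-auth-no-priv command, msgFlags is 0x00 and the user name and trap PDU are readable in the clear, which is what makes spoofing them trivial. With the auth-priv variant, msgFlags is 0x03, the scoped PDU is an OCTET STRING of ciphertext and is_trap stays None; only the user name remains visible, and FortiNAC-F has to verify the authentication parameters before it can trust the event.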
The custom command can be modified to include authentication and privacy protocols and credentials. Because auth-priv is the default security level, set security-level is not needed in this variant; the protocols and passwords must match the SNMPv3 credential FortiNAC-F holds for the FortiGate, and the same username rule as above applies. Prefer this variant in production: unauthenticated traps can be forged by any host able to send UDP/162 to the FortiNAC-F with a spoofed FortiSwitch source address, injecting false MAC connect and disconnect events. Choose a SHA-based authentication protocol and AES privacy where both sides support them.

config switch-controller custom-command
    edit <custom-command-name>
        set command "config system snmp sysinfo %0a set status enable %0a end %0a config system snmp user %0a edit <snmp-username> %0a set events l2mac %0a set notify-hosts <fortinac-address-or-range> %0a set auth-proto <auth-protocol> %0a set auth-pwd <auth-password> %0a set priv-proto <priv-protocol> %0a set priv-pwd <priv-password> %0a next %0a end %0a config switch interface %0a edit port1 %0a set log-mac-event enable %0a next %0a end"
    next
end
Verify that the custom command was successfully applied from the FortiGate to the FortiSwitch.
Verify that SNMP MAC Notification Traps are successfully received when connecting and disconnecting the endpoint device by sniffing the traffic.
Copyright 2024 Fortinet, Inc. All Rights Reserved.