Question

OneFabric Connect updates VM's IP addresses to Null in ExtremeConnect

  • 2 August 2019

Userlevel 4
Hi guys,

I'm working on a lab using ExtremeConnect with vCenter and ExtremeControl.

The MAC auth is enabled on the EXOS switch (with XML-notification and IDMgr working fine). When the VM is authenticated, it shows all info correctly (ex: IP Address is resolved and shown) on ExtremeControl ES, but OneFabric is still updating the ES information and resetting the VM IP address to null.

The VMware VMs are correctly auto-added to the Servers NAC ES Group.

In the following example, the 10.xx.xx.252 is the XMC Server and 10.xx.xx.251 is the ExtremeControl Appliance.



I've already tried to mess with the VMWARE module on Connect Configuration.

Any ideas?

Best regards,

-Leo

3 replies

Userlevel 3
Hi Leo,

When you say "I've already tried to mess with the VMWARE module on Connect Configuration.", do you mean you properly configured and enabled that Connect module? Can you set its log level to DEBUG, wait for the next cycle (by default this should occur within a minute or two) and share your server.log?

Thanks
Kurt
Userlevel 4
Hi Kurt,

Let's "start from the end", because I ran some new tests and got it working, but I don't know about the implications of my new config:

Maybe I've found where the issue is triggered: I've set the "EndSystems Events" on the VMWare Module to FALSE and now I don't have any OneFabric event on ExtremeControl setting the VM IP address to Null after the Control event resolving the IP address! Working like a charm!

What do you think about it? What functions should I lose if I keep the ES Events disabled on this module?

Below is a link to 2 server logs with the ES EVENTS set to TRUE and FALSE: ESEVENT-TRUE-server.log and ESEVENT-FALSE-server.log:

Download Server Logs Here

Now let's get back to the settings BEFORE the latest test described above (just to not lose what I've already written prior to the test):

In the VMWARE module I've included some info, which is correctly updated on the VM notes field on vCenter and on the Custom1 field on Control, but no luck.

Attached are some screenshots of my config. Trying to make it work (show the VMs' IP address on Control) I've "messed" with the following attributes (with no luck, but the Custom1 field on Control and Notes on VMware got updated). All other settings were left at the default values:

code:
"Module Enabled" = "True"
"Default EndSyste group" = "Servers"
"Use network name as endsystem group" = "False"
"EndSystem Events" = "True" (I think here the issue lies...)
"Policy Domain" = "SecureIT"
"Hypervisor Import" = "True"
"Enable import of Management MACs" = "True"
"Format of the Incoming Data" = "vmName=#cfg_name#;vmGuestFullName=#cfg_guestFullName#;vmUuid=#cfg_uuid#;vmIpAddress=#info_ipAddress#"
"Outgoing format data" = "[#IpAddress#] [#MacAddress#] connects to [#SwitchIP#:#InterfaceName#] with [#Policy#] for [#Reason#] of [#NacProfileName#]"
"Custom attributes data format" = "NMS-SwitchAndPort=[#SwitchIP#]:[#InterfaceName#] NMS-Policy=[#Policy#] NMS-NacProfile=[#NacProfileName#] IpAddress=[#vmIpAddress#]" (also tried NMS-IpAddress)


I've noticed that in the Connect EndSystems tab, the Control Module shows the MAC and IP Addresses of ALL VMs, but the VMWARE Module only shows the MACs:



Best regards,

-Leo
Userlevel 3
Hi Leo,

I see you have solved your problem yourself - nice work!

Some background on the issue you have seen: as long as you have the ES Events feature disabled, the VMWare module will only update the end-system's IP in NAC if it has that info. If not (this is the case for you) it will simply leave it up to Extreme Control to set the IP. And Extreme Control learns the IP based on the MAC authentication and IP resolution from your data center access switch (I assume it is polling it from the switch via SNMP).

But, as soon as you enable the ES Events feature, the VMWare module will try to update a bunch of fields on that end-system (including its IP) with whatever values it knows about. In your case, the VMWare module doesn't have an end-system IP so it sets it to null. This is basically overwriting the data that NAC retrieved from the switch.

The main reason for using the ES Events feature is for cases where you cannot / don't want to enable MAC auth on your DC switches but still want to see your VMs in NAC. This will generate end-systems in your NAC ES list without the need for any RADIUS authentication from those VMs.

Kurt
