3.1.10.2.27. snmpQuarantine
The snmpQuarantine plugin, combined with a correct switch configuration (enabled on every port that will be used with the plugin), allows OpenNAC to communicate with the switch via SNMP and quarantine the port to which the quarantined user is connected. A tag is added to the user device indicating the switch and port that have been quarantined (SQP_<SWITCH>_<PORT>), and another tag is added to the network device indicating the port that has been quarantined, the MAC that triggered the quarantine and its original VLAN (SQP_<MACADDRESS>_<PORT>_<VLAN>).

The switch must have the general SNMP configuration, and each port to be used with the plugin must be configured for SNMP and assigned the correct access VLAN. In this example, port 2 is used with VLAN 100, and the switch is a Cisco 2960.
configure terminal
! Global SNMP configuration: communities, traps and the trap receiver
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 10.10.36.254 version 2c public
! Per-port configuration: access VLAN and MAC notification traps
interface FastEthernet0/2
switchport access vlan 100
snmp trap mac-notification change added
snmp trap mac-notification change removed
! "exit" returns to global configuration mode, where the next command must be entered
exit
mac-address-table notification
end
The global configuration can also be done in ON CMDB -> Network Devices in the Disconnection settings module.
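The configuration above uses the communities public and private, and the RW community is what allows a port's VLAN to be changed over SNMP. The following is an added example, not part of the original documentation, showing the same SNMPv2c setup with both communities restricted to a single source address. It assumes OpenNAC sends its SNMP requests from 10.10.36.254 (the trap host above); <RO_COMMUNITY> and <RW_COMMUNITY> are placeholders, and the same strings must also be set on the OpenNAC side.

```cisco
! Added example (constructed): <RO_COMMUNITY> and <RW_COMMUNITY> are placeholders.
configure terminal
! Standard ACL 10: accept SNMP only from the OpenNAC server
! (assumed here to be 10.10.36.254) and log everything else.
access-list 10 permit 10.10.36.254
access-list 10 deny any log
! Remove the trap receiver entry and the communities that use the well-known strings.
no snmp-server host 10.10.36.254 version 2c public
no snmp-server community public
no snmp-server community private
! Re-create both communities with non-guessable strings, each bound to ACL 10.
snmp-server community <RO_COMMUNITY> RO 10
snmp-server community <RW_COMMUNITY> RW 10
! Re-create the trap receiver with the new read-only community.
snmp-server host 10.10.36.254 version 2c <RO_COMMUNITY>
end
! Check the result.
show running-config | include snmp-server community
show access-lists 10
```

The match counters shown by show access-lists 10 indicate whether any other host has been trying to use SNMP against the switch.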
To execute this plugin, we need to configure a Quarantine policy in ON NAC -> Policies:

In the Precondition: User Devices we will put the devices where we want to execute the plugin. We can also use another precondition depending on the use case. Then we need to configure the Quarantine VLAN and the snmpQuarantine plugin in Postconditions.
To quarantine a device manually we need to go to ON NAC -> Business profiles and press the Quarantine option for the user or network device we want.

If a user device is in quarantine it will have the SQP_<SWITCH>_<PORT> tag, SQP_<SWITCH>_02 in this case, and if a network device is in quarantine it will have the SQP_<SWITCH>_<PORT>_<VLAN> tag, SQP_<SWITCH>_02_100 in this case.