3.1.10.2.27. snmpQuarantine

The snmpQuarantine plugin, combined with a correct switch configuration (SNMP enabled on every port that will be used with the plugin), lets OpenNAC talk to the switch over SNMP and quarantine the port to which the quarantined user is connected. A tag is added to the user device indicating the switch and port that have been quarantined (SQP_<SWITCH>_<PORT>), and another to the network device indicating the quarantined port, the MAC that triggered the quarantine and its original VLAN (SQP_<MACADDRESS>_<PORT>_<VLAN>).

../../../../_images/snmpquarantine.png


3.1.10.2.27.1. Switch configuration

To use the snmpQuarantine plugin, ensure that the switch is properly configured with general SNMP settings. Additionally, each port intended for use with the plugin must be configured to support SNMP and assigned the correct VLAN.

In this example, port 2 on a Cisco 2960 switch will be configured to use VLAN 100:

configure terminal
  snmp-server community public RO
  snmp-server community private RW
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps mac-notification change move threshold
  snmp-server host 10.10.36.254 version 2c public
  interface FastEthernet0/2
    switchport access vlan 100
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
  exit
  ! back in global configuration mode; mac-address-table notification is a global command
  mac-address-table notification
end

The global configuration for SNMP Quarantine can also be managed within the ON CMDB > Network Devices section under the Disconnection settings module.

../../../../_images/networkdevices_disconnectionsettings.png


3.1.10.2.27.2. Quarantine Policy

To ensure the plugin functions correctly, it is essential to configure a Quarantine Policy in the ON NAC > Policies section. The policy should be structured as follows:

../../../../_images/snmpquarantine2.png


  • Precondition: User Devices: Specify the devices where you want to execute the plugin. You can also use other preconditions depending on the use case.

  • Postconditions: Configure the Quarantine VLAN and the snmpQuarantine plugin.

To manually quarantine a device, navigate to ON NAC > Business profiles and select the Quarantine option for the user or network device you wish to quarantine.

../../../../_images/snmpquarantine3.png


3.1.10.2.27.3. SNMP Quarantine Tag

The plugin will assign the SQP (SNMP QUARANTINE PLUGIN) tag to devices put in quarantine.

  • If a user device is in quarantine, it will have the SQP_<SWITCH>_<PORT> tag (e.g., SQP_<SWITCH>_02 in this case).

  • If a network device is in quarantine, it will have the SQP_<SWITCH>_<PORT>_<VLAN> tag (e.g., SQP_<SWITCH>_02_100 in this case).
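The following Python script is an added example (it is not OpenNAC's own code) that simulates the quarantine flow described in the introduction and the tagging scheme described in this section: read the port's current access VLAN over SNMP, SET it to the quarantine VLAN, tag the user device with SQP_<SWITCH>_<PORT> and the network device with a tag that keeps the original VLAN, and on release parse that tag to restore the VLAN. The network-device tag follows the SQP_<MACADDRESS>_<PORT>_<VLAN> form given in the introduction (this section shows the SQP_<SWITCH>_<PORT>_<VLAN> variant), because the MAC is what lets release find the right tag. Assumptions: the VLAN is written through CISCO-VLAN-MEMBERSHIP-MIB::vmVlan (OID 1.3.6.1.4.1.9.9.68.1.2.2.1.2.<ifIndex>), the ifIndex of the port is supplied by the caller, and the SNMP agent is an in-memory stand-in (FakeSwitch) so the script runs offline; the community strings and VLAN numbers are constructed sample values.

```python
"""Simulation of the snmpQuarantine flow (added example, not OpenNAC code).

The SNMP transport is injected, so FakeSwitch below can stand in for a real
agent and the whole flow runs offline.
"""

# Assumed OID: CISCO-VLAN-MEMBERSHIP-MIB::vmVlan (access VLAN), indexed by ifIndex.
VM_VLAN_OID = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"


class FakeSwitch:
    """Constructed stand-in for a switch SNMP agent: one access VLAN per ifIndex."""

    def __init__(self, vlan_by_ifindex, ro_community, rw_community):
        self.vlans = dict(vlan_by_ifindex)
        self.ro_community = ro_community
        self.rw_community = rw_community

    def get(self, community, oid):
        if community not in (self.ro_community, self.rw_community):
            raise PermissionError("SNMP GET rejected: unknown community")
        return self.vlans[_ifindex(oid)]

    def set(self, community, oid, value):
        # Only the RW community may change the port VLAN ("snmp-server community ... RW").
        if community != self.rw_community:
            raise PermissionError("SNMP SET rejected: community is not RW")
        self.vlans[_ifindex(oid)] = int(value)


def _ifindex(oid):
    """Extract the ifIndex suffix from <VM_VLAN_OID>.<ifIndex>."""
    return int(oid.rsplit(".", 1)[1])


def user_device_tag(switch, port):
    """SQP_<SWITCH>_<PORT>, port zero-padded as in the SQP_<SWITCH>_02 example."""
    return f"SQP_{switch}_{port:02d}"


def network_device_tag(mac, port, vlan):
    """SQP_<MACADDRESS>_<PORT>_<VLAN>; the VLAN recorded is the port's original one."""
    return f"SQP_{mac}_{port:02d}_{vlan}"


def parse_network_device_tag(tag):
    """Return (mac, port, original_vlan) from a SQP_<MACADDRESS>_<PORT>_<VLAN> tag."""
    head, port, vlan = tag.rsplit("_", 2)  # the MAC contains ':' but no '_'
    if not head.startswith("SQP_"):
        raise ValueError(f"not a quarantine tag: {tag}")
    return head[len("SQP_"):], int(port), int(vlan)


class SnmpQuarantine:
    """Moves a port to the quarantine VLAN and keeps the tags needed to undo it."""

    def __init__(self, snmp, switch_name, rw_community, quarantine_vlan):
        self.snmp = snmp
        self.switch = switch_name
        self.rw = rw_community
        self.quarantine_vlan = quarantine_vlan
        self.user_tags = {}        # mac -> tag placed on the user device
        self.network_tags = set()  # tags placed on this network device

    def quarantine(self, mac, port, ifindex):
        oid = f"{VM_VLAN_OID}.{ifindex}"
        original_vlan = self.snmp.get(self.rw, oid)
        if original_vlan == self.quarantine_vlan:
            # Port is already quarantined: keep the recorded original VLAN untouched.
            raise RuntimeError(f"port {port} is already in the quarantine VLAN")
        self.snmp.set(self.rw, oid, self.quarantine_vlan)
        utag = user_device_tag(self.switch, port)
        ntag = network_device_tag(mac, port, original_vlan)
        self.user_tags[mac] = utag
        self.network_tags.add(ntag)
        return utag, ntag

    def release(self, mac, ifindex):
        """Restore the VLAN recorded in the network-device tag and drop both tags."""
        for tag in list(self.network_tags):
            tag_mac, port, original_vlan = parse_network_device_tag(tag)
            if tag_mac != mac:
                continue
            self.snmp.set(self.rw, f"{VM_VLAN_OID}.{ifindex}", original_vlan)
            self.network_tags.discard(tag)
            self.user_tags.pop(mac, None)
            return original_vlan
        raise LookupError(f"no quarantine tag recorded for {mac}")


if __name__ == "__main__":
    # Constructed scenario: FastEthernet0/2 (ifIndex 2 here) starts in VLAN 100.
    switch = FakeSwitch({2: 100}, ro_community="public", rw_community="private")
    plugin = SnmpQuarantine(switch, "SW1", "private", quarantine_vlan=999)
    print(plugin.quarantine("00:11:22:33:44:55", port=2, ifindex=2), switch.vlans[2])
    print(plugin.release("00:11:22:33:44:55", ifindex=2), switch.vlans[2])
```

Two points the simulation makes visible: the original VLAN survives only inside the network-device tag, so removing that tag by hand leaves the port stranded in the quarantine VLAN; and the VLAN change requires the RW community, which is why the switch configuration needs both the RO and the RW community strings.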