Developers guide
Chapter 11
Copyright © 2008-2013 Inverse inc.
Technical introduction to VLAN enforcement
MAC notification traps
If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate
them in addition to the linkUp/linkDown traps. Without them, pfsetvlan has to keep querying the switch
after every linkUp trap until the MAC address has finally been learned. When it receives a linkUp trap
for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC
detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it
sends a MAC learnt trap (containing the MAC address) to PacketFence, which assigns the final VLAN from it.
Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the switch
port and allows only that MAC address to communicate on that port. If any other MAC address tries to
communicate through the port, port security blocks it and sends a port-security trap.
If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/
or MAC notification traps. Why? Because as long as the authorized MAC address is the only one connected
to a port, the switch sends no trap at all when the device reboots, unplugs or plugs back in. This drastically
reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should enable neither linkUp/linkDown nor MAC notification traps,
otherwise PacketFence would react to the same event twice.
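To make the three trap strategies above (linkUp/linkDown only, linkUp/linkDown plus MAC notification, port security) concrete, here is an added illustration that is not pfsetvlan's code: a small model of the traps a switch emits in each mode, the handler reaction the page describes for each trap, and the number of SNMP operations that reaction costs over a constructed event sequence (connect, two reboots, disconnect, reconnect). The VLAN numbers, the MAC/VLAN "database", the event list and the number of polls needed before a MAC shows up in linkUp-only mode are all assumptions of this example.

```python
"""Trap-handling policy for port-based VLAN enforcement (added illustration,
not PacketFence's pfsetvlan code). Models the traps a switch emits in each
of the three modes discussed on this page, how a trap handler reacts, and
how many SNMP operations each reaction costs. All numbers are assumptions."""
from enum import Enum

MAC_DETECTION_VLAN = 4                       # assumed VLAN used while the MAC is unknown
ASSIGNED_VLAN = {"00:11:22:33:44:55": 20}    # constructed "node database": MAC -> VLAN
POLLS_UNTIL_MAC_LEARNED = 3                  # assumption: gets needed in linkUp-only mode


class Mode(Enum):
    LINK_ONLY = "linkUp/linkDown"
    LINK_AND_MAC_NOTIFY = "linkUp/linkDown + MAC notification"
    PORT_SECURITY = "port-security"


class Switch:
    """Minimal switch model: per-port VLAN, port-security authorized MAC, op counter."""

    def __init__(self, mode):
        self.mode = mode
        self.vlan = {}          # port -> VLAN currently configured by the handler
        self.authorized = {}    # port -> MAC allowed by port security
        self.connected = {}     # port -> MAC physically present (what polling would find)
        self.ops = 0            # SNMP gets + sets the handler has issued

    def apply(self, event, port, mac):
        """Apply a physical event and return the traps this mode emits for it."""
        self.connected[port] = None if event == "disconnect" else mac
        if self.mode is Mode.PORT_SECURITY:
            # An authorized MAC that is alone on the port never causes a trap,
            # whether the device reboots, unplugs or plugs back in.
            if event in ("connect", "reboot") and self.authorized.get(port) != mac:
                return [("portSecurityViolation", port, mac)]
            return []
        traps = []
        if event in ("disconnect", "reboot"):
            traps.append(("linkDown", port, None))
            if self.mode is Mode.LINK_AND_MAC_NOTIFY:
                traps.append(("macRemoved", port, mac))
        if event in ("connect", "reboot"):
            traps.append(("linkUp", port, None))
            if self.mode is Mode.LINK_AND_MAC_NOTIFY:
                traps.append(("macLearnt", port, mac))
        return traps

    # SNMP operations the handler pays for
    def set_vlan(self, port, vlan):
        self.ops += 1
        self.vlan[port] = vlan

    def authorize(self, port, mac):
        self.ops += 1
        self.authorized[port] = mac

    def poll_for_mac(self, port):
        """linkUp-only mode: keep reading the MAC table until the MAC is learned."""
        self.ops += POLLS_UNTIL_MAC_LEARNED
        return self.connected[port]


def handle_trap(switch, trap):
    """React to one trap the way the page describes; return what was done."""
    kind, port, mac = trap
    if kind == "linkUp":
        if switch.mode is Mode.LINK_AND_MAC_NOTIFY:
            switch.set_vlan(port, MAC_DETECTION_VLAN)   # one set, then free the thread
            return "freed: waiting for macLearnt"
        mac = switch.poll_for_mac(port)                 # block on the switch instead
        switch.set_vlan(port, ASSIGNED_VLAN.get(mac, MAC_DETECTION_VLAN))
        return "assigned after polling"
    if kind == "macLearnt":
        switch.set_vlan(port, ASSIGNED_VLAN.get(mac, MAC_DETECTION_VLAN))
        return "assigned from trap"
    if kind == "portSecurityViolation":
        switch.set_vlan(port, ASSIGNED_VLAN.get(mac, MAC_DETECTION_VLAN))
        switch.authorize(port, mac)                     # from now on this MAC is silent
        return "assigned and authorized"
    return "ignored"                                    # linkDown, macRemoved


def simulate(mode, events):
    """Run an event sequence; return (SNMP ops, [(trap kind, action)], final VLANs)."""
    switch = Switch(mode)
    log = []
    for event, port, mac in events:
        for trap in switch.apply(event, port, mac):
            log.append((trap[0], handle_trap(switch, trap)))
    return switch.ops, log, dict(switch.vlan)


EVENTS = [  # constructed: one laptop on port 7 connects, reboots twice, leaves, returns
    ("connect", 7, "00:11:22:33:44:55"),
    ("reboot", 7, "00:11:22:33:44:55"),
    ("reboot", 7, "00:11:22:33:44:55"),
    ("disconnect", 7, "00:11:22:33:44:55"),
    ("connect", 7, "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for mode in Mode:
        ops, log, vlans = simulate(mode, EVENTS)
        print(f"{mode.value:42s} traps: {len(log):2d}  SNMP ops: {ops:2d}  vlans: {vlans}")
```

Under these assumptions the same sequence costs 16 SNMP operations in linkUp/linkDown-only mode, 8 with MAC notification traps added, and 2 with port security, where only the very first connection produces a trap; in every mode the port still ends up in VLAN 20. The model deliberately ignores what a real deployment does on linkDown, so treat the absolute numbers as a comparison, not a measurement.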