When a host is on the network, FortiNAC needs to know that the host has connected or disconnected and what that host's IP address and MAC address are.
FortiNAC can learn this information in several ways including:
Link up/link down traps sent by the switch
MAC learned traps sent by the switch with the MAC address
Polling network devices
See SNMP trap support for a list of currently supported traps.
If a device on the network supports link up and link down traps, you should enable this feature and configure the device to send traps to the IP address of the FortiNAC Server or FortiNAC Control Server. As soon as the device is modeled in FortiNAC, FortiNAC listens for traps from that device. When FortiNAC receives a Linkup trap, it polls the switch to read the available host information. If FortiNAC does not receive information from the device after the first poll, it retries up to seven times.
Polling triggered by traps is configured from System > Settings > Network Device. The Minimum Trap Period (Sec) field controls the number of seconds FortiNAC waits after receiving a linkup trap before reading the forwarding table from the switch associated with the trap. The default is 10 seconds. The Max Number of Trap Periods field controls the number of periods FortiNAC waits before reading the forwarding table on the switch. The default setting for this field is 4. The number of retries is not configurable. See Network device.
If you use link up traps, the process for learning that the host is connected and its MAC address and IP address is as follows:
- A host connects to a switch.
- The switch sends a link up trap to FortiNAC.
- Assuming that the Minimum Trap Period is set to 10 seconds and the Max Number of Periods is set to 4, then FortiNAC waits 40 seconds to read the forwarding table on the switch.
- If the host's MAC address is not returned, FortiNAC waits another 40 seconds and reads the forwarding table on the switch again. FortiNAC repeats this process up to seven times until it retrieves the host data.
- If after seven retries the host data is not retrieved, FortiNAC does not try any more until the next scheduled poll for the device.
It is possible for a trap to be sent from the device and not be received by FortiNAC. Therefore, in addition to traps it is important to configure polling intervals in FortiNAC for each of your devices. Configuring polling is particularly important for wireless devices because it is the method used to determine that a host has disconnected from the wireless device. See L2 polling and L3 polling.
MAC Learned or MAC Notification Traps are traps that send host information when the host connects or disconnects alleviating the need for FortiNAC to poll. These traps are only supported on some devices, such as Cisco switches. If MAC Notification traps are available and supported by FortiNAC for the device, it is beneficial to enable them and reduce network traffic created by frequent polling. To use MAC Notification Traps they must be enabled on the device and configured to be sent to the IP address of the FortiNAC Server or Control Server and the device must be modeled in FortiNAC.
If you enable MAC Notification or MAC Learned traps on a device, you should disable Link Up and Link Down traps. They are redundant, cause additional traffic and prevent the MAC Learned event messages from being generated on FortiNAC.
If MAC Notification traps configured on Cisco devices are not being processed, verify the following:The SNMP user credentials entered in FortiNAC are for a User who is a member of a SNMP Group on the device. That the SNMP Group is configured with the contexts the group needs to access. Below is an example from a running configuration on a Cisco device:
snmp-server group testv3 v3 auth write view2
snmp-server group testv3 v3 auth context vlan-35
snmp-server group testv3 v3 auth context vlan-85
FortiNAC has a built in polling mechanism that compensates for missed traps or devices that are not configured to send traps by reading tables on network devices and retrieving host information. There are two types of polling used to gather host information:
- Layer 2 (L2) polling - FortiNAC reads the network device's MAC address table. This provides FortiNAC with the host's MAC address, switch and port location on the network.
- Layer 3 (L3) polling - Applies to Layer 3 network devices only. FortiNAC reads the network device's ARP table. This provides FortiNAC with the IP address that corresponds to the host's MAC address.
Polling information is stored for each device individually including: Enable/Disable Polling, Polling Interval, Last Successful Poll Time and Last Attempted Poll Time. For L3 devices Polling Priority is also stored.
Using the polling interval and the Last Successful Poll information stored for the device, FortiNAC polls devices individually. For example if device A has a polling interval of 15 minutes and a Last Successful Poll time of 10:15, then the next poll happens at 10:30 regardless of when other devices are being polled. The Last Successful Poll Time is updated any time the device is read, including using the Poll Now option or when a trap triggers FortiNAC to read the device. Updating Last Successful Poll Time for each contact with the device prevents unnecessary polling.
The Polling interval on devices is set initially based on device media type (wired or wireless). When network devices are discovered, they are analyzed and placed in groups. L2 devices are automatically placed in either the L2 Wired Devices or L2 Wireless groups. The default polling interval is 10 minutes for wireless devices and one hour for wired devices. Polling on wireless devices is more frequent because it is the only method for determining that a host has disconnected from the wireless device.
A default L3 (IP --> MAC ) group is created by FortiNAC. During discovery this group is not automatically populated. You must add your L3 devices to this group.