Question about ISE Profiling with Device Sensor

ccole — Mon, 16 Dec 2019 14:57:29 GMT

Hello, I have been looking for confirmation for the following questions.

Background:

Medium ISE deployment

Large number of non 802.1X devices, need to have profiling to classify them.

Switching is a mix of Cat 3750,3850,45xx, (15.X/3.X) a few of the newer Cat 9x (16.X)

DHCP Snooping with Database Agent for DHCP Device Sensor

Is it still common practice to have the Database Agent also configured?

Why I ask is in the all of the configuration examples I have found that have ip dhcp snooping, none have any reference to also having the Database agent configured in case of switch reboot.

Reading over the version documentation (3.x)

To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.

Only dhcp snooping will be enabled only for Device Sensor so my interpretation is that I don't need the database agent, so if the switch were to reboot the clients will not loss connectivity.

Is that correct?

Thanks in advance

Re: Question about ISE Profiling with Device Sensor

Colby LeMaire — Mon, 16 Dec 2019 15:52:33 GMT

That is correct. In fact, if you are only using DHCP Snooping for DHCP profiling, then you can use the following command:

"ip dhcp snooping glean"

That command will basically use DHCP Snooping only for learning the bindings but will not try to enforce any DHCP Snooping violations.

topic Re: Question about ISE Profiling with Device Sensor in Network Access Control

Question about ISE Profiling with Device Sensor

Re: Question about ISE Profiling with Device Sensor