topic Re: Device Sensor Filter Lists and MUD Profling in Network Access Control

Device Sensor Filter Lists and MUD Profling

Damien Miller — Thu, 27 Jun 2019 18:39:40 GMT

I was looking to play with MUD using some existing switches already configured for ISE. So being as new as it is, that meant going to the RFC. https://tools.ietf.org/id/draft-ietf-opsawg-mud-09.html

It looks like we cannot use device sensor filter lists if we also want to use MUD. I've seen some pretty ugly issues when device sensor filter lists are missing, and I always thought it was best practice to use them. The RFC indicates that that TLV 127 (vendor specific) is what the MUD URL is sent with, seems like that might have been a bad number?

IOS-XE 16.6.6

3850(config)#device-sensor filter-list lldp list lldp-list
3850(config-sensor-lldplist)#tlv name system-description
3850(config-sensor-lldplist)#tlv number 127
LLDP tlv 127 is hard filtered, hence cannot be configured.

What would be the best way to address this so we can leverage it once moving to 2.6?

Re: Device Sensor Filter Lists and MUD Profling

hslai — Sat, 29 Jun 2019 20:19:57 GMT

The beta test plan shows IOS-XE 16.9.1 FCS2 used. Please try that while I am checking with the SMEs.

Re: Device Sensor Filter Lists and MUD Profling

Damien Miller — Sat, 29 Jun 2019 22:31:39 GMT

At least with 16.9.3a the results are the same. I could test again on 16.9.1, but I suspect this configuration will be identical.

Just to clarify too, I'm only testing configuration at this point. I am making the assumption that if I cannot add "tlv number 127" to my LLDP filter list, then the switch will not forward it. I suspect it works fine if we don't enable device sensor filtering, but that goes against what we would want since device sensor can be very spammy without it.

Re: Device Sensor Filter Lists and MUD Profling

hslai — Sun, 30 Jun 2019 02:03:18 GMT

Even though the test plan not adding this tlv number 127 to the LLDP filter-list, the expected result shows it. So...

3850(config)#device-sensor filter-list lldp list lldp-list
3850(config-sensor-lldplist)#tlv name system-description
3850(config-sensor-lldplist)#tlv number 127
LLDP tlv 127 is hard filtered, hence cannot be configured.

most likely means it's always available in the filter.

Re: Device Sensor Filter Lists and MUD Profling

hslai — Fri, 05 Jul 2019 22:04:23 GMT

I got a confirmation that 127 is always there in the LLDP filter list and not configurable.

Re: Device Sensor Filter Lists and MUD Profling

Damien Miller — Sun, 07 Jul 2019 05:50:18 GMT

Just to confirm then, tlv 127 will always be sent to ISE even if we don't have it explicitly configured? I find it a bit confusing because the filter lists are reversed since we are telling it what to include, and it comes up with the message of "hard filtered".

Thanks for clarifying and looking in to it.

Re: Device Sensor Filter Lists and MUD Profling

hslai — Sun, 07 Jul 2019 23:28:49 GMT

Yes, that is the case. Below is the LLDP filter list used in the test plan:

device-sensor filter-list lldp list lldp-list
 tlv name end-of-lldpdu
 tlv name chassis-id
 tlv name port-id
 tlv name time-to-live
 tlv name port-description
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address

Re: Device Sensor Filter Lists and MUD Profling

Damien Miller — Mon, 08 Jul 2019 00:50:19 GMT

Thanks for looking in to this.