Solved: Re: Device Sensor Filter Lists and MUD Profling

Damien Miller · ‎06-27-2019

I was looking to play with MUD using some existing switches already configured for ISE. So being as new as it is, that meant going to the RFC. https://tools.ietf.org/id/draft-ietf-opsawg-mud-09.html

It looks like we cannot use device sensor filter lists if we also want to use MUD. I've seen some pretty ugly issues when device sensor filter lists are missing, and I always thought it was best practice to use them. The RFC indicates that that TLV 127 (vendor specific) is what the MUD URL is sent with, seems like that might have been a bad number?

IOS-XE 16.6.6

3850(config)#device-sensor filter-list lldp list lldp-list
3850(config-sensor-lldplist)#tlv name system-description
3850(config-sensor-lldplist)#tlv number 127
LLDP tlv 127 is hard filtered, hence cannot be configured.

What would be the best way to address this so we can leverage it once moving to 2.6?

hslai · ‎07-05-2019

I got a confirmation that 127 is always there in the LLDP filter list and not configurable.

View solution in original post

hslai · ‎06-29-2019

The beta test plan shows IOS-XE 16.9.1 FCS2 used. Please try that while I am checking with the SMEs.

Damien Miller · ‎06-29-2019

At least with 16.9.3a the results are the same. I could test again on 16.9.1, but I suspect this configuration will be identical.

Just to clarify too, I'm only testing configuration at this point. I am making the assumption that if I cannot add "tlv number 127" to my LLDP filter list, then the switch will not forward it. I suspect it works fine if we don't enable device sensor filtering, but that goes against what we would want since device sensor can be very spammy without it.

hslai · ‎06-29-2019

Even though the test plan not adding this tlv number 127 to the LLDP filter-list, the expected result shows it. So...

3850(config)#device-sensor filter-list lldp list lldp-list
3850(config-sensor-lldplist)#tlv name system-description
3850(config-sensor-lldplist)#tlv number 127
LLDP tlv 127 is hard filtered, hence cannot be configured.

most likely means it's always available in the filter.

hslai · ‎07-05-2019

I got a confirmation that 127 is always there in the LLDP filter list and not configurable.

Damien Miller · ‎07-06-2019

Just to confirm then, tlv 127 will always be sent to ISE even if we don't have it explicitly configured? I find it a bit confusing because the filter lists are reversed since we are telling it what to include, and it comes up with the message of "hard filtered".

Thanks for clarifying and looking in to it.

hslai · ‎07-07-2019

Yes, that is the case. Below is the LLDP filter list used in the test plan:

device-sensor filter-list lldp list lldp-list
 tlv name end-of-lldpdu
 tlv name chassis-id
 tlv name port-id
 tlv name time-to-live
 tlv name port-description
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address

Damien Miller · ‎07-07-2019

Thanks for looking in to this.