CDP and LLDP config on NADs troubleshooting

Da ICS16
Level 1

Dear Community,

Some of our MAB profiling relies on the CDP/LLDP protocols.

On the NADs, LLDP is configured to get the attributes from endpoints.

If we disable the current LLDP, is there any impact on MAB profiling?

Is there any other probe we could reconfigure instead?

Thanks for your comments and support.

Note: Cisco 9200 switches, multiple kinds of printer models, IP phone models, etc.

Thanks,

2 Replies

@Da ICS16 are you using device sensor on the 9200 switches? This will gather the LLDP, CDP and DHCP information and forward it to ISE to be used for profiling the connected endpoints. If you disable LLDP then the switch won't gather that information and ISE won't learn it either, and will therefore not have all the information needed to profile the endpoints.

Refer to the device sensor section of the ISE guide: https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

I would leave lldp enabled and configure device sensor as per the guide.

Arne Bier
VIP

Sounds like you're being asked to disable LLDP (possibly because of security concerns)? I have seen customers disable LLDP and CDP on their intranet, and I think it's a shame when that happens. CDP and LLDP on the inside of the network are a great assistance in so many ways. But if you must disable it, then the next best thing to help your profiling is DHCP. Device Sensor (or ip helper) can get that client data to ISE, and printers and phones have a decent enough DHCP client that will supply reliable and detailed data to make profiling accurate. I often see engineers using static IPs instead of DHCP (for various reasons ... laziness ... unfounded fears ... etc.) - but endpoint devices using static IPs is another blocker for easy profiling.
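As an added example (not taken from either reply or from the linked guide), here is an IOS-XE device-sensor configuration for a Catalyst 9200 that forwards LLDP, CDP and DHCP attributes to ISE in RADIUS accounting; it assumes AAA and the ISE RADIUS server group are already in place, and the filter-list names are arbitrary.

```cisco
! Added example (not from the thread or the linked guide): IOS-XE device-sensor
! configuration for a Catalyst 9200 that forwards LLDP, CDP and DHCP attributes
! to ISE in RADIUS accounting. Assumes AAA and the ISE RADIUS server group are
! already configured; the filter-list names are arbitrary.
!
! LLDP TLVs useful for profiling (only produce data while LLDP stays enabled)
device-sensor filter-list lldp list LLDP-PROFILING
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
! CDP TLVs (IP phones and other Cisco devices)
device-sensor filter-list cdp list CDP-PROFILING
 tlv name device-name
 tlv name platform-type
 tlv name capabilities-type
!
! DHCP options: the fallback source of profiling data if LLDP/CDP are disabled
device-sensor filter-list dhcp list DHCP-PROFILING
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-spec lldp include list LLDP-PROFILING
device-sensor filter-spec cdp include list CDP-PROFILING
device-sensor filter-spec dhcp include list DHCP-PROFILING
!
! Send the collected attributes to ISE in accounting, and again on every change
device-sensor accounting
device-sensor notify all-changes
radius-server vsa send accounting
!
! Verify what the sensor has learned for connected endpoints:
! show device-sensor cache all
```

If LLDP is later turned off, the LLDP list simply stops yielding data while the DHCP list keeps supplying hostname, vendor class and parameter request list, which is the DHCP-based profiling the second reply describes.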