CDP and LLDP config on NADs troubleshooting

Da ICS16 · ‎08-08-2024

Dear Community,

There have some MAB profiling are using CDP/LLDP protocol.

On NADs the LLDP is configured to get the attribute from endpoints.

If we disabled the current LLDP, is there any impact with all MAB profiling?

Do we have any possible PROBE to reconfigure instead?

Thanks for your commend and supporting.

Note: Cisco switch 9200, multi kind of printer model, IP phone model..........

Thanks,

Rob Ingram · ‎08-08-2024

@Da ICS16 are you using device sensor on the 9200 switches? This will gather the LLDP and CDP, DHCP information to forward to ISE to be used for profiling the connected endpoints. If you disable LLDP then the switch won't gather that information and ISE won't learn the information either, so will therefore not have all the information to profile the endpoints.

Refer to the device sensor section of the ISE guide - https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

I would leave lldp enabled and configure device sensor as per the guide.

Arne Bier · ‎08-08-2024

Sounds like you're being asked to disable LLDP (possible because of security concerns) ? I have seen customers disable LLDP and CDP on their intranet, and I think it's a shame when that happens. CDP and LLDP on the inside of the network is a great assistance in so many ways. But if you must disable it, then the next best thing to help your profiling is DHCP. Device Sensor (or ip helper) can get that client data to ISE and printers and phones have a decent enough DHCP client that will supply reliable and detailed data to make profiling accurate. I often see engineers using static IPs instead of DHCP (for various reasons ... laziness ... unfounded fears ... etc) - but endpoint devices using static IPs is another blocker for easy profiling.