Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
610
Views
10
Helpful
1
Replies

Cisco ISE MAC based TCP dump Filter.

Go to solution
MD SHAHNAWAZ
Beginner
Beginner

‎02-20-2023 11:05 PM

Hi All,

is there any possibility to setup TCP filter on ISE  using mac address of endpoint, 

because There is only option to use is IP based tcp dump.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rodrigo Diaz
Cisco Employee
Cisco Employee

‎02-21-2023 06:18 AM

hello @ MD SHAHNAWAZ , as per the ISE capabilities , it can be used the IP address or even hostnames during the packet captures the following are examples of expressions you can use from https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_troubleshooting.html#ID785 

  • ip host 10.77.122.123

  • ip host ISE123

  • ip host 10.77.122.123 and not 10.77.122.119

If you want to see specifically interactions from a given mac address , what you can do is to generate an endpoint debug on ISE , this is enabled in the menu Operations>Troubleshoot>Diagnostic Tools> Endpoint debug , please look for more information here https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_maintain_monitor.html?bookSearch=true#concept_8D61FC5FFEEE4902AFFD0EC98621779D 

Let me know if that helped you. 

View solution in original post

1 Reply 1

Go to solution
Rodrigo Diaz
Cisco Employee
Cisco Employee

‎02-21-2023 06:18 AM

hello @ MD SHAHNAWAZ , as per the ISE capabilities , it can be used the IP address or even hostnames during the packet captures the following are examples of expressions you can use from https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_troubleshooting.html#ID785 

  • ip host 10.77.122.123

  • ip host ISE123

  • ip host 10.77.122.123 and not 10.77.122.119

If you want to see specifically interactions from a given mac address , what you can do is to generate an endpoint debug on ISE , this is enabled in the menu Operations>Troubleshoot>Diagnostic Tools> Endpoint debug , please look for more information here https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_maintain_monitor.html?bookSearch=true#concept_8D61FC5FFEEE4902AFFD0EC98621779D 

Let me know if that helped you. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents