cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1429
Views
10
Helpful
1
Replies

Cisco ISE MAC based TCP dump Filter.

MD SHAHNAWAZ
Level 1
Level 1

Hi All,

is there any possibility to setup TCP filter on ISE  using mac address of endpoint, 

because There is only option to use is IP based tcp dump.

1 Accepted Solution

Accepted Solutions

Rodrigo Diaz
Cisco Employee
Cisco Employee

hello @ MD SHAHNAWAZ , as per the ISE capabilities , it can be used the IP address or even hostnames during the packet captures the following are examples of expressions you can use from https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_troubleshooting.html#ID785 

  • ip host 10.77.122.123

  • ip host ISE123

  • ip host 10.77.122.123 and not 10.77.122.119

If you want to see specifically interactions from a given mac address , what you can do is to generate an endpoint debug on ISE , this is enabled in the menu Operations>Troubleshoot>Diagnostic Tools> Endpoint debug , please look for more information here https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_maintain_monitor.html?bookSearch=true#concept_8D61FC5FFEEE4902AFFD0EC98621779D 

Let me know if that helped you. 

View solution in original post

1 Reply 1

Rodrigo Diaz
Cisco Employee
Cisco Employee

hello @ MD SHAHNAWAZ , as per the ISE capabilities , it can be used the IP address or even hostnames during the packet captures the following are examples of expressions you can use from https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_troubleshooting.html#ID785 

  • ip host 10.77.122.123

  • ip host ISE123

  • ip host 10.77.122.123 and not 10.77.122.119

If you want to see specifically interactions from a given mac address , what you can do is to generate an endpoint debug on ISE , this is enabled in the menu Operations>Troubleshoot>Diagnostic Tools> Endpoint debug , please look for more information here https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_maintain_monitor.html?bookSearch=true#concept_8D61FC5FFEEE4902AFFD0EC98621779D 

Let me know if that helped you.