06-27-2019 11:39 AM
I was looking to play with MUD using some existing switches already configured for ISE. So being as new as it is, that meant going to the RFC. https://tools.ietf.org/id/draft-ietf-opsawg-mud-09.html
It looks like we cannot use device sensor filter lists if we also want to use MUD. I've seen some pretty ugly issues when device sensor filter lists are missing, and I always thought it was best practice to use them. The RFC indicates that TLV 127 (vendor specific) is what the MUD URL is sent with; seems like that might have been a bad number?
IOS-XE 16.6.6
3850(config)#device-sensor filter-list lldp list lldp-list
3850(config-sensor-lldplist)#tlv name system-description
3850(config-sensor-lldplist)#tlv number 127
LLDP tlv 127 is hard filtered, hence cannot be configured.
What would be the best way to address this so we can leverage it once moving to 2.6?
06-29-2019 01:06 PM - edited 06-29-2019 01:19 PM
The beta test plan shows IOS-XE 16.9.1 FCS2 used. Please try that while I am checking with the SMEs.
06-29-2019 03:30 PM - edited 06-29-2019 03:31 PM
At least with 16.9.3a the results are the same. I could test again on 16.9.1, but I suspect this configuration will be identical.
Just to clarify too, I'm only testing configuration at this point. I am making the assumption that if I cannot add "tlv number 127" to my LLDP filter list, then the switch will not forward it. I suspect it works fine if we don't enable device sensor filtering, but that goes against what we would want since device sensor can be very spammy without it.
06-29-2019 04:00 PM - edited 06-29-2019 07:03 PM
Even though the test plan does not add this tlv number 127 to the LLDP filter-list, the expected result shows it. So...
3850(config)#device-sensor filter-list lldp list lldp-list
3850(config-sensor-lldplist)#tlv name system-description
3850(config-sensor-lldplist)#tlv number 127
LLDP tlv 127 is hard filtered, hence cannot be configured.
most likely means it's always available in the filter.
07-05-2019 03:04 PM
I got a confirmation that 127 is always there in the LLDP filter list and not configurable.
07-06-2019 10:50 PM
07-07-2019 04:28 PM
Yes, that is the case. Below is the LLDP filter list used in the test plan:
device-sensor filter-list lldp list lldp-list
 tlv name end-of-lldpdu
 tlv name chassis-id
 tlv name port-id
 tlv name time-to-live
 tlv name port-description
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address
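To make concrete why TLV 127 matters for MUD and how it relates to the named TLVs in the filter list above, here is an added example (not from this thread, Cisco, or the MUD specification's reference code) that parses an LLDPDU, maps each TLV type to the IOS-XE filter-list name used for it, and pulls the MUD URL out of an organizationally specific TLV (type 127) that carries the IANA OUI 00-00-5E and subtype 1, which is the encoding the MUD specification (RFC 8520, section 12, the published form of the draft cited in the first post) defines. Type 127 is a container shared by many vendor extensions, so the OUI and subtype, not the type alone, identify a MUD URL. The sample frame, MAC address and URL are constructed for the example; the TLV-name table is assumed to match the names the `device-sensor filter-list lldp` command accepts.

```python
import struct

# LLDP TLV type numbers (IEEE 802.1AB) mapped to the names the IOS-XE
# device-sensor LLDP filter-list uses for them (assumed to match the CLI).
TLV_NAMES = {
    0: "end-of-lldpdu",
    1: "chassis-id",
    2: "port-id",
    3: "time-to-live",
    4: "port-description",
    5: "system-name",
    6: "system-description",
    7: "system-capabilities",
    8: "management-address",
    127: "org-specific",  # organizationally specific; one use is the MUD URL
}

IANA_OUI = b"\x00\x00\x5e"  # OUI the MUD LLDP extension uses (RFC 8520 sec. 12)
MUD_SUBTYPE = 1             # subtype 1 = MUD URL


def parse_lldp_tlvs(lldpdu: bytes):
    """Yield (type, value) for each TLV in an LLDPDU (Ethernet header already removed).

    Each TLV starts with a 16-bit header: 7-bit type, 9-bit length.
    """
    offset = 0
    while offset + 2 <= len(lldpdu):
        header = struct.unpack("!H", lldpdu[offset:offset + 2])[0]
        tlv_type, tlv_len = header >> 9, header & 0x1FF
        value = lldpdu[offset + 2:offset + 2 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV at offset %d" % offset)
        yield tlv_type, value
        offset += 2 + tlv_len
        if tlv_type == 0:  # End of LLDPDU terminates parsing
            break


def filter_list_names(lldpdu: bytes):
    """Return the filter-list names of the TLVs present, in frame order."""
    return [TLV_NAMES.get(t, "tlv-%d" % t) for t, _ in parse_lldp_tlvs(lldpdu)]


def extract_mud_url(lldpdu: bytes):
    """Return the MUD URL from a type-127 TLV with IANA OUI + subtype 1, else None."""
    for tlv_type, value in parse_lldp_tlvs(lldpdu):
        if (tlv_type == 127 and len(value) >= 4
                and value[:3] == IANA_OUI and value[3] == MUD_SUBTYPE):
            return value[4:].decode("ascii")
    return None


def mud_url_is_acceptable(url):
    """RFC 8520 requires the MUD URL to use the https scheme; reject anything else."""
    return url is not None and url.startswith("https://")


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldpdu(mud_url=None) -> bytes:
    """Constructed sample LLDPDU: mandatory TLVs, two optional ones, optional MUD TLV."""
    mac = bytes.fromhex("001122334455")  # constructed MAC address
    tlvs = [
        build_tlv(1, b"\x04" + mac),             # chassis ID, subtype 4 = MAC address
        build_tlv(2, b"\x03" + mac),             # port ID, subtype 3 = MAC address
        build_tlv(3, struct.pack("!H", 120)),    # TTL 120 s
        build_tlv(5, b"example-sensor"),         # system name
        build_tlv(6, b"Example IoT sensor v1"),  # system description
    ]
    if mud_url is not None:
        tlvs.append(build_tlv(127, IANA_OUI + bytes([MUD_SUBTYPE]) + mud_url.encode()))
    tlvs.append(build_tlv(0, b""))
    return b"".join(tlvs)


if __name__ == "__main__":
    pdu = build_sample_lldpdu("https://example.com/mud/sensor.json")
    print("TLVs seen:", filter_list_names(pdu))
    url = extract_mud_url(pdu)
    print("MUD URL:", url, "acceptable:", mud_url_is_acceptable(url))
    print("MUD URL without TLV 127:", extract_mud_url(build_sample_lldpdu()))
```

Running it against a capture from a port where device-sensor is enabled shows directly whether the device advertises a MUD URL at all, and the name list is what you would compare against the filter list to confirm the TLVs you expect to reach ISE are present in the frame.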
07-07-2019 05:50 PM