03-17-2023 02:58 AM
Hi all;
Does anyone have any experience on enabling and using Device Sensor on vIOSL2 images?
Thanks
03-20-2023 12:54 AM
In theory, if the Session exists on the interface and the port is Authorized, then RADIUS Accounting Interim-Updates should flow - and I don't see that with the L2 IOSv image. It has its limitations. And it seems that nobody from Cisco is updating this image - I have the latest image because I also have a CML account. I think Cisco needs to update this image to support device-sensor updates.
03-19-2023 01:31 PM - edited 03-19-2023 02:26 PM
Hi
Yes it works.
I connected two IOSvL2 switches together and enabled the following:
device-sensor filter-list cdp list CDP-LIST
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
!
device-sensor filter-list lldp list LLDP-LIST
tlv name system-name
tlv name system-description
tlv name system-capabilities
!
device-sensor filter-list dhcp list DHCP-LIST
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor accounting
device-sensor notify all-changes
Total cdp entries displayed : 1
switch1#show device-sensor cache All
Device: 0c4b.d59b.0006 on port GigabitEthernet1/1
--------------------------------------------------
Proto Type:Name Len Value
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 29
CDP 2:address-type 8 00 02 00 08 00 00 00 00
CDP 6:platform-type 10 00 06 00 0A 43 69 73 63 6F 20
CDP 5:version-type 240 00 05 00 F0 43 69 73 63 6F 20 49 4F 53 20 53 6F
66 74 77 61 72 65 2C 20 76 69 6F 73 5F 6C 32 20
53 6F 66 74 77 61 72 65 20 28 76 69 6F 73 5F 6C
32 2D 41 44 56 45 4E 54 45 52 50 52 49 53 45 4B
39 2D 4D 29 2C 20 45 78 70 65 72 69 6D 65 6E 74
61 6C 20 56 65 72 73 69 6F 6E 20 31 35 2E 32 28
32 30 32 30 30 39 32 34 3A 32 31 35 32 34 30 29
20 5B 73 77 65 69 63 6B 67 65 2D 73 65 70 32 34
2D 32 30 32 30 2D 6C 32 69 6F 6C 2D 72 65 6C 65
switch1#SHOW VER
Cisco IOS Software, vios_l2 Software (vios_l2-ADVENTERPRISEK9-M), Experimental Version 15.2(20200924:215240) [sweickge-sep24-2020-l2iol-release 135]
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 29-Sep-20 11:53 by sweickge
ROM: Bootstrap program is IOSv
switch1 uptime is 6 minutes
System returned to ROM by reload
System image file is "flash0:/vios_l2-adventerprisek9-m"
Last reload reason: Unknown reason
Remember that with DHCP, you must enable DHCP snooping or DHCP Gleaning for the device sensor to cache anything.
I connected a GNS3 VPCS (PC emulator) to one of the interfaces in VLAN 10 and issued a DHCP discovery on the VPCS.
switch1#show device-sensor cache int gi 1/3
Device: 0050.7966.6800 on port GigabitEthernet1/3
--------------------------------------------------
Proto Type:Name Len Value
DHCP 61:client-identifier 9 3D 07 01 00 50 79 66 68 00
DHCP 12:host-name 8 0C 06 41 72 6E 65 50 43
The DHCP config was simple
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
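Decoding the hex that `show device-sensor cache` prints, as an added example (not code from the post or from Cisco): a small Python parser over the cache lines above that strips each protocol's TLV header, interprets a few well-known fields (CDP capability bits, the DHCP client-identifier MAC) and flags entries the display cut short, as it does with the 240-byte version TLV. It assumes only the output layout shown in the post.

```python
import re

# Constructed sample from the post's two "show device-sensor cache" outputs; the version TLV is cut short.
SAMPLE = """\
Proto Type:Name Len Value
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 29
CDP 2:address-type 8 00 02 00 08 00 00 00 00
CDP 6:platform-type 10 00 06 00 0A 43 69 73 63 6F 20
CDP 5:version-type 240 00 05 00 F0 43 69 73 63 6F 20 49 4F 53 20 53 6F
66 74 77 61 72 65 2C 20 76 69 6F 73 5F 6C 32 20
DHCP 61:client-identifier 9 3D 07 01 00 50 79 66 68 00
DHCP 12:host-name 8 0C 06 41 72 6E 65 50 43
"""

CDP_CAPS = {0x01: "Router", 0x02: "TB-Bridge", 0x04: "SR-Bridge", 0x08: "Switch",
            0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}  # CDP capability bits

HEADER = re.compile(r"^(CDP|LLDP|DHCP)\s+(\d+):(\S+)\s+(\d+)\s+((?:[0-9A-F]{2}\s*)+)$")
HEX_ONLY = re.compile(r"^(?:[0-9A-F]{2}\s*)+$")

def parse_cache(text):
    """Group each 'Proto Type:Name Len hex...' line with the hex-only lines wrapped after it."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER.match(line)
        if m:
            proto, code, name, length, hexs = m.groups()
            entries.append({"proto": proto, "code": int(code), "name": name,
                            "len": int(length), "raw": bytearray.fromhex(hexs)})
        elif entries and HEX_ONLY.match(line):
            entries[-1]["raw"] += bytearray.fromhex(line)
    return entries

def decode(entry):
    """Strip the TLV header, interpret the value, and flag entries the display truncated."""
    raw, name = entry["raw"], entry["name"]
    # CDP: 2-byte type + 2-byte length (length includes the header). DHCP: 1-byte option +
    # 1-byte length. LLDP: 2-byte packed type/length. Len in the output counts the raw bytes.
    value = raw[4:] if entry["proto"] == "CDP" else raw[2:]
    if name == "capabilities-type":
        bits = int.from_bytes(value, "big")
        out = ",".join(n for b, n in sorted(CDP_CAPS.items()) if bits & b)
    elif name == "address-type":
        out = f"{int.from_bytes(value[:4], 'big')} address(es)"
    elif name == "client-identifier" and value[:1] == b"\x01":  # type 1 = Ethernet MAC
        out = ":".join(f"{b:02x}" for b in value[1:])
    else:
        out = value.decode("ascii", errors="replace")
    return out + (" [truncated]" if len(raw) < entry["len"] else "")

def summarise(text):
    """Map each cached TLV name to its decoded value."""
    return {e["name"]: decode(e) for e in parse_cache(text)}
```

The client-identifier decodes to the same MAC the cache lists for the port (0050.7966.6800), which is a quick consistency check that the right TLV bytes were stripped.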
03-19-2023 10:38 PM
Thanks for your reply;
My concern is about sending this gathered information to ISE through RADIUS Accounting messages. Do you have any successful experience here?
03-20-2023 12:32 AM - edited 03-20-2023 12:34 AM
Hi,
In order to have device sensor work for you via accounting which is sent to ISE, that endpoint MAC has to be somehow authenticated/authorized by ISE.
You will not have any accounting messages sent to ISE if you don't have any authentication/authorization for that specific endpoint.
BR,
Octavian
03-20-2023 02:50 AM
03-20-2023 06:50 AM
Hi,
Sorry, my assumption was that device-sensor is not working and that's all :))
Regarding IOL, IOSv or whatever you like to call it, I can confirm the behaviour you and Arne experienced.
In the last two weeks I've bumped my head using different IOL/IOSv images (some official - CML - different versions - some unofficial) trying to:
- configure cts dot1x / NDAC - not working (command available)
- configure cts manual - not working (command available)
- configure dot1x - works
- configure MAB - works only if authentication control-direction in is present or authentication open is present
- configure SXP - works
- configure SGACL - env-data ok, enforcement/SGACL - no predictable behavior
Overall, the behavior is not consistent and things that simply work using a hardware switch refuse to work on IOL L2 or start to work only after a reboot but not all the time.
BR,
Octavian
03-20-2023 02:52 AM
Thanks for your reply;
Yes. You are right. IOSvL2 has many limitations and, as you said, it seems that nobody is updating it.
03-20-2023 04:14 AM - edited 03-20-2023 04:23 AM
I just remembered. The CML folks are working on a replacement for L2 emulation. It will be a Catalyst9k image. The problem though is that it’s a beast. Needs 18GB of RAM. I have not tried it. But I think that will be Cisco’s answer.
CAT 9000V - Cisco Modeling Labs 2.5 - Document - Cisco Developer
03-20-2023 02:13 PM
@Octavian Szolga - sounds like you are preparing for an exam
Switch#show ver
Cisco IOS XE Software, Version 17.10.01prd7
Cisco IOS Software [Dublin], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.10.1prd7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 21-Sep-22 22:33 by mcpre
03-22-2023 12:27 AM
Hi Arne,
You're right. I'm labbing different scenarios/technologies and since ASA is virtual and one can test almost everything related to ASA including HA and clustering, the same for FTD/FMC and routers, I expected IOS L2/IOL L2 to support more than just basic L2 services.
After all, it's easier to have all devices inside the same virtual environment (CML/EVE) and just click click links in order to connect them all together than to define a separate VM, assign that to a port-group on ESXi that belongs to a vswitch and map that to a dedicated server vmnic that further connects to a physical switch just to correctly implement 802.1x and MAB.
I clearly understand that some features are performed in hardware by ASIC or whatever other specialized component, but this doesn't seem to be a concern for other products that have a software equivalent with a significantly lower throughput; after all, you care about testing the feature, not using it in a production environment.
Thank you for the update regarding C9000V!
BR,
Octavian