3253 Views | 10 Helpful | 3 Replies

Device sensor without DHCP snooping

SMD28316 (Level 1)

I want to disable the PSN IP helper on the switch to use device sensor for the endpoints profiling.

But DHCP snooping is not configured; will the device sensor not work?

If I'm not mistaken, it's a prerequisite for the device sensor.

#show run | include device-sensor
device-sensor accounting   ! device sensor is working on the switch
device-sensor notify all-changes
!


3 Replies

poongarg (Cisco Employee), accepted solution

DHCP snooping is needed for a layer 2 switch to process the DHCP data and place it in the device-sensor cache.


@poongarg wrote:

DHCP snooping is needed for a layer 2 switch to process the DHCP data and place it in the device-sensor cache.

I am running:

Catalyst3850-12S using Gibraltar, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, RELEASE SOFTWARE (fc3)

Current Technology Package = ipservicesk9

Smart Licensing Status: UNREGISTERED/EVAL MODE

I boot my endpoint (Dell 5070 ThinOS); it's doing its DHCP Discover over and over, looking for someone to serve an IP to it (as witnessed in Wireshark), but there are no cache entries:

ISEDEVSW(config-if)#do show device-sensor cache all
ISEDEVSW(config-if)# <there is no cache here???>

Yet when I run a shut on the port, the debug of my sensor says it's deleted the cache, which wasn't there to start with.

ISEDEVSW(config-if)#shut
ISEDEVSW(config-if)#
*Apr 23 10:08:54.804: DSENSOR: Deleting device-sensor cache for GigabitEthernet1/0/1
*Apr 23 10:08:54.805: DSENSOR: Deleting device-sensor cache for GigabitEthernet1/0/1
*Apr 23 10:08:54.805: DSENSOR: Deleting device-sensor cache for GigabitEthernet1/0/1
*Apr 23 10:08:54.805: DSENSOR: Deleting device-sensor cache for GigabitEthernet1/0/1

The local classifier sees nothing.

ISEDEVSW(config-if)# do show device classifier attached int gi1/0/1
Summary:

MAC_Address     Port_Id               Profile Name            Device Name
==========================================================================
a4bb.6d1e.f2ff  GigabitEthernet1/0/1  Un-Classified Device    Unknown Device

This is what I have configured; it appears that I have snooping enabled:

ip dhcp snooping vlan 2,15
no ip dhcp snooping information option
ip dhcp snooping
login on-success log

My device sensor configuration (I researched that device sensor is enabled by default):

device-sensor filter-list dhcp list iseDHCP
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
device-sensor filter-spec dhcp include list iseDHCP
device-sensor notify all-changes

Is there something in my port config which is stopping my device sensor from working?

interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 device-tracking attach-policy IPDT_MAX_10
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end


From the configuration output you've shared, it looks like everything is configured correctly on the switch. You have DHCP Snooping, Device-Sensor, and the SISL-based IP Device Tracking configured (and it looks like templates pushed by DNAC).

From your description, it sounds like the endpoint is not successfully getting an IP address. The template you're using is for Closed Mode, so the switch will not allow any traffic except EAP prior to a successful Authorization result from ISE.

If you change the port to Monitor Mode, do you see the endpoint getting an IP address and being profiled? If so, you may have a 'chicken vs. egg' catch-22 where the endpoint can't get an IP because it's not authorized based on profile and it can't get profiled because the switchport is blocking DHCP.

Unless you have a strict compliance/requirement for Closed Mode, I would suggest you consider using Low Impact Mode with a restrictive pre-auth ACL that permits basic protocols like DHCP, DNS, TFTP and denies everything else. The vast majority of customers that I've worked with feel that LIM provides the necessary balance of security vs. user experience.
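As an added illustration of the Low Impact Mode suggestion above (not configuration from this thread or from a DNAC template), the following IBNS 2.0 snippet shows the closed-mode setting that blocks DHCP before authorization next to a low-impact port with a pre-auth ACL that only permits DHCP, DNS and TFTP. The ACL name is hypothetical, and the control policy (service-policy type control subscriber) from the existing template is assumed to stay attached to the port.

```cisco
! Closed Mode, as implied by the DefaultWiredDot1xClosedAuth template:
! only EAPoL passes before authorization, so the DHCP Discover never
! reaches DHCP snooping and the device-sensor cache stays empty.
interface GigabitEthernet1/0/1
 access-session closed
!
! Low Impact Mode: the port forwards before authorization, but an
! ingress pre-auth ACL restricts the unauthenticated endpoint to the
! bootstrap protocols it needs to obtain an address and be profiled.
! ACL name is hypothetical (added example).
ip access-list extended ACL-PREAUTH-LIM
 remark DHCP client to server (seen by snooping and device-sensor)
 permit udp any eq bootpc any eq bootps
 remark DNS and TFTP for thin-client / PXE style boot
 permit udp any any eq domain
 permit udp any any eq tftp
 remark everything else waits for the ISE authorization result
 deny   ip any any
!
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 no access-session closed
 access-session port-control auto
 access-session host-mode multi-auth
 ip access-group ACL-PREAUTH-LIM in
 device-tracking attach-policy IPDT_MAX_10
 dot1x pae authenticator
 mab
 dot1x timeout tx-period 7
 spanning-tree portfast
```

Once ISE returns an authorization result, the dACL it pushes replaces the pre-auth ACL for that session, so the restrictive list only governs the window before profiling completes.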