DHCP Snooping for Device Sensor Profiling

Good morning experts,

I have a question in regards to DHCP snooping as I understand this feature must be enabled for the Device Classifier.  So here we go...

We have a couple of branch locations that utilize a router-on-a-stick design.  Basically we have an ISR with a couple of stack switches behind the ISR.  Our SVIs live/reside on the stack switches.  Do we still need to enable dhcp snooping on the access ports?  If so, do we need to enable dhcp snooping trust on the uplinks?  What effect does this have if we do not enable DHCP snooping on the access ports?

Normally, this isn't a problem since most of our campuses do not follow this model as we do utilize DHCP snooping on our access ports.

Just trying to piece all of this together for a future deployment.

Thanks a million!

-Robert

1 ACCEPTED SOLUTION

Cisco Employee

Re: DHCP Snooping for Device Sensor Profiling

The DHCP Snooping binding table is used by the IP Device Tracking (IPDT) feature on the switch to map the MAC address to the IP address and keep the mapping current. If you do not enable DHCP Snooping (both globally and on all relevant VLANs), then the switch cannot track the IP address associated with the endpoint MAC address.

This will result in no IP address being seen in the 'show access-session interface gigx/y details' output on the switch (assuming IBNS 2.0 syntax) as well as no IP address shown in the live logs or reporting in ISE (since the switch cannot include this in the RADIUS messages).

Yes, you will need to enable dhcp snooping trust on the uplinks toward the DHCP servers.

- Regards

Greg
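
An added example, not part of the thread and not Cisco tooling: a Python check over a saved running-config for the conditions named in the answer above (snooping enabled globally, enabled on each access VLAN, and trust set on an uplink). The sample config, VLAN numbers, interface names and function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread); VLANs and ports are made up.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10,20-22
ip dhcp snooping
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport access vlan 30
!
interface GigabitEthernet1/0/48
 description uplink toward DHCP servers
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_snooping(config):
    """Return findings for the conditions named in the accepted answer."""
    findings, snoop_vlans, access, trusted = [], set(), {}, []
    global_on, iface = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line: enter or leave an interface block
            iface = line.split()[1] if line.startswith("interface ") else None
        if line == "ip dhcp snooping":
            global_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,\- ]+)", line):
            snoop_vlans |= expand_vlans(m.group(1))
        elif iface and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            access[iface] = int(m.group(1))
        elif iface and line == "ip dhcp snooping trust":
            trusted.append(iface)
    if not global_on:
        findings.append("DHCP snooping is not enabled globally")
    for port, vlan in sorted(access.items()):
        if vlan not in snoop_vlans:
            findings.append(f"{port}: access VLAN {vlan} has no DHCP snooping")
    if not trusted:
        findings.append("no interface is configured with 'ip dhcp snooping trust'")
    return findings
```

Calling `audit_snooping()` on the text of a saved `show running-config` returns one finding per gap; an empty list means all three conditions are present.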

Re: DHCP Snooping for Device Sensor Profiling

*you will need to enable dhcp snooping trust on the uplinks toward the DHCP servers*

That's the key and that's what I wanted to confirm.

Thank you very much Gregory and appreciate the timely reply!

-Robert

Advocate

Re: DHCP Snooping for Device Sensor Profiling

Note that it is worth testing without DHCP Snooping. Although listed as a requirement, it does depend on the switch version; I have often been able to get Sensor working without Snooping.