How long does Cisco ISE take to update the IP address of an endpoint?

Ravi D
Level 1

Hello,

I had updated the Identity Group Assignment of an endpoint statically from one VLAN to another VLAN. I can see the endpoint has got a new IP address from the new VLAN. I can also see the change from the switch side: the port this endpoint is connected to is showing the new VLAN. But the Cisco ISE endpoint still shows the IP address from the old VLAN.

Thanks

Ravi


4 Replies

Thanks Brandon. Do you have any idea about the time it takes to sync?

Arne Bier
VIP

Have you configured Device-Tracking on the switch? If Device-Tracking has learned the new IP address of the endpoint, then I would have thought the switch would send a RADIUS Interim Accounting Update to ISE containing that IP address. But the switch might only do that if it learns the IP address via DHCP (DHCP Snooping enabled) and Device-Sensor.

Bottom line: ensure you have Device-Tracking and Device-Sensor enabled, and check the device-tracking database and the device-sensor cache for that interface:

show device-tracking database int Gix/y/z
show device-sensor cache int Gix/y/z

The RADIUS Interim Accounting updates must be configured also. Great guide here.

The switch sends this data to ISE as soon as it learns new endpoint information from the endpoint - there is no "sync" - it's near real-time.

I don't think we have device tracking enabled. When I searched for the config I see the below:

sw-so2cr-1#sh run | i device
no device-tracking logging theft

But i see the below output for device sensor for that interface.
sw-so2cr-1#sh device-sensor cache int G 6/0/2
Device: 80e8.2c0d.a0f0 on port GigabitEthernet6/0/2
----------------------------------------------------------------------------
Proto Type:Name Len Value Text
LLDP 0:end-of-lldpdu 2 00 00 ..
LLDP 127:organizationally-specific 9 FE 07 00 12 BB 01 00 01 01 .........
LLDP 3:time-to-live 4 06 02 0E 11 ....
LLDP 2:port-id 9 04 07 03 80 E8 2C 0D A0 F0 ...^@h,..p
LLDP 1:chassis-id 9 02 07 04 80 E8 2C 0D A0 F0 ...^@h,..p

So, basically, the purpose of device tracking is to send a RADIUS Interim Accounting Update to ISE about the new IP address of the endpoint it learnt on that interface?

Additionally, do we need to make any configuration changes on ISE to get this updated?

Hi Ravi,

The purpose of device tracking is to keep track of endpoints (MAC addresses) that the switch learns via DHCP or ARP probes. It's a very handy mechanism. Its main purpose is to aid in security (MAC address stealing and MAC address movement within the switch). I mostly use it to confirm/check the IP address of the endpoint.

So you might already have some basic device-sensor enabled. I have included my standard configuration below - it covers DHCP/LLDP/CDP device sensor - and don't forget to configure the aaa accounting commands to send this stuff to ISE.

Here is my winning recipe for all of this - assuming you're on a recent version of IOS-XE (e.g. 16.9 +) - there might be small differences here and there:

aaa accounting update newinfo periodic 1440
aaa accounting identity default start-stop group <<your-radius-group-name>>

!! Add the VLANs below that have DHCP enabled (data VLANs 1000-1010 and voice VLANs 1200-1210 in this example)
ip dhcp snooping vlan 1000-1010,1200-1210
no ip dhcp snooping information option
ip dhcp snooping
!
!! Only these DHCP options are cached and forwarded to ISE for profiling
device-sensor filter-list dhcp list TLV-DHCP
 option name host-name
 option name default-ip-ttl
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-spec dhcp include list TLV-DHCP
!
device-sensor filter-list cdp list TLV-CDP
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
 tlv number 34
!
device-sensor filter-spec cdp include list TLV-CDP
!
device-sensor filter-list lldp list TLV-LLDP
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor notify all-changes
access-session attributes filter-list list sensor_list
 cdp
 lldp
 dhcp
 http
access-session accounting attributes filter-spec include list sensor_list
!
device-tracking policy IPDT_POLICY
 no protocol dhcp6
 no protocol ndp
 security-level glean
 tracking enable
device-tracking logging theft
device-tracking tracking auto-source
!
no access-session mac-move deny
!
device-tracking policy IPDT_TRUNK
 trusted-port
 device-role switch
!! Attach to all trunk interfaces with:    device-tracking attach-policy IPDT_TRUNK
!
interface GigabitEthernet1/0/1
 description All trunk interfaces must have the IPDT_TRUNK policy
 switchport mode trunk
 device-tracking attach-policy IPDT_TRUNK
 ip dhcp snooping trust
 
interface GigabitEthernet1/0/6
 description User Port
 switchport access vlan 1000
 switchport mode access
 switchport voice vlan 1200
 device-tracking attach-policy IPDT_POLICY
 load-interval 30
 dot1x timeout tx-period 10
 source template 802.1X_TEMPLATE
 spanning-tree portfast
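To make concrete what the interim accounting update described above carries, here is an added Python example (my own, not from Arne's post or from Cisco): it builds and parses a RADIUS Accounting-Request Interim-Update per RFC 2866, with Calling-Station-Id set to the MAC from the show device-sensor output above and a constructed Framed-IP-Address, session id and shared secret. learned_ip() returns None when the update carries no Framed-IP-Address, which is what ISE receives when the switch has no device-tracking entry for the endpoint.

```python
import hashlib
import socket
import struct

SECRET = "s3cret-example"  # constructed sample shared secret, not a real one
ACCOUNTING_REQUEST = 4     # RADIUS packet code
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31  # RFC 2865 attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID, NAS_PORT_ID = 40, 44, 87  # RFC 2866 / RFC 2869
INTERIM_UPDATE = 3         # Acct-Status-Type value for an Interim-Update

def _avp(attr_type, value):
    # Attribute layout: Type (1 byte), Length (1 byte, includes the 2-byte header), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_interim_update(identifier, mac, session_id, port_id, ip=None, secret=SECRET):
    """Accounting-Request Interim-Update as the switch sends it; ip=None models a switch that never learned an address."""
    avps = _avp(USER_NAME, mac.encode()) + _avp(CALLING_STATION_ID, mac.encode())
    avps += _avp(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE))
    avps += _avp(ACCT_SESSION_ID, session_id.encode()) + _avp(NAS_PORT_ID, port_id.encode())
    if ip is not None:
        avps += _avp(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(avps))
    # RFC 2866 Request Authenticator: MD5 over the packet with a zeroed authenticator, then the secret
    authenticator = hashlib.md5(header + bytes(16) + avps + secret.encode()).digest()
    return header + authenticator + avps

def parse_accounting(packet, secret=SECRET):
    """Check the Request Authenticator and return {attribute_type: raw_value}."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret.encode()).digest()
    if packet[4:20] != expected:
        raise ValueError("Request Authenticator mismatch: wrong shared secret or altered packet")
    attrs = {}
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute length")
        attr_type, attr_len = body[0], body[1]
        attrs[attr_type] = body[2:attr_len]
        body = body[attr_len:]
    return attrs

def learned_ip(packet, secret=SECRET):
    """Address ISE would record from this update, or None if no Framed-IP-Address was carried."""
    attrs = parse_accounting(packet, secret)
    if attrs.get(ACCT_STATUS_TYPE) != struct.pack("!I", INTERIM_UPDATE):
        return None
    return socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS]) if FRAMED_IP_ADDRESS in attrs else None
```

If a capture of the switch-to-ISE accounting traffic shows interim updates without Framed-IP-Address (or no interim updates at all), the gap is on the switch side (device-tracking, device-sensor, or the aaa accounting commands), not in ISE.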
