03-18-2014 03:17 PM - edited 03-10-2019 09:33 PM
Hi all,
The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches) so we do it. However I have never understood what this accomplishes. (In terms of ISE/NAC. I understand what DHCP snooping is).
Can anyone explain? Thanks.
08-10-2018 04:44 AM
Just seeing this post for the first time, and it is likely resolved, but to bring closure for anyone else asking the same...
DHCP Snooping is a switch security feature that adds benefits independent of ISE and helps to ensure trust in the DHCP client and server communications. It is also foundational to other switch security features. Specific to ISE, DHCP Snooping is cited as a prerequisite for the Device Sensor feature which allows switch/controller to capture local DHCP traffic, parse key option attributes, and publish those to ISE as av-pairs in RADIUS Accounting Update packets. Device Sensor can do the same for other types of locally learned endpoint data such as CDP/LLDP, HTTP User Agents, mDNS, H323, SIP, etc.
Specific to dACLs, the switch needs to learn the IP address for the client to instantiate source IP address substitution in the per-user ACL. This IP binding to MAC can be learned via IP Device Tracking or DHCP Snooping.
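As an added illustration (not code from this thread or from Cisco), the following Python models the two points in the answer above: how Device Sensor parses DHCP options into av-pairs for ISE, and why the switch must hold a MAC-to-IP binding (from DHCP snooping or IP device tracking) before it can substitute the client's source address into a dACL. The "dhcp-option=" av-pair framing and all packet and address values are assumptions or constructed samples.

```python
def tlv(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

# Constructed DHCP DISCOVER option field (the part after the magic cookie), not a capture.
DISCOVER_OPTS = (tlv(53, b"\x01") + tlv(12, b"print-042") + tlv(60, b"MSFT 5.0")
                 + tlv(55, bytes([1, 3, 6, 15, 44, 46, 47])) + b"\xff")

def parse_options(opts):
    """Walk the option TLVs up to the end marker (255); pad bytes (0) are skipped."""
    out, i = {}, 0
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out

# ISE profiling attribute names for these options; the "dhcp-option=" framing of the
# cisco-av-pair value is an assumption made for illustration.
NAMES = {12: "host-name", 60: "dhcp-class-identifier", 55: "dhcp-parameter-request-list"}

def device_sensor_avpairs(opts):
    """Render what Device Sensor would publish to ISE in a RADIUS Accounting update."""
    parsed = parse_options(opts)
    pairs = []
    for code, name in NAMES.items():
        if code not in parsed:
            continue
        raw = parsed[code]
        value = ",".join(str(b) for b in raw) if code == 55 else raw.decode()
        pairs.append("dhcp-option=%s=%s" % (name, value))
    return pairs

def instantiate_dacl(dacl, mac, bindings):
    """Substitute the client's IP for the source 'any' in each ACE of a dACL.
    'bindings' is the MAC-to-IP table the switch learns from the DHCP ACK (snooping)
    or from IP device tracking; without it there is nothing to substitute."""
    ip = bindings.get(mac)
    if ip is None:
        raise LookupError("no IP binding for %s; dACL not applied" % mac)
    result = []
    for ace in dacl:
        tok = ace.split()
        if len(tok) > 2 and tok[2] == "any":
            tok[2:3] = ["host", ip]
        result.append(" ".join(tok))
    return result
```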
03-19-2014 10:19 AM
This command helps ISE to profile endpoints.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html#wp1132818
03-19-2014 01:25 PM
Thanks for the reply, Vattulu.
Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.
Googling around I found this article/section:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679
which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.
Still digging, I would like to understand this. Thanks for your help.