Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
1
Helpful
8
Replies

ISE profiling - DHCP probe

babalao
Spotlight
Spotlight

‎05-01-2024 05:36 PM

Hello,

to profile devices via DHCP , is it enough to use the device-sensor config for it, or I still need DHCP relay config to forward DHCP packets to ISE?

device-sensor alone ?  or  device-sensor + dhcp relay (ip helper-address)

Thank you.

Regards

0 Helpful
8 Replies 8

Rob Ingram
VIP
VIP

‎05-02-2024 12:25 AM

@babalao if you have configured device sensor to gather DHCP probe information you do NOT need the ip helper-address on the SVI.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

0 Helpful

MHM Cisco World
VIP
VIP

‎05-02-2024 12:36 AM

can I see how you config the device sensor 

 

MHM

0 Helpful

babalao
Spotlight
Spotlight

‎05-02-2024 06:45 AM

Thank yor the replies.

I am going to configure this as device-sensor for dhcp:

device-sensor filter-list dhcp list ISE-dhcp
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list ISE-dhcp

@Rob Ingram I read that but I did no get a clear answer...

One could test this and if gets dhcp attributes in endpoints means it is working right?

thank you

davidgfriedman
Level 1
Level 1
In response to babalao

‎05-02-2024 06:56 AM

After filter-spec, don't forget to enable it with, (I think):
device-sensor accounting
device-sensor notify all-changes

0 Helpful

MHM Cisco World
VIP
VIP
In response to babalao

‎05-02-2024 06:56 AM

If you get dhcp attribute in ISE sure you dont need dhcp probe' but I will make double check this case update you tonight 

MHM

0 Helpful

Rob Ingram
VIP
VIP
In response to babalao

‎05-02-2024 07:58 AM

@babalao the DHCP probes (helper-address) provide the following:

RobIngram_0-1714661623948.png

Device sensor will provide the same and does allow you to specify more options to send via the filter list.

So no point enabling both device sensor and helper-adddress to learn the same information.

0 Helpful

PradeepSingh
Level 1
Level 1

‎05-02-2024 11:46 AM

Hi @babalao which model and version of the switch ?  There is a bug which has been registered about 'device-sensor accounting' command. 

https://bst.cisco.com/bugsearch/bug/CSCvd12458?rfs=qvlogin

Interestingly, according to guide ISE Profiling Design Guide - Cisco Community this issue started 16.3.x but all the official cisco configuration guides still mention to use  'device-sensor accounting' which is not available at all in any on Cat 9K platform.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-6/configuration_guide/sec/b_176_sec_9300_cg/m9-sec-176-device-sensor.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-6/configuration_guide/sec/b_176_sec_9300_cg/m9-sec-176-device-sensor.html

In our case device sensor is not sending updates to ISE and we are having a TAC case going on.

 

 

 

0 Helpful

babalao
Spotlight
Spotlight

‎05-03-2024 06:30 AM - edited ‎05-03-2024 11:00 AM

Hello,

yesterday I tried it (with 2 2960x) and in both cases I only get DHCP attributes of the endpoint if I put the helper-address. Device sensor did not get info. I shut/no shut the port several times to make DHCP happen and nothing... maybe device-sensor is slower??

At least in my tests....

Thank you

0 Helpful
Customers Also Viewed These Support Documents