ISE Profiling Switch Configuration

InfraISE2020 · ‎10-20-2020

Hi all,

We are looking at implementing ISE profiling and we have a question around DHCP probes/switch configuration.

As you can see from the attached images, we current run DHCP on a windows server and the firewall interface is set to relay to this server. Our understanding is that for DHCP probes to work we need an IP Address Helper configured on an SVI for each VLAN, so on that basis do we set the IP address helper IPs to the firewall interface IP and the ISE server or direct to the windows DHCP server and the ISE server and turn off IP relaying on the firewall?

Thanks in advance.

Mohammed al Baqari · ‎10-20-2020

That is a design question and its really up to you on where to set them.
SVIs are good to do this however you need to allow dhcp communication on
the firewall. Otherwise put the relay on the firewall and no need for
additional rules.

I suggest to try device sensor in your switches instead of attempting
different probes for profiling as it gives more consolidated information.

**** please remember to rate useful posts

Aref Alsouqi · ‎10-21-2020

I would add another DHCP Relay on the firewall pointing to ISE, that should do the trick.

Peter Koltl · ‎10-22-2020

Don’t.

Device sensor provides DHCP info among others without unscalable relaying.