Hi,
I have a quick question. Can ISE (PSN) gather IP-to-MAC address bindings using its own local ARP table if it is directly connected (L2 adjacent or same VLAN/subnet) to end-points it is scanning with NMAP, hence avoid having configuring switches and probes for profiling?
If that can happen could customers use this as an alternative design if they don’t want to configure any commands for ISE probes on switches?
I have read the below from the ISE Profiling Design Guide – not sure I have interpreted this correctly hence my question to you. Can we view the local ARP cache of a PSN node by the way?
""" START """"
- NMAP is based on a known IP address. If the NMAP probe collects attributes for an endpoint but cannot correlate that to a specific MAC address, that data is discarded. If the Policy Service node is on the same segment as the endpoint it is scanning, it can learn the IP-to-MAC address binding from its local ARP cache and add the endpoint directly into the Internal Endpoints database. Consequently, it is required to learn the IP-to-MAC address binding via another probe prior to collecting NMAP probe data. Probes that can be used to provide this information include the following:
- RADIUS (via Framed-IP-Address)
- DHCP (via dhcp-requested-address)
- SNMP Query (via SNMP polling)
"""" END '""""
Kind Regards,
Kostas
