[ISE2.1] ERS API support for enhanced probe data

masyamad (Cisco Employee)

The release notes say that ISE 2.1 "Allows the export of probe data from the GUI".

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-697983

In lab verification I was able to export the data from the GUI. But I looked for an API for that data at https://<ISE IP>:9060/ers/sdk and couldn't find one yet.

Is exporting the probe data via the API not supported yet? Could you tell me the roadmap for it?


17 Replies

Craig Hyps (Level 10) - Accepted Solution

You must use either the CLI or the Endpoint Analysis Tool (iseeat.cisco.com) to extract endpoint profile data. It is not exposed via the API. For reference, what is the use case (what do they plan to do with the profile data externally), and which type of database are they looking to integrate with (LDAP, SQL, other)?

Thanks for the reply. I guess you are a Cisco guy; do you know the roadmap for this function on the ERS API?

> For reference, what is the use case (what do they plan to do with the profile data externally), and which type of database are they looking to integrate with (LDAP, SQL, other)?

Thanks. But it may be related to the customer's future plans, so it's difficult for me to share that information, sorry.

Sorry. We do not share roadmaps on the Community, as it is a public forum. If the customer is under NDA, then it is possible to work with the Cisco account team to discuss future enhancements.

/C

OK. I'll look for a way to open it. Thanks.

Hi

You only need to run it against the PAN, as the same config database is replicated to all nodes. The EAT or CLI tool collects the endpoint data that is stored in the endpoint config database. If the whitelist filter is enabled, then insignificant attributes are not replicated/stored.

When a non-significant attribute (like host-name) is updated on a certain PSN in one node group, it doesn't trigger a global update, so the PAN will not know about the attribute change until some other significant attribute is updated. This is my understanding. Am I right?

And when trying to edit an attribute on the PAN, the PAN queries all PSNs to get all attributes, including whitelisted ones.

So we can see all the latest attributes in the PAN web GUI. But I'm not sure the PAN knows all the latest attributes when triggering

The attributes from the ISE database are the same across the deployment. The attributes are pulled from Oracle, not Redis. Besides, there is a periodic sync of attributes from PSN Redis to the PAN.

I don't know what "blacklist" is. I can only infer that you mean attributes not included when the attribute filter is enabled. You will get all attributes. I recommend you use the tools first so you can see first hand what the output is. It will likely help address your concerns.

Thanks for the update.

Looking through Cisco resources, I only found the following description in a recent Cisco Live PDF, and couldn't find anything about a periodic sync from PSN to PAN:

> Replication to PAN occurs if a significant attribute changes, then all attributes are synced via the PAN;

or

> - Local Persistence for Profiler DB. 

>  -- Only update PAN for Significant Attributes

Could you tell me more details (e.g. the frequency or which values) or pointers about this behavior, if available?

This was done to address issues where some attributes were not in sync but needed to be for DNS and purge to work as intended. Approximately every 12 hours, PSNs sync endpoint attributes with the Primary PAN.

Related Bug IDs:

CSCuz44971    ISE 1.3 Inconsistent Endpoint inactivity timer causing purge issues

CSCuu60871    Profiler: DNS Reverse Lookup Averted if less than 1 hour

Solution:

Periodically synchronize Oracle with the current endpoint owner's Redis cache so that the Oracle information is reasonably up to date. In order for this not to swamp the deployment with replication traffic, periodic syncs of endpoint data to the PAN will be done without replicating the endpoint to all of the PSNs. The result is that the PAN will have reasonably up-to-date information, while the PSNs will have the same stale endpoint data that they have now. To make sure purging happens with reasonably accurate information, PSNs will fetch endpoint data either from the local cache or from the PAN. If the endpoint cannot be read from either source, then it will be skipped during that purge cycle.

Thanks for the update. This means the PAN can guarantee accurate endpoint information as of 12 hours ago, right?

If the host-name (a non-significant attribute) is changed and learned on the owner PSN within those 12 hours, the PAN cannot know about the change.

Is my understanding correct?

And I think that the PAN retrieves the latest probe information from all PSNs when editing or viewing endpoint probes from the PAN GUI. So if the latest accurate information is required, we need to open the Context Visibility page on the PAN first, then try the CLI.

Hi, we noticed that the ERS API can return endpoint data for only 100 devices per query (the default is 20 and the maximum seems to be 100):

<link rel="related" href="https://172.23.20.212:9060/ers/config/endpoint?page=1&amp;size=200" type="application/xml"/>

  <messages>

  <message type="ERROR" code="Query string validation exception">

  <title>The size parameter '200' is incorrect. Should be positive number between 1 and 100.</title>

Are there similar limits on the GUI and CLI?

The ERS API can query everything via paging.

The use of paging to control the number of results in a query is common to APIs as well as UIs. The UI provides paging with filtering/sort options. You would not want to wait for a page containing thousands of entries to load each time.

There is no CLI for the guest application. There are also bulk API functions for updates/registration/deletion.
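The paging walk described in the reply above, as an added example that is not part of the original thread or of any Cisco tool. It follows the `nextPage` link that the ERS `SearchResult` returns for `GET /ers/config/endpoint` until the last page, and refuses a page size outside 1..100 locally rather than sending a request that ERS will reject (the error quoted earlier in the thread). The PAN hostname, credentials, endpoint ids and MAC addresses are constructed for illustration; the real fetcher uses HTTP basic auth, which on ISE requires an account in an ERS Admin/Operator group, and keeps TLS verification on unless you deliberately turn it off for a lab.

```python
"""Enumerate all ISE endpoints through the ERS collection API, 100 per page.

Added example for this thread; hostnames, credentials and sample endpoints
are constructed and not from ISE or the original posts.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

# ERS validates the size parameter as "positive number between 1 and 100".
ERS_MAX_PAGE_SIZE = 100


def build_endpoint_url(base_url: str, page: int, size: int = ERS_MAX_PAGE_SIZE) -> str:
    """Return the URL of one page of GET /ers/config/endpoint.

    Validate locally so a bad size fails here instead of as a
    "Query string validation exception" from the PAN.
    """
    if page < 1:
        raise ValueError(f"page must be >= 1, got {page}")
    if not 1 <= size <= ERS_MAX_PAGE_SIZE:
        raise ValueError(f"size must be between 1 and {ERS_MAX_PAGE_SIZE}, got {size}")
    query = urllib.parse.urlencode({"page": page, "size": size})
    return f"{base_url.rstrip('/')}/ers/config/endpoint?{query}"


def make_ers_fetcher(username: str, password: str, verify_tls: bool = True) -> Callable[[str], dict]:
    """Build fetch(url) -> parsed JSON using basic auth against the ERS port.

    The account needs ERS Admin/Operator membership on ISE. Keep verify_tls=True
    outside a lab: the PAN's admin certificate should chain to a CA you trust.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: disables certificate and hostname checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"Accept": "application/json", "Authorization": f"Basic {token}"}
        )
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


def iter_endpoints(base_url: str, fetch: Callable[[str], dict],
                   size: int = ERS_MAX_PAGE_SIZE) -> Iterator[dict]:
    """Yield every resource in the endpoint collection by following nextPage.

    ERS answers {"SearchResult": {"total": N, "resources": [...],
    "nextPage": {"href": ...}}}; the final page carries no nextPage.
    The seen-set guards against re-yielding if a page is served twice.
    """
    url = build_endpoint_url(base_url, 1, size)
    seen = set()
    while url:
        result = fetch(url)["SearchResult"]
        for resource in result.get("resources", []):
            if resource["id"] in seen:
                continue
            seen.add(resource["id"])
            yield resource
        url = result.get("nextPage", {}).get("href")


def collect_endpoint_ids(base_url: str, fetch: Callable[[str], dict],
                         size: int = ERS_MAX_PAGE_SIZE) -> List[str]:
    """Materialise the ids of every endpoint across all pages."""
    return [resource["id"] for resource in iter_endpoints(base_url, fetch, size)]


# Constructed offline stand-in for the PAN: five endpoints, ERS-shaped pages.
SAMPLE_BASE = "https://ise.example.net:9060"  # hypothetical PAN
SAMPLE_ENDPOINTS = [
    {"id": f"ep-000{n}", "name": f"00:11:22:33:44:0{n}"} for n in range(1, 6)
]


def sample_fetch(url: str) -> dict:
    """Serve SAMPLE_ENDPOINTS in pages, mimicking ERS SearchResult/nextPage."""
    parts = urllib.parse.urlparse(url)
    qs = urllib.parse.parse_qs(parts.query)
    page = int(qs.get("page", ["1"])[0])
    size = int(qs.get("size", ["20"])[0])  # ERS default page size is 20
    if not 1 <= size <= ERS_MAX_PAGE_SIZE:
        raise ValueError(f"The size parameter '{size}' is incorrect. "
                         "Should be positive number between 1 and 100.")
    start = (page - 1) * size
    result = {"total": len(SAMPLE_ENDPOINTS), "resources": SAMPLE_ENDPOINTS[start:start + size]}
    if start + size < len(SAMPLE_ENDPOINTS):
        origin = f"{parts.scheme}://{parts.netloc}"
        result["nextPage"] = {"rel": "next", "href": build_endpoint_url(origin, page + 1, size),
                              "type": "application/json"}
    return {"SearchResult": result}


if __name__ == "__main__":
    # Against a real PAN: fetch = make_ers_fetcher("ersadmin", "secret")
    ids = collect_endpoint_ids(SAMPLE_BASE, sample_fetch, size=2)
    print(f"{len(ids)} endpoints collected across pages: {ids}")
```

With a real deployment, swap `sample_fetch` for `make_ers_fetcher(...)` and keep `size=100`; the walker stops when the PAN omits `nextPage`, so the 100-per-page cap costs only more round trips, not missing endpoints.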

Thanks. So can I expect that exporting all endpoints from the GUI, or "[16] Get all Endpoints" on the CLI, obtains all endpoint profiling data at once?