Limit ISE profiling by network subnets

02-01-2016 02:19 PM
I am working a case where cx would like to exclude specific IP subnets on his network from being profiled because the SNMP scans are causing sensitive control devices to lock up and reset. Currently, the switches that these devices are connected to are not configured to use ISE as an authentication server. But, since ISE has network reachability to the device via other network devices on the network, it is still profiling and causing the SNMP scans on these endpoints. Cx has temporarily disabled SNMP as a probe for now, but needs a solution and I am not aware that we can exclude specific subnets from being profiled. Is there any workaround for this issue? Any assistance is gladly appreciated.
02-02-2016 07:43 AM
Tremesha, the ISE SNMP probe doesn't interact with endpoints; rather, it works with NADs (Network Access Devices) to retrieve CDP, LLDP, and ARP table information. The probe that scans endpoints is the NMAP probe, which can be disabled from the probe screen under deployment. NMAP is the only form of active profiling (where ISE actually sends out packets to the endpoint), so disabling it should address the customer's issue.
Disabling probe activity per subnet is not possible. However, depending on the probe type, you can control which subnets profiling is used on. For instance, the DHCP probe can be disabled for a certain subnet by not forwarding DHCP (using the 'ip helper' command) to ISE from that specific SVI.
Hosuk

02-02-2016 11:48 AM
Hi Hosuk,
Thank you for the response. So the only option is to disable the NMAP probe to prevent profiling on the endpoints? It is interesting that the customer only disabled the SNMP probe and this stopped the scanning as well. I am sure that asking customers to disable probes to prevent profiling on endpoints should not be a final solution, since many customers use NMAP to profile printers and other devices on their network. Do you think this is a feature that could be added to limit the scope of ISE profiling if an enhancement was filed? Also, it appears that scanning or profiling is done on endpoints connected to switches or NADs that are not even configured to use ISE. Is this expected behavior, and does ISE profile any device it has network connectivity to regardless of whether the NAD is configured to use ISE?
Thanks,
Tremesha Colbert
Customer Support Engineer | Cisco TAC AAA
***personal contact information removed by moderator
02-02-2016 12:09 PM
Tremesha, NMAP, like any other probe, is just one of the probes. In general, profiling of an endpoint consists of combining information collected from many different sources. Take printers, for instance: in general it is feasible to profile a printer purely based on the DHCP request. I suggest looking at the 'EndPointSource' attribute for endpoints to find out how the endpoint was profiled. If the SNMP probe was responsible for profiling the device, that attribute should state so, and we can discuss whether it can be disabled. For a feature request, I suggest contacting the PM team for further assistance.
If an endpoint was discovered on ISE even though the NAD that it is on was not configured on ISE, there can be many possibilities, but to investigate you should look at the 'EndPointSource' attribute to find out which probe was responsible for finding it. For instance, even though you would not add dist/core switches to ISE, the SVI may be configured to forward DHCP requests to ISE. Also, if SNMP was configured and ISE learns of the IP/MAC mapping, then it could trigger NMAP to gain more information about the endpoint.
If toggling the SNMP probe is making a difference, another thing that you could try is to enable it with 'Polling Interval' set to 0 seconds under each of the NADs. This will get ISE to use the SNMP probe just for triggered profiling to get CDP/LLDP information and not for other uses such as ARP table scavenging.
Hosuk
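
An added example, not part of this thread or of ISE itself: a small Python audit that takes an endpoint list reduced to MAC, IP and the EndPointSource attribute the reply above points to, and reports which probes discovered endpoints inside the sensitive subnets. The sample records and field names (other than EndPointSource) are constructed assumptions; the probe names are the ones discussed in this thread.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample standing in for an ISE endpoint export reduced to the
# three fields that matter here. Field names other than EndPointSource are
# assumptions; the source values follow the probe names used in this thread.
SAMPLE_ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.50.1.10", "EndPointSource": "NMAP Probe"},
    {"mac": "00:11:22:33:44:02", "ip": "10.50.1.11", "EndPointSource": "SNMPQuery Probe"},
    {"mac": "00:11:22:33:44:03", "ip": "10.60.7.5", "EndPointSource": "DHCP Probe"},
    {"mac": "00:11:22:33:44:04", "ip": "10.50.2.200", "EndPointSource": "RADIUS Probe"},
    {"mac": "00:11:22:33:44:05", "ip": "192.168.9.4", "EndPointSource": "NMAP Probe"},
]

# NMAP is the only probe that sends packets to the endpoint itself (active).
# SNMPQuery polls the NAD, not the endpoint, but is flagged because, as the
# reply notes, an IP/MAC mapping learned via SNMP can trigger an NMAP scan.
ACTIVE_PROBES = {"NMAP Probe"}
TRIGGER_PROBES = {"SNMPQuery Probe"}


def audit_sensitive_subnets(endpoints, sensitive_cidrs):
    """Return (per-subnet Counter of EndPointSource values, flagged endpoints).

    Flagged endpoints are those inside a sensitive subnet whose discovery
    involved an active or triggering probe. Records without a parseable IP
    are skipped rather than aborting the audit.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in sensitive_cidrs]
    per_net = defaultdict(Counter)
    flagged = []
    for ep in endpoints:
        try:
            addr = ipaddress.ip_address(ep["ip"])
        except (KeyError, ValueError):
            continue
        for net in nets:
            if addr in net:
                src = ep.get("EndPointSource", "unknown")
                per_net[str(net)][src] += 1
                if src in ACTIVE_PROBES or src in TRIGGER_PROBES:
                    flagged.append((ep["mac"], str(addr), src))
                break  # an address belongs to at most one listed subnet here
    return dict(per_net), flagged


if __name__ == "__main__":
    summary, hits = audit_sensitive_subnets(SAMPLE_ENDPOINTS, ["10.50.0.0/16"])
    for net, counts in summary.items():
        print(net, dict(counts))
    for mac, ip, src in hits:
        print(f"review: {mac} {ip} discovered via {src}")
```

Endpoints that show up in the sensitive range with a DHCP or RADIUS source were learned passively; the flagged ones are where the ip helper or SNMP polling-interval changes from the replies above would matter.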

03-28-2016 12:51 PM
I have personally disabled SNMP and utilized Cisco IOS Device Sensor and DHCP probes exclusively. We disable SNMP due to memory leaks in the SNMP service. We also found that 15.0(2) SE code is more stable.
