695 views | 0 helpful | 3 replies

Setting LLDP options using ISE Authorization Profile Advanced Attrib's

netwerkbeheer (Level 1)

Hi,

We have ISE 2.7.0.356 patch 9, with most of our switches on Cisco IOS XE Software, Version 16.12.05b, and some newer switches running 17.06.04

For our LAN we would like the option to enable or disable all, or specific, LLDP TLV advertisements, depending on which device authenticates (or fails to authenticate) on our switch ports.

We don't yet use Profiling, so no incoming LLDP data in our switches is used in our auth. policies. So that is not an issue in this case.

Interface Profiles was my first guess to use for this, but I understood that LLDP is not supported by the Interface Profile feature (?).

In the Advanced Attributes Settings for Authorization Profiles the following appears when LLDP is entered in the search bar:

LLDP:lldpSystemDescription =

LLDP:lldpTimeToLive =

LLDP:lldpPortDescription =

LLDP:lldpManAddress =

LLDP:lldpCapabilitiesMapSupported =

LLDP:lldpCacheCapabilities =

LLDP:lldpPortId =

LLDP:lldpSystemCapabilitiesMapEnabled =

LLDP:lldpSystemName =

LLDP:lldpChassisId = 

LLDP:cdpCacheAddress =
  • But what do I enter or select there, to the right of the "=" in the second column?
    • Enable/Disable, On/Off, or ...?

(Under Policy > Policy Elements > Dictionaries > LLDP I hoped to find something, but it says STRING and nothing else that could be useful.)

  • Is this even a valid set of Attributes for use to SET options for LLDP on switchports, or could it be a set of Profiling options that should not even appear in an Authorization Profile? (I ask this in part because all LLDP-related ISE search terms only give Profiling-related results.)

If these Advanced Attributes are not an option:

  • Is there another way to set LLDP options/config on switchports using ISE Authorization Profiles?

And, because I spent all day looking for a more in-depth document about this and failed to find one:

  • Is there a Deep-Dive, Advanced, In-Depth guide for configuring Authorization Profiles, including of course the options under Advanced Attributes Settings?

If anyone knows, please make my day.

Best Regards,

Rick Roersma

3 replies

Arne Bier (VIP)

Hi @netwerkbeheer - I understand what you're trying to achieve, but what is the reason you want to do this - is there a requirement by the endpoints to process custom LLDP attributes? Not sure how this can be done - as far as I understand, the changes in the switch interface should influence what attributes the switch advertises to the endpoint - as opposed to the other way around, where the Device Sensor processes the attributes it hears from endpoints.

Do you want the ability to selectively NOT return certain attributes, or do you want to have the ability to set the values of those attributes? Have you tried creating a named template on the switch? Does it accept LLDP commands in the template? If yes, then try returning that template to an endpoint and see if the config accepts it (show derived-config interface xyz).

I don't know about the LLDP Dictionary - I would assume that this is used by ISE to process the Device Sensor data it receives from the switch as part of the Device Sensor (profiling).

Thanks for your reply!

What we are looking for is the ability to selectively NOT return certain attributes.

Your confusion as to why I'm trying to achieve this is understandable. I myself would be fine with just a default set of returned attributes configured on access ports, but some voices in our organisation are very... careful... about any attributes advertised on access ports.

We have NAC implemented and switch software is up to date, so the switches have no horrible vulnerabilities; the risk of advertised LLDP attributes seems manageable in my opinion.

But as it is, I was asked to investigate if it is possible, so here we are.

Named Templates, I'll give that a try and will be back, with good or bad news.

Thanks again!

poongarg (Cisco Employee)

You can control the sending and receiving of TLVs on a switchport using LLDP-MED.

LLDP-MED

LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices. It specifically provides support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power over Ethernet, inventory management and location information. By default, all LLDP-MED TLVs are enabled.

LLDP-MED Supported TLVs

LLDP-MED supports these TLVs:

  • LLDP-MED capabilities TLV

    Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and has enabled.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/int_hw/b_1612_int_and_hw_9200_cg/configuring_lldp__lldp_med__and_wired_location_service.html
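As an added illustration (not part of poongarg's reply or the linked Cisco guide), the IOS XE lines below show how TLV advertisement is narrowed on the switch itself: global `lldp tlv-select` keywords remove basic LLDP TLVs from every LLDP-enabled port, and interface-level `lldp med-tlv-select` keywords remove LLDP-MED TLVs on one port. The interface name and the particular TLVs chosen are assumptions for the example, since the thread does not say which TLVs need to be suppressed; whether these same lines are accepted inside a named interface template, the route Arne suggested for returning the setting from ISE, is something to confirm on the switch with `show derived-config`.

```cisco
! Added example configuration (not from the post or the Cisco guide).
! Global: stop advertising the management-address and system-description
! TLVs on all LLDP-enabled ports. Other basic TLVs keep their defaults.
no lldp tlv-select management-address
no lldp tlv-select system-description
!
! Per-port: keep LLDP transmit/receive running (so Device Sensor profiling
! can still be enabled later) but drop the LLDP-MED inventory and location
! TLVs on this access port. The interface name is assumed for the example.
interface GigabitEthernet1/0/10
 lldp receive
 lldp transmit
 no lldp med-tlv-select inventory-management
 no lldp med-tlv-select location
!
! Verify what the port still advertises after the change:
! show lldp interface GigabitEthernet1/0/10
! show running-config interface GigabitEthernet1/0/10
```

The split matters for the original question: the basic TLV selection is global and therefore the same for every port regardless of who authenticates, while the LLDP-MED selection is per interface, so it is the part that could in principle vary with an authorization result if the platform accepts it in a template.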