cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

SNMP Control plane

rovargas
Cisco Employee
Cisco Employee

In a Forescout and OpenNac large competitive deal, customer is asking us to provide technical reasons to avoid using SNMP.

Both Forescout and OpenNac support SNMP trap session creation and SNMP based authorisation (similar to what we used to have with CCA).

The main technical objection we have traditionally used is that SNMP based authorisation changes the switch configuration and this might break network management tools.

Knowing that we have been there (CCA), is there anything else we might argue? Maybe NAD impact?

1 ACCEPTED SOLUTION

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

A couple of things come to mind...

1) RADIUS is the world standard for session-based network access control (AAA).

2) SNMP based authorization means setting VLANs which are not very granular compared to dACLs

3) changing VLANs (SNMP or RADIUS) may inadvertently orphan an endpoint in a new VLAN with an old IP address because they didnt detect the VLAN change and know they were supposed to re-DHCP. We don't recommend VLAN changes as a best practice even with RADIUS.

4) SNMP does not inherently support Accounting for later audits

View solution in original post

3 REPLIES 3

thomas
Cisco Employee
Cisco Employee

A couple of things come to mind...

1) RADIUS is the world standard for session-based network access control (AAA).

2) SNMP based authorization means setting VLANs which are not very granular compared to dACLs

3) changing VLANs (SNMP or RADIUS) may inadvertently orphan an endpoint in a new VLAN with an old IP address because they didnt detect the VLAN change and know they were supposed to re-DHCP. We don't recommend VLAN changes as a best practice even with RADIUS.

4) SNMP does not inherently support Accounting for later audits

Also, SNMP based port-control breaks daisy-chained endpoints, like a PC behind a phone. Or in other terms, one endpoint can create a DOS for all other endpoints on the same port. 802.1X based sessions on the other hand, can be granular, which specific endpoints subject to specific authorization(s).

Just in case, if the customer does not want to do RADIUS at all, then even ISE can support SNMP based access control, make sure you educate them on the limitations listed above before they decide to go either way.

Could you share some docs for ISE SNMP-based access control?

Enabling dot1x on the access switches and ensuring all wired endpoints 802.1x take time, so in the meanwhile, I would like to look into the SNMP based approach. tks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: