
Switch doesn't send all LLDP TLV to ISE

Marco__89
Level 1

Hi all,

I'm dealing with a strange behaviour for profiling (with device-sensor) in ISE 2.7. The Cisco config for the LLDP filter list is shown below:

device-sensor filter-list lldp list LLDP_LIST
 tlv name port-id
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-spec lldp include list LLDP_LIST

I also enabled accounting for device-sensor:

device-sensor accounting
device-sensor notify all-changes

When I connect an IP phone (Polycom VVX201) I can see that the switch captures the information specified within the LLDP filter. The output is:

LLDP     7:system-capabilities          6 0E 04 00 24 00 20
LLDP     6:system-description         102 0C 64 50 6F 6C 79 63 6F 6D 3B 56 56 58 2D 56 56
                                          58 5F 32 30 31 3B 33 31 31 31 2D 34 30 34 35 30
                                          2D 30 30 31 2C 31 3B 53 49 50 2F 35 2E 35 2E 31
                                          2E 31 31 35 32 36 2F 32 32 2D 4E 6F 76 2D 31 36
                                          20 31 34 3A 35 35 3B 55 50 2F 35 2E 37 2E 31 2E
                                          31 33 32 36 31 2F 32 32 2D 4E 6F 76 2D 31 36 20
                                          31 35 3A 30 36 3B
LLDP     5:system-name                 17 0A 0F 50 6F 6C 79 63 6F 6D 20 56 56 58 20 32 30
                                          31
LLDP     2:port-id                      9 04 07 03 64 16 7F 82 CA 59

While ISE, within the Context Visibility tab, is showing the following (only lldpPortId is shown for LLDP data):

[Screenshot: Cattura.PNG]

I made a tcpdump in ISE and I saw that only 1 LLDP TLV (probably lldpPortId) is transmitted by the switch.

Due to this I cannot profile the device because ISE receives only a portion of the information. Do you know why this happens?
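
Decoding the switch output quoted above shows exactly what device-sensor has cached, for comparison with what ISE displays. This is an added example, not part of the original post or any Cisco tooling: the function names are hypothetical, the sample bytes are copied from the post (system-description left out to keep it short), and the TLV layout (7-bit type, 9-bit length header) follows IEEE 802.1AB.

```python
import re
# Sample bytes copied from the post's switch output (system-description omitted).
SAMPLE = """\
LLDP     7:system-capabilities          6 0E 04 00 24 00 20
LLDP     5:system-name                 17 0A 0F 50 6F 6C 79 63 6F 6D 20 56 56 58 20 32 30
                                          31
LLDP     2:port-id                      9 04 07 03 64 16 7F 82 CA 59
"""

CAP_BITS = ["other", "repeater", "bridge", "wlan-ap", "router", "telephone", "docsis", "station-only"]

def parse_cache(text):
    """Return {tlv_name: raw_bytes}, joining wrapped continuation lines."""
    tlvs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*LLDP\s+(\d+):(\S+)\s+(\d+)\s+(.*)", line)
        if m:
            current = m.group(2)
            tlvs[current] = [int(m.group(3)), bytearray.fromhex(m.group(4))]
        elif current and line.strip():
            tlvs[current][1] += bytearray.fromhex(line.strip())
    for name, (total, raw) in tlvs.items():
        if len(raw) != total:  # byte count printed by the switch must match
            raise ValueError(f"{name}: expected {total} bytes, got {len(raw)}")
    return {name: bytes(raw) for name, (total, raw) in tlvs.items()}

def decode_tlv(raw):
    """Split the 2-byte header (7-bit type, 9-bit length) and decode the value."""
    tlv_type, length = raw[0] >> 1, (raw[0] & 1) << 8 | raw[1]
    value = raw[2:2 + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    if tlv_type == 2:                      # Port ID: subtype byte, then the ID
        ident = value[1:]                  # subtype 3 means a MAC address
        text = ":".join(f"{b:02x}" for b in ident) if value[0] == 3 else ident.decode("ascii", "replace")
        return tlv_type, {"subtype": value[0], "id": text}
    if tlv_type in (5, 6):                 # System Name / System Description
        return tlv_type, value.decode("ascii", "replace")
    if tlv_type == 7:                      # System Capabilities: supported, then enabled
        def names(bits): return [n for i, n in enumerate(CAP_BITS) if bits >> i & 1]
        return tlv_type, {"supported": names(int.from_bytes(value[:2], "big")),
                          "enabled": names(int.from_bytes(value[2:4], "big"))}
    return tlv_type, value.hex()           # unknown type: keep the raw hex

def decode_cache(text):
    return {name: decode_tlv(raw)[1] for name, raw in parse_cache(text).items()}

if __name__ == "__main__":
    print(decode_cache(SAMPLE))
```
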

3 Replies

marce1000
VIP

 

 - It's advisable to check support for your switch: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/compatibility_doc/b_ise_sdt_27.html, in the current ISE version. Take note of the Validated OS and Minimum OS parameters too; if your switch model is recent, then you may need to upgrade ISE: https://www.cisco.com/c/en/us/support/security/identity-services-engine/products-device-support-tables-list.html

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thanks Marce1000, but this problem happens only with this type of device. I also tried with 2 different types of IP phones (Yealink T40G and Yealink T23G) and profiling was successful.

andrewswanson
Level 7

The command "device-sensor accounting" adds device sensor data to accounting records only. If you require this device to be profiled before authorization you'll need to use an ISE probe like SNMP query/DHCP.

Also, if ISE authorizes this device regardless, then ISE should receive the device-sensor data in accounting packets.

hth
Andy
