cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4090
Views
15
Helpful
6
Replies

Using IP Helper for Cisco ISE

Matthew Martin
Contributor
Contributor

Hello All,

 

Cisco ISE v2.3

 

We have the DHCP Probe enabled on the ISE server (*not DHCP SPAN though). And I currently have "ip helper-address <ise-ip>" configured for the User/Data vlan only.

 

But, we also have a couple of other Vlans that are used for when devices are Non-Compliant, Guest Wi-Fi, BYOD, Voice, etc...

 

I was wondering if I should be using the "ip helper-address" commands on these other Vlans as well?

 

Our branch offices use FlexConnect APs, so the different Wi-Fi networks have the Vlans and DHCP Pools configured locally on the Switch in each branch office. So I was wondering if ip helper should be used for those other Vlans as well, *i.e. Guest vlan, BYOD vlan, non-compliant vlan, and maybe even the Voice vlan...?

 

Thanks in Advance,

Matt

6 Replies 6

Hi Matt,
I don't see why not, you'll get more detailed information on the connected endpoint. I guess it also depends on what other profile probes you've enabled e.g snmp/device sensor, if they provide all the information to identify the endpoints on those VLANs then another probe may not be necessary.

HTH

Hey, thanks for the reply, much appreciated! Ok, that makes sense.

One thing I wasn't sure about though... Since in our branch offices the Layer 3 interface and the dhcp pool are configured on the same device, the layer 3 interface didn't require an "ip helper-address" in order to find the DHCP server/pool since it is the dhcp server itself. In that case, would I need to add a helper address pointing to itself?

I just wasn't sure if adding the ip helper-address pointing to the ISE Servers on the layer 3 interface, would somehow stop the DHCP packets from reaching the DHCP pool on the Router/Switch... Does that make sense?

-Matt

One other question related to ISE Profiling and Probes.

 

I just read the following statement:

SNMPQUERY and SNMPTRAP

SNMP is used to query NADs that do not yet support Cisco’s device sensor. After enabling the SNMPQUERY probe, ISE will poll all the SNMP-enabled NADs at the configured polling interval.

NOTE: It is recommended to remove SNMP settings from NADs that support IOS sensor to avoid double work and wasted processing.

 

Is "IOS Sensor" referring to CDP and LLDP? If so, my switches do support these features, and I have SNMP checked under each of our NAD's settings. So should I disable SNMP in the NAD settings for each switch? And is CDP and LLDP automatically used without needing to enable anything extra in ISE, hey are already enabled within IOS?

 

Thanks Again,
Matt

 

What version of IOS and on which platfrom? If the switches support device sensor, you should remove any ip forwarders, SNMP and let IOS encapsulate all profiling data in radius packets:

 

Device Sensor ISE Profiling

 

Also, if memory serves me correct ip forwarder does not work on the interface that is also providing DHCP services.

Hey, thanks for the reply.

In each branch location we are using the following:
- ISR4321 - IOS-XE 03.16.05.S
- WS-C2960X-24PS-L - IOS 15.2(2)E7

The 2960 contains the DHCP Pools for mostly all of the Vlans with the exception of the Guest network. That "Guest" DHCP Pool is configured on the ISR.

I guess using "Device Sensor" is preferred over using SNMP, is that correct? And, if we do go with using Device Sensor over SNMP, would I just need to uncheck "SNMP Settings" checkbox under each device in: ISE > Administration > Network Resources > Network Devices...?

For each of our NADs in ISE (*for the branch offices), we have "RADIUS Authentication Settings" and "SNMP Settings" configured... Is there anything extra that needs to be enabled on the ISE server to have it use Device Sensor, once its configured on the Switch?

Thanks again for the reply, much appreciated!

-Matt

Hi,

Device Sensor uses the RADIUS Probe (which is enabled as default) and encapsulates the data gathered from cdp, lldp and dhcp in the radius accounting packet. I find device sensor (if the switch supports it) provides enough information, so one less ISE probe to use. You are correct, just disable the SNMP settings defined under the NAD.

 

With device sensor you can be very granular with what information is sent to ISE in regard to the lldp, cdp attributes. This links here and here have some good examples on how to tweak.

 

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: