Using IP Helper for Cisco ISE

Matthew Martin
Level 5

Hello All,

Cisco ISE v2.3

We have the DHCP Probe enabled on the ISE server (*not DHCP SPAN though). And I currently have "ip helper-address <ise-ip>" configured for the User/Data VLAN only.

But we also have a couple of other VLANs that are used for when devices are Non-Compliant, Guest Wi-Fi, BYOD, Voice, etc.

I was wondering if I should be using the "ip helper-address" command on these other VLANs as well?

Our branch offices use FlexConnect APs, so the different Wi-Fi networks have their VLANs and DHCP pools configured locally on the switch in each branch office. So I was wondering if ip helper should be used for those other VLANs as well, *i.e. Guest VLAN, BYOD VLAN, non-compliant VLAN, and maybe even the Voice VLAN...?

Thanks in Advance,

Matt

6 Replies

Hi Matt,
I don't see why not; you'll get more detailed information on the connected endpoint. I guess it also depends on what other profiler probes you've enabled, e.g. SNMP/device sensor. If they provide all the information to identify the endpoints on those VLANs, then another probe may not be necessary.

HTH
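As an added illustration (not configuration from this thread), this is what the branch SVIs look like once a helper entry for the ISE Policy Service Node is added to every VLAN the DHCP probe should see, as the reply above suggests. IP addresses, VLAN numbers and interface names are assumptions for the example. The `ip forward-protocol` lines are the caveat worth adding: a helper address relays more than DHCP by default, so without them the PSN also receives the subnet's TFTP, DNS, time, TACACS and NetBIOS broadcasts.

```cisco
! Added example, not the poster's configuration.
! Addresses, VLAN numbers and interfaces are hypothetical.
!
! ip helper-address turns a DHCP broadcast into a unicast copy sent to
! every listed helper. The first entry is the real DHCP server; the
! second is the ISE PSN running the DHCP probe, which only listens and
! never answers the client.
!
! By default the helper also relays UDP 37 (time), 49 (TACACS), 53 (DNS),
! 69 (TFTP), 137/138 (NetBIOS). Disable those so the PSN gets DHCP only;
! 67/68 stay enabled.
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 53
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
interface Vlan10
 description User/Data
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.1.1.20
 ip helper-address 10.1.1.50
!
! 10.1.1.20 = assumed DHCP server, 10.1.1.50 = assumed ISE PSN.
! The same pair goes on each VLAN that should be profiled.
interface Vlan20
 description Guest Wi-Fi
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.1.1.20
 ip helper-address 10.1.1.50
!
interface Vlan30
 description Non-Compliant / remediation
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 10.1.1.20
 ip helper-address 10.1.1.50
!
interface Vlan40
 description Voice
 ip address 10.10.40.1 255.255.255.0
 ip helper-address 10.1.1.20
 ip helper-address 10.1.1.50
!
! Check that the relay counters increase as clients boot:
! show ip dhcp relay information trusted-sources
! show ip interface Vlan10 | include Helper
```

Apply the `ip forward-protocol` lines once, globally; they affect every interface that has a helper address, which is usually what you want on a branch switch that only needs DHCP relayed.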

Hey, thanks for the reply, much appreciated! Ok, that makes sense.

One thing I wasn't sure about though... Since in our branch offices the Layer 3 interface and the DHCP pool are configured on the same device, the Layer 3 interface didn't require an "ip helper-address" in order to find the DHCP server/pool, since it is the DHCP server itself. In that case, would I need to add a helper address pointing to itself?

I just wasn't sure if adding the ip helper-address pointing to the ISE servers on the Layer 3 interface would somehow stop the DHCP packets from reaching the DHCP pool on the router/switch... Does that make sense?

-Matt

One other question related to ISE Profiling and Probes.

I just read the following statement:

SNMPQUERY and SNMPTRAP

SNMP is used to query NADs that do not yet support Cisco’s device sensor. After enabling the SNMPQUERY probe, ISE will poll all the SNMP-enabled NADs at the configured polling interval.

NOTE: It is recommended to remove SNMP settings from NADs that support IOS sensor to avoid double work and wasted processing.

Is "IOS Sensor" referring to CDP and LLDP? If so, my switches do support these features, and I have SNMP checked under each of our NAD settings. So should I disable SNMP in the NAD settings for each switch? And are CDP and LLDP automatically used without needing to enable anything extra in ISE, since they are already enabled within IOS?

Thanks Again,
Matt

What version of IOS and on which platform? If the switches support device sensor, you should remove any IP forwarders and SNMP, and let IOS encapsulate all profiling data in RADIUS packets:

Device Sensor ISE Profiling

Also, if memory serves me correctly, IP forwarder does not work on the interface that is also providing DHCP services.

Hey, thanks for the reply.

In each branch location we are using the following:
- ISR4321 - IOS-XE 03.16.05.S
- WS-C2960X-24PS-L - IOS 15.2(2)E7

The 2960 contains the DHCP pools for almost all of the VLANs, with the exception of the Guest network. That "Guest" DHCP pool is configured on the ISR.

I guess using "Device Sensor" is preferred over using SNMP, is that correct? And if we do go with using Device Sensor over SNMP, would I just need to uncheck the "SNMP Settings" checkbox under each device in ISE > Administration > Network Resources > Network Devices...?

For each of our NADs in ISE (*for the branch offices), we have "RADIUS Authentication Settings" and "SNMP Settings" configured... Is there anything extra that needs to be enabled on the ISE server to have it use Device Sensor, once it's configured on the switch?

Thanks again for the reply, much appreciated!

-Matt

Hi,

Device Sensor uses the RADIUS probe (which is enabled by default) and encapsulates the data gathered from CDP, LLDP and DHCP in the RADIUS accounting packet. I find device sensor (if the switch supports it) provides enough information, so it's one less ISE probe to use. You are correct, just disable the SNMP settings defined under the NAD.

With device sensor you can be very granular about what information is sent to ISE in regard to the LLDP and CDP attributes. These links here and here have some good examples of how to tweak it.

HTH
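To make the "granular" part concrete, here is an added example (not the poster's switch configuration and not taken from the linked pages) of a device sensor setup for a Catalyst access switch that sends only the CDP/LLDP TLVs and DHCP options ISE profiles on, inside RADIUS accounting, so neither a helper address to ISE nor SNMP polling is needed for profiling on that switch. The filter-list names, the RADIUS server group name `ISE` and the interface in the `show` command are assumptions.

```cisco
! Added example, not the poster's configuration.
! List names, the "ISE" server group and interface numbers are assumed.
!
! Device sensor only sees what the switch itself learns, so the
! discovery protocols must be running locally.
cdp run
lldp run
!
! Filter lists: forward only the attributes ISE actually uses for
! profiling instead of every TLV the neighbour sends.
device-sensor filter-list cdp list CDP-ISE
 tlv name device-name
 tlv name platform-type
 tlv name capabilities-type
 tlv name version-type
 tlv name address-type
!
device-sensor filter-list lldp list LLDP-ISE
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
device-sensor filter-list dhcp list DHCP-ISE
 option name host-name
 option name class-identifier
 option name parameter-request-list
!
device-sensor filter-spec cdp include list CDP-ISE
device-sensor filter-spec lldp include list LLDP-ISE
device-sensor filter-spec dhcp include list DHCP-ISE
!
! Put the collected attributes into RADIUS accounting and send an
! update whenever a new or changed attribute is learned, not only
! at session start/stop.
device-sensor accounting
device-sensor notify all-changes
!
! Accounting has to reach the ISE PSNs already (group name assumed);
! the periodic update keeps the ISE endpoint record fresh.
aaa accounting network default start-stop group ISE
aaa accounting update newinfo periodic 2880
!
! Verify what the sensor has cached before blaming ISE:
! show device-sensor cache interface GigabitEthernet1/0/5
! show device-sensor cache all
```

On the ISE side nothing beyond the default RADIUS probe is required, as the reply says; once `show device-sensor cache` shows entries for a port, the same attributes should appear on the endpoint in Context Visibility after the next accounting update, and the NAD's SNMP Settings can then be unchecked.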