
Cisco ISE - IPv6/DHCPv6 profiling


Introduction

This document describes how to configure Cisco L3 devices to forward DHCPv6 information to ISE for profiling purposes. Note that although Cisco IOS doesn't support DHCPv6 via device sensor, it still sends IPv6 via RADIUS accounting, which ISE picks up in an IPv6-enabled network. At the time of this writing there are two main ways to profile DHCPv6: one is to use the DHCP relay feature on the router / L3 switch, and the other is to use port SPAN on the PSN and monitor the DHCP server interface. The steps below allow ISE to learn DHCPv6 information in an IPv6 network using the DHCP relay feature on the router / L3 switch.

 

Setup

VLAN information

             VLAN   IPv6            IPv4
ISE VLAN     201    2001:201::/64   192.168.201.0/24
Client VLAN  15     2001:15::/64

 

IP information

                   IPv6           IPv4
ISE Subnet SVI     2001:201::1    192.168.201.1
Client Subnet SVI  2001:15::1
ISE IP address     2001:201::93   192.168.201.93
DHCP server        2001:201::71

 

Components used

ISE 3.1

Catalyst 3560CX 15.2(4)E3

 

Configuration

Configure IPv6 on the router / L3 switch

This configuration uses DHCPv6 relay to copy the DHCP Solicit message to ISE for profiling purposes.

3560CX# configure terminal
3560CX(config)# ipv6 unicast-routing
3560CX(config)# interface Vlan15
3560CX(config-if)# ipv6 address 2001:15::1/64
3560CX(config-if)# ipv6 enable
3560CX(config-if)# ipv6 dhcp relay destination 2001:201::71
3560CX(config-if)# ipv6 dhcp relay destination 2001:201::93
3560CX(config-if)# no shut
3560CX(config-if)# interface Vlan201
3560CX(config-if)# ip address 192.168.201.1 255.255.255.0
3560CX(config-if)# ipv6 address 2001:201::1/64
3560CX(config-if)# ipv6 enable
3560CX(config-if)# no shut

 

Configure IPv6 on ISE

For ISE to receive DHCPv6 via DHCP relay, ISE needs an IPv6 address. Note that as the IPv4 and IPv6 addresses are entered, you will be prompted to restart the service.

ise/admin# configure terminal
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 192.168.201.93 255.255.255.0
ise/admin(config-GigabitEthernet)# ipv6 address 2001:201::93/64
ise/admin(config-GigabitEthernet)# ipv6 enable

 

Sample DHCPv6 Attributes and values

The following attributes and values will be visible in ISE Context Visibility:

dhcpv6-client-fqdn WINDOWS
dhcpv6-client-identifier 00:01:00:01:28:96:b0:8d:98:48:27:27:65:17
dhcpv6-client-linklayer-address 00:01:58:ef:68:e6:9d:30
dhcpv6-elapsed-time 0
dhcpv6-ia-na 2001:0201:0000:0000:efb4:9e4d:47a7:d9b8
dhcpv6-interface-id 01:04:56:6c:31:35
dhcpv6-message-type SOLICIT
dhcpv6-oro 17, 23, 24, 39
dhcpv6-remote-id 00:00:00:09:02:00:07:01:00:0f:00:0a:00:03:00:01:cc:5a:53:d9:5c:80
dhcpv6-server-identifier 00:01:00:00:60:02:9e:6d:00:50:56:25:73:38
dhcpv6-vendor-class enterprise-id 311, (MSFT 5.0)
ipv6 2001:0015:0000:0000:044b:efac:5dad:425c, 2001:0015:0000:0000:5d06:7f51:7472:e782
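
Added example, not part of the original document or of any Cisco code: a Python decoder for four of the sample values above, using the RFC 8415 DUID layouts and assuming dhcpv6-client-linklayer-address carries the RFC 6939 option (2-byte link-layer type plus address) inserted by the relay. The helper names are hypothetical. It shows that the MAC embedded in the client DUID differs from the MAC the relay saw, which matters when correlating a profiled endpoint with its RADIUS session.

```python
from datetime import datetime, timedelta, timezone

SAMPLE = {  # values copied from the sample attribute list on this page
    "dhcpv6-client-identifier": "00:01:00:01:28:96:b0:8d:98:48:27:27:65:17",
    "dhcpv6-client-linklayer-address": "00:01:58:ef:68:e6:9d:30",
    "dhcpv6-interface-id": "01:04:56:6c:31:35",
    "dhcpv6-remote-id": "00:00:00:09:02:00:07:01:00:0f:00:0a:00:03:00:01:cc:5a:53:d9:5c:80",
}
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base (RFC 8415)

def to_bytes(value):
    return bytes.fromhex(value.replace(":", ""))

def u(b):
    return int.from_bytes(b, "big")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_duid(value):
    """Decode the link-layer DUID types; other types are returned undecoded."""
    b = to_bytes(value)
    kind = u(b[:2])
    if kind == 1 and len(b) > 8:    # DUID-LLT: hw type, timestamp, address
        return {"type": "DUID-LLT", "hw_type": u(b[2:4]),
                "generated": DUID_EPOCH + timedelta(seconds=u(b[4:8])),
                "lladdr": mac(b[8:])}
    if kind == 3 and len(b) > 4:    # DUID-LL: hw type, address
        return {"type": "DUID-LL", "hw_type": u(b[2:4]), "lladdr": mac(b[4:])}
    return {"type": f"type-{kind}", "lladdr": None}

def printable_tail(value):
    """Longest trailing run of printable ASCII in an opaque option value."""
    b = to_bytes(value)
    i = len(b)
    while i > 0 and 0x20 <= b[i - 1] < 0x7F:
        i -= 1
    return b[i:].decode("ascii")

def summarize(attrs):
    duid = decode_duid(attrs["dhcpv6-client-identifier"])
    relay = to_bytes(attrs["dhcpv6-client-linklayer-address"])  # 2-byte hw type + address
    return {
        "duid": duid,
        "relay_seen_mac": mac(relay[2:]),
        "duid_mac_matches_relay": duid["lladdr"] == mac(relay[2:]),
        "remote_id_enterprise": u(to_bytes(attrs["dhcpv6-remote-id"])[:4]),
        "interface_id_text": printable_tail(attrs["dhcpv6-interface-id"]),
    }
```

Calling `summarize(SAMPLE)` reports a DUID-LLT whose embedded address is not the relay-observed one, a remote-id enterprise number of 9 (Cisco's IANA enterprise number), and an interface-id ending in the text of the client SVI name.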

 

 
