855 Views, 15 Helpful, 11 Replies

DNAC Endpoint Analytic (assetDeviceType)

e-chuah
Level 1

Hi,

I am trying DNAC endpoint analytic.

We have a BMS DDC endpoint connected, can see the IP address, mac address. (see attached screenshot)

It also detected the device as "Yamatake-Honeywell-Device".

I would like to know why assetDeviceType is not detected. I am expecting endpoint analytic to have some intelligence to be able to detect the device type. Do you need actual traffic flow from the endpoint in order to correctly profile and detect the DeviceType?

Any comments greatly appreciated.

Thanks

Eng Wee

11 Replies

Hi

Yamatake-Honeywell-Device is the translation of manufacturer owning OUI 00:20:04.

Honeywell produces a number of BMS devices with different functionality (fire alarm, access control, intrusion detection, etc.) with this OUI.
I guess this is what u'd like to see in the Device Type field, but in reality all of the above are just endpoints (device type from a networking POV) for either DNAC or ISE.

I also guess that with the help of profiling on ISE u could develop some more accurate definitions for such endpoints, but it will not be easy, if possible at all, and without any benefits for u as network admin.
From my recent experience, I was simply told which device (endpoint, actually) classes Honeywell will install on which ports, which enabled me to automate their distribution across the corresponding Endpoint ID groups, and that's all.

Hopefully the above will help.

Hi Andy,

Thanks for the comments.

I am running DNAC 2.3.3.6 with ISE 3.1. I am trying to use the Endpoint Analytic attribute in ISE authorization profile.

I know that the "Hardware Manufacturer" is based on OUI.

Currently, the BMS servers are not up yet. Maybe when there is communication between the DDC and the servers, the Endpoint Type can be detected (I am not sure). I have enabled CBAR; I am expecting endpoint analytic to be able to detect the Endpoint Type via deep packet inspection. I also have Panasonic CCTV connected to the Cat9300 switches, but same issue, Endpoint Type not detected.

In addition, I have Cisco 9120AP connected to the switch and registered to Catalyst 9800. Endpoint analytic can't even detect this automatically. I have to manually register the AP in order to get all the IOTAsset attributes populated. 

Is this the right behaviour of DNAC endpoint analytic?

Rgds

Eng Wee

I've never leveraged endpoint analytic in DNAC, but still I'm getting lost as to what u r trying to achieve in terms of practical benefits.

Let's imagine u'll be lucky to populate assetDeviceType field with "Cisco AP", what next?

What is really strange is that with a proper setup u should have had DNAC identify the Cisco AP (I'm pretty sure your switch can see it with CDP & device-sensor) & DNAC can pull this data from the switch... I need to take a look at how it looks in the only DNAC I've got access to recently. Will let u know.

Hi Andy,

>>Let's imagine u'll be lucky to populate assetDeviceType field with "Cisco AP", what next?

With assetDeviceType populated, I can use this in the ISE authorization policy instead of using ISE device profiles, which are more tedious to configure.

Rgds

Eng Wee

OK, clear. No idea how DNAC's endpoint analytics feature automates "profiling", but I'm a bit sceptical about its being fully automated; otherwise what would prevent Cisco from building this automation into ISE? Details about a BMS-like endpoint's purpose/function either system can take by SNMP-polling the device if it supports SNMP, & it's quite easy to implement on ISE. But as I understand now, your efforts with either approach tend to be equivalent.
P.S. In my practice with ISE, accurate Cisco AP recognition requires minimal effort. Usually sending DHCP to ISE along with the DHCP servers will do the job. UPD: just refreshed it from the community: device-sensor accounting is for sending the endpoint's attributes recognized by the switch to ISE via RADIUS accounting.

jeaves@cisco.com
Cisco Employee

Guys, AI Endpoint Analytics is an App on DNAC to help you detect what's on your network and provide a trustworthiness of those endpoints. You're right, there is a profiling function on ISE based on certainty factor. The function on AI Endpoint Analytics is based on SDAVC/CBAR profiles along with AI and ML. Work has already begun to add the AI and ML functions onto ISE as well, watch this space for further announcements on that.

AI EA can only profile based on the information it receives. You're right, many attributes are collected from the CBAR agent sent to the Cat9k but traffic is needed to be sent by the endpoint in order for the classification engine to work. That is not the only source of information though, the profiling probe replies instigated by ISE are also sent to EA as well as ServiceNow attributes if integrated. Additionally, it's good practice to connect to the NBAR cloud under Provision > Application Visibility > Discovered Applications (along with MS Office 365 Cloud and/or Infoblox DNS Server if appropriate).

So, if you haven't been sending any data from the endpoint then it's classified on what EA has, which by the sounds of it is the OUI. Send more traffic and the classifier should do its job. Obviously, occasionally there may be a device our Engineering team may not have come across, in which case there is a clustering mechanism using ML in the cloud, but that is only effective with a large number of similar endpoints.

After testing this further with data, get back to us if the profiling labels are not defined, the Engineering team may be interested in collecting the specific endpoint attributes.
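A small triage script, added here as an example (it is not Cisco's code and not from this thread): given a constructed export of EA endpoint records, it separates endpoints that already carry assetDeviceType from those profiled on OUI alone, which is the state Jonathan describes for an endpoint that has not yet sent any traffic through CBAR. The record field names, the MAC formats accepted and every OUI table entry other than 00:20:04 are assumptions.

```python
"""Triage an Endpoint Analytics export: which endpoints are still classified
on OUI alone (no assetDeviceType) and so cannot yet drive an ISE
authorization rule keyed on that attribute.

Added example, not Cisco code. The record layout and the OUI table are
constructed; only 00:20:04 -> Yamatake-Honeywell-Device comes from the thread.
"""
from collections import defaultdict

# Constructed OUI table: 00:20:04 is the one discussed in the thread,
# the other entry is a placeholder for the demo.
OUI_VENDORS = {
    "00:20:04": "Yamatake-Honeywell-Device",
    "aa:bb:cc": "Example-Vendor-1",  # placeholder, not a real assignment
}

def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def oui_of(mac: str) -> str:
    """First three octets of a normalized MAC, i.e. the vendor OUI."""
    return normalize_mac(mac)[:8]

def triage(endpoints):
    """Split records into (profiled, oui_only).

    A record is OUI-only when assetDeviceType is empty: EA has seen the MAC
    (so the manufacturer resolves from the OUI) but no endpoint traffic has
    reached CBAR/DPI, so the classifier has nothing beyond the OUI to use.
    oui_only maps vendor -> [normalized MACs] so an admin can see which
    endpoints still need to generate traffic before an ISE rule can match.
    """
    profiled, oui_only = [], defaultdict(list)
    for ep in endpoints:
        mac = normalize_mac(ep["macAddress"])
        vendor = OUI_VENDORS.get(oui_of(mac), ep.get("hardwareManufacturer") or "unknown")
        if ep.get("assetDeviceType"):
            profiled.append((mac, ep["assetDeviceType"]))
        else:
            oui_only[vendor].append(mac)
    return profiled, dict(oui_only)

# Constructed sample export (not real data).
SAMPLE = [
    {"macAddress": "00:20:04:11:22:33", "hardwareManufacturer": "Yamatake-Honeywell-Device", "assetDeviceType": ""},
    {"macAddress": "0020.0444.5566", "hardwareManufacturer": "Yamatake-Honeywell-Device", "assetDeviceType": ""},
    {"macAddress": "AA-BB-CC-01-02-03", "hardwareManufacturer": "Example-Vendor-1", "assetDeviceType": "IP Camera"},
]

if __name__ == "__main__":
    done, pending = triage(SAMPLE)
    print("profiled:", done)
    for vendor, macs in pending.items():
        print(f"OUI-only ({vendor}): {len(macs)} endpoint(s), no traffic classified yet")
```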

Thanks for nice navigation Jonathan!

Could u pls also shed more light on "...but traffic is needed to be sent by the endpoint..."? Is it about NetFlow, on-demand ERSPAN or other means?

No, when DNAC enables CBAR on the Cat9k it sends down a CBAR file to the network device flash and is used in detecting application traffic. So, any traffic transmitted by the endpoint is detected by CBAR/DPI and learned attributes/telemetry is sent to the DNAC EA app and used in classification/profiling.

Thanks a lot.

"& learned attributes/telemetry is sent to the DNAC EA app..." - could u pls elaborate further on how this happens?

Hi Jonathan,

Thanks for the explanation.

I will monitor it once the IOT devices start sending traffic.

Rgds

Eng Wee

Hi Jonathan,

For IOT devices, the IOT devices are not sending traffic yet. I will monitor DNAC Endpoint Analytic again for these devices.

But for the Cisco APs, they are already registered to the Catalyst 9800 controller, and they still didn't get automatically detected by DNAC Endpoint Analytic.

FYI,

Have followed the steps in Endpoint Analytic Deployment Guide.

"show avc sd-service info summary" command also shows status as "connected".

Thanks

Eng Wee