Endpoint tracking and history in SDA fabric

Hello,

I'm interested in finding out how people manage tracking of endpoints on SDA fabric networks. Particularly when it comes to seeing the history of a client as it moves on the network and where IP addresses change. I'm talking about on the wired network here, not wireless.

There are cases where our security team want to know, for a given IPv4 and v6 address, what was the corresponding MAC address and where was it connected at a given time. At the moment, we use a combination of things including DHCP server logs, netflow and DNS registrations. However, with SDA, there seems to be movement away from using custom built tools and scripts to log this data in favour of assurance tools built in to DNA Center.

The current Client 360 tab seems to log data for 7 days, but is there any way (beyond creating custom tools) to collect this data over a larger time span? Also, what do people do about IPv6 where clients can have multiple addresses and addresses that change regularly without DHCP (where auto-configuration is in place)? I can see that the control plane will have this data in LISP and EID tables. However, aside from writing a script that scrapes the LISP/EID tables on all the switches periodically, I can't see an easy way to collect this data over time and present it in a readable fashion.

I wonder whether this is something Cisco have thought about or whether people have come up with alternative ways to do this. Curious to hear peoples' thoughts.

James
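A minimal form of the periodic-scrape approach described above, as an added example (not Cisco's or Catalyst Center's code): it takes already-parsed snapshots of the switches' endpoint tables (the poller and the table parsing are assumed and not shown; the sample polls are constructed), turns them into time intervals, and answers the security team's "which MAC had this IP at this time, and where" question, including IPv6 addresses written in different textual forms.

```python
# Added example for this thread (not Cisco or Catalyst Center code). A poller that
# reads each switch's endpoint/EID table is assumed and not shown; data is constructed.
from collections import namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address

Binding = namedtuple("Binding", "ip mac switch port first_seen last_seen")

def norm_mac(mac):
    h = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def build_history(snapshots):
    # snapshots: [(timestamp, [(ip, mac, switch, port), ...]), ...] in time order.
    # An interval grows while polls keep seeing the binding; a miss closes it.
    history, open_idx = [], {}
    for ts, rows in snapshots:
        seen = set()
        for ip, mac, switch, port in rows:
            key = (str(ip_address(ip)), norm_mac(mac), switch, port)  # normalised
            seen.add(key)
            if key in open_idx:
                history[open_idx[key]] = history[open_idx[key]]._replace(last_seen=ts)
            else:
                open_idx[key] = len(history)
                history.append(Binding(*key, ts, ts))
        for key in set(open_idx) - seen:
            del open_idx[key]
    return history

def who_had(history, ip, when, slack=timedelta(0)):
    # slack (e.g. one poll interval) covers the gap between the last poll that saw
    # a binding and the first one that did not; v4/v6 text forms are normalised.
    t = str(ip_address(ip))
    return [b for b in history
            if b.ip == t and b.first_seen - slack <= when <= b.last_seen + slack]

def addresses_of(history, mac, start, end):
    # every address a MAC held in the window, so IPv6 SLAAC churn is visible.
    m = norm_mac(mac)
    return sorted({b.ip for b in history
                   if b.mac == m and b.first_seen <= end and b.last_seen >= start})

T0 = datetime(2024, 1, 1, 9, 0)    # constructed start of the polling run
def at(minutes):                    # poll timestamp `minutes` after T0
    return T0 + timedelta(minutes=minutes)
SNAPSHOTS = [  # constructed polls, 5 minutes apart
    (at(0), [("10.1.1.20", "0011.2233.4455", "edge1", "Gi1/0/5"),
             ("2001:db8::1", "0011.2233.4455", "edge1", "Gi1/0/5")]),
    (at(5), [("10.1.1.20", "0011.2233.4455", "edge1", "Gi1/0/5"),
             ("2001:DB8:0:0::2", "0011.2233.4455", "edge1", "Gi1/0/5")]),
    (at(10), [("10.1.1.20", "66:77:88:99:aa:bb", "edge2", "Gi1/0/1")]),
]
```

`who_had(build_history(SNAPSHOTS), "10.1.1.20", at(10))` returns only the edge2 binding, because the earlier binding of the same IP closed when the third poll no longer saw it.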

7 Replies

"I'm interested in finding out how people manage tracking of endpoints on SDA fabric networks"
u just enter MAC or IP into the DNAC search field (right top of DNAC window) or u do similar thing (w/ MAC only) in the ISE or u do it via Operation/Report/Reports/Endpoints and Users/Radius AAA.
"The current Client 360 tab seems to log data for 7 days".
u may extend operational log history on ISE (365 days maximum afair) but consider impact on MnT performance.
other than that u can send AAA logs to the external syslog system (SIEM f.e. :0) to achieve suitable retention time 

Preston Chilcote
Cisco Employee

Assurance stores data for 30 days. You can adjust the dates on the Time Range drop down in any of the 360 assurance pages. 7 days is as low a granularity as you can inspect at one time, however.

I haven't tested this with changing IPs, but I would hope, for simplicity's sake, that the solution to your question is to search assurance for the username instead of IP. Hopefully that page aggregates all of the information for that user, even if the IP changes. I would look at the Event Viewer on that page for historical records of DHCP activity.

There are also several client related reports that could help (click Reports from the main Catalyst Center menu), though they may be geared more for wireless.

Thanks for your replies. I should note that we're not currently using 802.1X on the wired network, so have no records from that point of view. Instead, the network has no authentication in place.

James

Preston Chilcote
Cisco Employee

@JamesChristley2230 In that case, I would hope that the client record would be bound to something more static like a mac address so that the assurance info can be kept tidy and not dependent on IP. Do you have a way to check that for us?

Yes, once we know the MAC address, we can verify where the client is connected and trace it against a user. As I mentioned, the issue we have is where we get given an IP address and a time it was used, and need to correspond that with a user.

James

afaik history of the MAC-to-IP mapping can be retained in the RADIUS accounting logs. But you don't use RADIUS. I'm also not sure that DNAC collects this mapping directly from switches.

Preston Chilcote
Cisco Employee

Ah, sorry, I got stuck in the weeds and lost track of the original ask. Please submit a Make a Wish via the Catalyst Center (aka Cisco DNA) help menu to let the Product Team know that this would be a helpful feature. I agree with you that it would be very helpful to avoid having to hop around multiple tools to get this info.
