ISE - DHCP SPAN and DHCP Profiling

Unanswered Question
Jun 13th, 2012

Hi everyone,

We're embarking on an evaluation of ISE and I'm trying to clarify my thoughts around the DHCP-based profiling probes.

If we are using DHCP SPAN and have all DHCP traffic mirrored to ISE, should we still use IP helpers and the DHCP probe?

I would expect if we're using DHCP SPAN and mirroring all the traffic then using the DHCP probe with IP helpers on floor switches is a little redundant.

Thanks,

Mark

grant.maynard Sat, 06/30/2012 - 01:06

I agree: a DHCP helper would be preferable because it is "tidier", but use DHCP SPAN if that is not possible.

My interpretation of these is that since SPAN is not selective, i.e. will mirror all traffic, perhaps the documentation should just say "SPAN port". Cisco recommend doing SPAN to Gig1 rather than Gig0.

HTTP SPAN is also very useful.

Also DNS, RADIUS and SNMP probes.

In general I think the documentation could be clearer about what information each probe will give and what you need to do to get the probes working.

parasup Tue, 09/18/2012 - 18:24

Hello,

We are also evaluating/deploying ISE. Since ISE is not in the pathway of client traffic from a wireless LAN controller, how do we do DHCP SPAN? Do we disable DHCP proxy on the controller, add a helper address on the nearest router and include the ISE address in the helper address list?

For example: if interface vlan 100 is where clients on a particular ssid are placed after validation:

int Vlan 100
  ip address 10.10.10.1 255.255.255.0
  ip helper-address
  ip helper-address

Is this how we do DHCPSPAN?

Prakash

Tarik Admani Tue, 09/18/2012 - 18:29

Prakash,

You are on the right path; however, the latest WLC code 7.2.110 has the DHCP profiling built in, so it sends some of that information in the RADIUS packet. Also, 7.3 adds the HTTP profiling features and is configurable in the advanced submenu in the security section where you enable AAA override and RADIUS NAC.

Tarik Admani
*Please rate helpful posts*

edondurguti Wed, 09/19/2012 - 08:19

Hi,

Just to add from my experience:

I am deploying ISE for the first time. I have around 100 sites (I only use ISE+WLC 7.3, NO WIRED).

It's good to forward all DHCP requests to ISE with IP helpers before deploying.

This is what I did with one of my sites, and I had no problem when they switched over, as 90% of devices were already profiled using the DHCP probe.

Hope to help.

P.S. Note that WLC 7.3 does send the first HTTP packet to ISE, but only if you opened up Safari first after authentication. If you opened any other application that uses the HTTP protocol, it will send weird strings to ISE, e.g. VIBER and so on.

Look around, I've posted a thread about it.

Posted June 13, 2012 at 6:25 PM
Tags: aaa, dhcp, ise