06-13-2012 06:25 PM - edited 03-12-2019 05:40 PM
Hi everyone,
We're embarking on an evaluation of ISE and trying to clarify my thoughts around the DHCP based profiling probes.
If we are using DHCP SPAN and have all DHCP traffic mirrored to ISE, should we still use IP helpers and the DHCP probe?
I would expect if we're using DHCP SPAN and mirroring all the traffic then using the DHCP probe with IP helpers on floor switches is a little redundant.
Thanks,
Mark
06-30-2012 01:06 AM
I agree: a DHCP helper would be preferable because it is "tidier", but use DHCP SPAN if that is not possible.
My interpretation of these is that since SPAN is not selective, i.e. will mirror all traffic, perhaps the documentation should just say "SPAN port". Cisco recommend doing SPAN to Gig1 rather than Gig0.
HTTP SPAN is also very useful.
Also DNS, RADIUS and SNMP probes.
In general I think the documentation could be clearer about what information each probe will give and what you need to do to get the probes working.
09-18-2012 06:24 PM
Hello,
We are also evaluating/deploying ISE. Since ISE is not in the pathway of client traffic from a wireless LAN controller, how do we do DHCP SPAN? Do we disable DHCP proxy on the controller, add a helper address on the nearest router and include the ISE address in the helper address list?
For example: if interface vlan 100 is where clients on a particular ssid are placed after validation:
int Vlan 100
 ip address 10.10.10.1 255.255.255.0
 ip helper-address
 ip helper-address
Is this how we do DHCPSPAN?
Prakash
09-18-2012 06:29 PM
Prakash,
You are on the right path; however, the latest WLC code 7.2.110 has the DHCP profiling built in, so it sends some of that information in the RADIUS packet. Also, 7.3 adds the HTTP profiling features and is configurable in the advanced submenu in the security section where you enable AAA override and RADIUS NAC.
Tarik Admani
*Please rate helpful posts*
09-19-2012 08:19 AM
Hi,
Just to add from my experience:
I am deploying ISE for the first time; I have around 100 sites (I only use ISE + WLC 7.3, no wired).
It's good to forward all DHCP requests to ISE with IP helpers before deploying.
This is what I did with one of my sites, and I had no problem when they switched over, as 90% of devices were already profiled using the DHCP probe.
Hope to help.
P.S. Note that WLC 7.3 does send the first HTTP packet to ISE, but only if you opened up Safari first after authentication; if you opened any other application that uses the HTTP protocol, it will send weird strings to ISE, i.e. VIBER and so on.
Look around, I've posted a thread about it.
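
As an added illustration for the thread as a whole (not posted by any participant, and not Cisco's code): a minimal parser showing which fields a DHCP-based profiler can read from a copied request, and how `giaddr` tells a helper-relayed copy from one mirrored off the client segment. The option set, function names and the sample packet are assumptions constructed for the example; 10.10.10.1 is the Vlan 100 address from the post above.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Options often used for DHCP fingerprinting (assumed set, not ISE's own list).
PROFILE_OPTS = {12: "hostname", 55: "param_request_list", 60: "vendor_class"}


def parse_dhcp(payload: bytes) -> dict:
    """Return the profiling-relevant fields of a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    giaddr = socket.inet_ntoa(payload[24:28])
    info = {"client_mac": payload[28:28 + hlen].hex(":"), "giaddr": giaddr,
            "relayed": giaddr != "0.0.0.0"}  # a relay (ip helper) fills in giaddr
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        name = PROFILE_OPTS.get(code)
        if name == "param_request_list":
            info[name] = list(value)  # order matters for fingerprinting
        elif name:
            info[name] = value.decode("ascii", "replace")
        i += 2 + length
    return info


def build_sample(giaddr: str) -> bytes:
    """Constructed DHCPDISCOVER; MAC, hostname and options are made-up sample values."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    hdr += bytes(12) + socket.inet_aton(giaddr)  # ciaddr, yiaddr, siaddr, then giaddr
    hdr += bytes.fromhex("020000aabbcc").ljust(16, b"\0") + bytes(192)  # chaddr, sname, file
    opts = b"\x35\x01\x01" + b"\x0c\x08lab-test" + b"\x3c\x08MSFT 5.0" + b"\x37\x04\x01\x03\x06\x0f\xff"
    return hdr + MAGIC_COOKIE + opts


if __name__ == "__main__":
    for gi in ("0.0.0.0", "10.10.10.1"):  # mirrored client copy vs. helper-relayed copy
        print(parse_dhcp(build_sample(gi)))
```

Both copies carry the same client options; only the relayed one identifies the gateway interface that forwarded it.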