ISE and dhcp snooping

Leroy Plock
Level 1

Hi all,

The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches), so we do. However, I have never understood what this accomplishes in terms of ISE/NAC (I understand what DHCP snooping is in general).

Can anyone explain? Thanks.

Accepted Solution

Just seeing this post for the first time and it is likely resolved, but to bring closure for anyone else asking the same...

DHCP Snooping is a switch security feature that adds benefits independent of ISE and helps to ensure trust in the DHCP client and server communications. It is also foundational to other switch security features. Specific to ISE, DHCP Snooping is cited as a prerequisite for the Device Sensor feature, which allows the switch/controller to capture local DHCP traffic, parse key option attributes, and publish those to ISE as av-pairs in RADIUS Accounting Update packets. Device Sensor can do the same for other types of locally learned endpoint data such as CDP/LLDP, HTTP User Agents, mDNS, H.323, SIP, etc.

Specific to dACLs, the switch needs to learn the IP address of the client to instantiate source IP address substitution in the per-user ACL. This IP-to-MAC binding can be learned via IP Device Tracking or DHCP Snooping.

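The two mechanisms the accepted answer describes, shown as an added example that is not code from the thread or from Cisco: first, what Device Sensor extracts from a snooped DHCP packet (the option codes ISE's profiler keys on, rendered here as attribute=value strings; the attribute names follow ISE profiler naming, and the rendering is illustrative rather than the exact RADIUS cisco-av-pair encoding), and second, how the switch turns a downloaded dACL into a per-session ACL by substituting the client's learned IP for the `any` source once the DHCP Snooping binding table (or IP Device Tracking) knows it. The DHCPDISCOVER packet, the binding table and the dACL are constructed for the example.

```python
"""Added example: DHCP option extraction as Device Sensor does it, and dACL
source-IP substitution as the switch does it once the client IP is known."""
import struct

BOOTP_FMT = "!BBBBIHHIIII16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# DHCP options Device Sensor/ISE profiling care about, mapped to the attribute
# names ISE's profiler uses in its conditions (assumed from the ISE profiler UI).
ATTR_NAMES = {
    12: "host-name",
    53: "dhcp-message-type",
    55: "dhcp-parameter-request-list",
    60: "dhcp-class-identifier",
    61: "dhcp-client-identifier",
}
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from 00:11:22:33:44:55 (not a real capture)."""
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, 0x3903F326, 0, 0,
                         0, 0, 0, 0, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (
        b"\x35\x01\x01"                  # 53: message type = DISCOVER
        b"\x0c\x06LAB-PC"                # 12: host name
        b"\x37\x04\x01\x03\x06\x0f"      # 55: parameter request list 1,3,6,15
        b"\x3c\x08MSFT 5.0"              # 60: vendor class identifier
        b"\xff"                          # end
    )
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt: bytes):
    """Return (client MAC, {option code: raw value}); raise on malformed input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    hlen, chaddr = fields[2], fields[11]
    if hlen > 16:
        raise ValueError("bad hlen")
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                 # END
            break
        if code == 0:                   # PAD
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:        # length claims more bytes than remain
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeats concatenate
        i += 2 + length
    return mac, opts


def device_sensor_avpairs(mac: str, opts: dict) -> list:
    """Render the parsed options the way a Device Sensor report carries them to
    ISE (illustrative attribute=value form, not the exact cisco-av-pair wire
    encoding). Options not in the sensor's filter-list are skipped."""
    pairs = [f"calling-station-id={mac}"]
    for code, value in sorted(opts.items()):
        name = ATTR_NAMES.get(code)
        if name is None:
            continue
        if code == 53:
            text = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 55:
            text = ",".join(str(b) for b in value)
        elif code == 61:
            text = value.hex()
        else:
            text = value.decode("ascii", errors="replace")
        pairs.append(f"{name}={text}")
    return pairs


def instantiate_dacl(dacl_lines: list, client_ip) -> list:
    """Per-user ACL instantiation: the 'any' source of each ACE becomes
    'host <client IP>'. client_ip is what the switch learned via IP Device
    Tracking or the DHCP Snooping binding table; with no binding the dACL
    cannot be applied to the session yet."""
    if not client_ip:
        raise ValueError("no IP binding for session; dACL not yet applicable")
    out = []
    for line in dacl_lines:
        tok = line.split()
        if len(tok) >= 3 and tok[0] in ("permit", "deny") and tok[2] == "any":
            tok[2:3] = ["host", client_ip]
        out.append(" ".join(tok))
    return out


if __name__ == "__main__":
    mac, opts = parse_dhcp(build_sample_discover())
    print("\n".join(device_sensor_avpairs(mac, opts)))
    bindings = {mac: "10.0.0.25"}    # constructed snooping binding (MAC -> IP)
    dacl = ["permit tcp any host 10.1.1.10 eq 443", "deny ip any any"]
    print("\n".join(instantiate_dacl(dacl, bindings.get(mac))))
```

The second half is the practical reason the validator wants snooping on: with neither DHCP Snooping nor IP Device Tracking, `bindings.get(mac)` is empty and the dACL has no source address to substitute, so the per-user ACL is never instantiated for that session.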

3 Replies

Venkatesh Attuluri
Cisco Employee


This command helps ISE to profile endpoints:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html#wp1132818

Thanks for the reply, Vattulu.

Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.

Googling around, I found this article/section:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679

which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.

Still digging, I would like to understand this. Thanks for your help.

