Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE and dhcp snooping

Hi all,

The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches) so we do it. However I have never understood what this accomplishes. (In terms of ISE/NAC. I understand what DHCP snooping is).

Can anyone explain? Thanks.

2 REPLIES
Cisco Employee

This command helps for ISE to


This command helps for ISE to profile endpoints
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html#wp1132818

New Member

Thanks for the reply, Vattulu

Thanks for the reply, Vattulu.

Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.

Googling around I found this article/section:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679

which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.

Still digging, I would like to understand this. Thanks for your help.

 

749
Views
0
Helpful
2
Replies
CreatePlease to create content