Enabling the DHCP Probe in Cisco ISE Policy Services Node and Configure it on a Cisco Switch

Cisco Identity Services Engine (ISE) is a comprehensive network security policy management platform that offers various features to enforce security policies across an organization’s network infrastructure. One of these features is DHCP Probe, which allows ISE to discover and profile network devices based on the DHCP traffic passing through a Cisco switch VLAN.

This training document will explain how to enable DHCP Probe in Cisco ISE Policy Services Node and configure it on a Cisco switch VLAN using the helper address or directly on the switch.

Prerequisites: Before proceeding with the configuration, ensure that you have the following prerequisites in place:

  • Cisco ISE is installed and configured
  • The Cisco switch is connected to the network and is operational
  • A VLAN is configured on the Cisco switch

Configuration Steps:

Step 1: Enable DHCP Probe in Cisco ISE Policy Services Node

  1. Log in to the Cisco ISE web interface using an administrator account.
  2. Navigate to Work Centers > Profiler.
  3. Select Node Config > Deployment and, in the right-hand pane, select the Policy Service node that will perform profiling from the list of deployed nodes.
  4. Click Edit and navigate to the DHCP tab.
  5. Click the Enable DHCP Probe checkbox.
  6. Configure the following options:
    • Probe Interval: The interval at which ISE sends DHCP probes to discover network devices.
    • Probe Retry Count: The number of times ISE attempts to send a DHCP probe to a device.
    • Probe VLAN Tag: The VLAN ID that ISE uses to send DHCP probes.

Step 2: Configure DHCP Probe on the Cisco switch VLAN using ISE Policy Node as the IP helper-address

  1. Log in to the Cisco switch using a privileged account.
  2. Navigate to the VLAN configuration mode by entering the following commands: configure terminal, then vlan vlan-id
  3. Configure the VLAN ID and VLAN name using the following commands: vlan vlan-id, then name vlan-name
  4. Assign an IP address to the VLAN interface using the following commands: interface vlan vlan-id, then ip address ip-address subnet-mask
  5. Configure the ISE Policy Node as the IP helper-address using the following command: ip helper-address ise-policy-node-ip-address

Step 3: Configure DHCP Probe directly on the Cisco switch VLAN

  1. Navigate to the interface configuration mode by entering the following command: interface interface-name
  2. Enable DHCP snooping on the interface using the following command: ip dhcp snooping
  3. Enable DHCP Probe on the interface using the following command: ip dhcp snooping information option allow-untrusted
  4. Save the configuration changes using the following command: end
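The following switch configuration, added here as a worked example and not taken from the document or from Cisco, puts Step 2 (helper address towards the ISE Policy Service Node) and Step 3 (DHCP snooping) together for one VLAN. VLAN 10, the addresses 10.10.10.1/24 (SVI), 10.1.1.10 (production DHCP server) and 10.1.1.50 (ISE PSN), and the uplink GigabitEthernet1/0/48 are constructed placeholders; the snooping commands are shown at global level, which is where Catalyst IOS accepts them.

```cisco
! Added example: Catalyst IOS configuration for the ISE DHCP probe.
! All VLAN numbers, addresses and interface names below are constructed.
configure terminal
!
! Step 2: VLAN, SVI and helper addresses
vlan 10
 name USERS
 exit
interface vlan 10
 ip address 10.10.10.1 255.255.255.0
 ! The relay forwards each client DISCOVER/REQUEST to every helper address,
 ! so the real DHCP server keeps issuing leases and the ISE PSN receives a
 ! copy of the same packets for profiling.
 ip helper-address 10.1.1.10
 ip helper-address 10.1.1.50
 exit
!
! Step 3: DHCP snooping. On Catalyst IOS these are global commands
! (assumption for this example; check the command reference of your platform).
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping information option allow-untrusted
!
! Only the uplink towards the DHCP server and the ISE PSN is trusted; access
! ports stay untrusted, so DHCP server replies arriving on them are dropped.
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
 exit
!
! Leave configuration mode, then persist the change: end by itself returns
! to privileged EXEC but does not write the running config to startup-config.
end
write memory
!
! Verification
show ip dhcp snooping
show ip dhcp snooping binding
show running-config interface vlan 10
```

The first show command should list VLAN 10 under the snooping-enabled VLANs with GigabitEthernet1/0/48 as the only trusted interface, and the binding table should fill with client MAC/IP pairs as leases are issued.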

Conclusion: DHCP Probe is an essential feature of Cisco ISE that allows organizations to discover and profile network devices based on DHCP traffic passing through a Cisco switch VLAN. By following the steps outlined in this training document, you can enable DHCP Probe in Cisco ISE Policy Services Node and configure it on a Cisco switch VLAN using either the helper address or directly on the switch.

Cisco ISE Profiling Service

Cisco Identity Services Engine (ISE) is a comprehensive network access control solution that enables organizations to manage their network security policies and enforce them consistently across all devices and users. One of the key features of Cisco ISE is its profiling service, which provides visibility into the type of devices and operating systems accessing the network.

Profiling is the process of identifying the attributes and characteristics of a device on the network. It involves collecting data about the device, such as its operating system, manufacturer, model, and other relevant details. This information is then used to create a profile for the device, which can be used to enforce network security policies and enable access to network resources.

Cisco ISE’s profiling service uses a variety of methods to identify and classify devices on the network. These methods include passive and active profiling, endpoint probes, and network-based device identification. Passive profiling involves monitoring network traffic to identify devices and their characteristics, while active profiling involves actively querying devices to collect information about them.

Endpoint probes are used to gather information about devices that are not sending traffic over the network. These probes can be configured to collect information about specific types of devices or operating systems, allowing organizations to gain visibility into their network environment. Network-based device identification involves using techniques such as port scanning and fingerprinting to identify devices on the network.

Once a device is identified and classified by the profiling service, it can be assigned to a specific group or policy based on its characteristics. For example, devices running a specific operating system can be assigned to a group with specific access permissions, or devices manufactured by a specific vendor can be assigned to a group with specific security policies.

In addition to providing visibility into the network environment, Cisco ISE’s profiling service also enables organizations to enforce security policies based on device characteristics. For example, devices that are not compliant with security policies can be prevented from accessing the network, or devices with specific vulnerabilities can be isolated from the rest of the network.

Overall, Cisco ISE’s profiling service is a powerful tool for organizations looking to gain visibility into their network environment and enforce consistent security policies. By identifying and classifying devices on the network, organizations can improve their overall security posture and ensure that only authorized devices are allowed access to network resources.