Cisco Cisco Identity Services Engine 1.2 白皮書
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 11 of 27
A triggered SNMP query from an Nmap scan is most valuable for endpoints that support SNMP agents to track
device details and operational status.
device details and operational status.
Note: To collect endpoint SNMP data as a result of the Nmap probe, ISE must be configured with the SNMP
read community strings of endpoints to be queried.
read community strings of endpoints to be queried.
Caution: Depending on the endpoints to be profiled, some healthcare organizations may prohibit the use of an
active query against medical devices. Due to the critical nature of some clinical endpoints and the fact that many
are not updated on a regular basis, there is some concern that the query may trigger a service disruption or even
device failure.
active query against medical devices. Due to the critical nature of some clinical endpoints and the fact that many
are not updated on a regular basis, there is some concern that the query may trigger a service disruption or even
device failure.
Other devices that provide an ancillary or supporting role such as Windows or Linux workstations may be
acceptable candidates for SNMP query.
acceptable candidates for SNMP query.
The SNMPQUERY probe is enabled by default.
Best practice: When available, use the Device Sensor to collect CDP, LLDP, and other endpoint attributes. (The
Device Sensor is discussed later in this guide.)
Device Sensor is discussed later in this guide.)
DHCP Probe
The Dynamic Host Configuration Protocol (DHCP) is used to assign IP addresses dynamically to hosts on a
network. Although commonly used to provide an arbitrary address from a pool of addresses, it can also reserve IP
addresses within a pool for use by specific endpoints. Consequently, DHCP provides central management of IP
addresses for both random assignment across a shared pool as well as static assignment (DHCP reservation) for
devices that require a deterministic IP address.
network. Although commonly used to provide an arbitrary address from a pool of addresses, it can also reserve IP
addresses within a pool for use by specific endpoints. Consequently, DHCP provides central management of IP
addresses for both random assignment across a shared pool as well as static assignment (DHCP reservation) for
devices that require a deterministic IP address.
Cisco ISE includes two DHCP-based probes: DHCP and DHCPSPAN.
The DHCP probes are used to collect MAC addresses, IP addresses, and various option fields sent in standard
DHCP packets. The primary difference between the two options is in the method used to send DHCP traffic to the
ISE appliance. The DHCP probe is used when the Discover, Request, or Inform packet is relayed directly to the IP
address of the ISE appliance. DHCPSPAN is used when a mirror of DHCP traffic is sent to a dedicated ISE
appliance interface using a Switched Port Analyzer (SPAN) port or a network tap.
DHCP packets. The primary difference between the two options is in the method used to send DHCP traffic to the
ISE appliance. The DHCP probe is used when the Discover, Request, or Inform packet is relayed directly to the IP
address of the ISE appliance. DHCPSPAN is used when a mirror of DHCP traffic is sent to a dedicated ISE
appliance interface using a Switched Port Analyzer (SPAN) port or a network tap.
Most Layer 3 network devices can relay DHCP requests to a remote server. The DHCP probe is generally
recommended for use with network devices capable of DHCP relay, especially when multiple distributed ISE
appliances or DHCP servers are deployed. This removes the requirement for a single chokepoint, distributes the
profiling load, and simplifies redundancy. For this configuration, the local default gateways for the access layer are
configured with helpers or relays to send an extra copy of the DHCP packets to one ISE appliance (or two for
redundancy). The ISE appliances do not respond to these packets. They only parse them for endpoint DHCP data.
recommended for use with network devices capable of DHCP relay, especially when multiple distributed ISE
appliances or DHCP servers are deployed. This removes the requirement for a single chokepoint, distributes the
profiling load, and simplifies redundancy. For this configuration, the local default gateways for the access layer are
configured with helpers or relays to send an extra copy of the DHCP packets to one ISE appliance (or two for
redundancy). The ISE appliances do not respond to these packets. They only parse them for endpoint DHCP data.
The DHCPSPAN probe can be useful in the initial discovery phase and when all DHCP traffic travels through a
specific “chokepoint” in the network, such as inline to a central DHCP server.
specific “chokepoint” in the network, such as inline to a central DHCP server.