EMAIL SUPPORT
dclessons@dclessons.comLOCATION
USInfrastructure Configuration for Profiling
Infrastructure Configuration for Profilling
Here in this section, we will learn about configuration part, what needs to be configured and where in order to enabling profiling.
DHCP helper
On the default-gateway ip helper-address should be configured, on each access-layer VLANs. Below diagram shows that under VLAN 100, DHCP server and ISE PSN node IP address are configured with ip helper-address command.
If there is very large infrastructure, avoid configure all PSN IP address under VLAN, as it may give undesirable result. Instead we should configure specific PSN ip address by using ip helper-address command which will be used for Profiling. Redundancy can also be achieved by using Anycast between two PSNs and it may also possible that these PSN may locate in different DCs.
SPAN Configuration
SPAN configuration can be done in global configuration mode, below configuration shows SPAN configuration, where an Internet Facing VLAN will be the source of the session, and interface of PSN will be Destination.
Dclessons-Core (config)# monitor session [1–4] source [interface | vlan] [rx | tx ] Dclessons-Core (config)# monitor session [1–4] destination interface [interface_name]
Below figure show the output of SPAN Monitor command:
VLAN ACL Captures
Below Configuration is show how VLAN ACL is configured
Step 1. Build an access list to classify the traffic you want to capture:
DCLESSONS-DIST(config)# ip access-list extended HTTP_TRAFFIC DCLESSONS-DIST(config-ext-nacl)# permit tcp any any eq www
Step 2. Build an access list for all the rest of the traffic:
DCLESSONS-DIST(config)# ip access-list extended ALL_TRAFFIC DCLESSONS-DIST(config-ext-nacl)# permit ip any any
Step 3. Create a VLAN access-map sequence to “capture” HTTP traffic:
DCLESSONS-DIST(config)# vlan access-map HTTP_MAP 10 DCLESSONS-DIST(config-access-map)# match ip address HTTP_TRAFFIC DCLESSONS-DIST(config-access-map)# action forward capture
Step 4. Add a new sequence to the access map to forward all other traffic:
DCLESSONS-DIST(config)# vlan access-map HTTP_MAP 20 DCLESSONS-DIST(config-access-map)# match ip address ALL_TRAFFIC DCLESSONS-DIST(config-access-map)# action forward
Step 5. Apply the VLAN access map to the VLAN list:
DCLESSONS-DIST(config)# vlan filter HTTP_MAP vlan-list 41,42
Step 6. Configure the “destination” port for the PSN’s SPAN interface:
DCLESSONS-DIST(config-if)# switchport capture allowed vlan 41 DCLESSONS-DIST(config-if)# switchport capture allowed vlan add 42 DCLESSONS-DIST(config-if)# switchport capture
Device Sensor:
Device Sensor is switch or WLC feature that collects endpoint attributes locally and sends those attributes to ISE within RADIUS accounting packet. This Feature is present in Cisco Switches in IOS 15.0(1) and IOS-XE 3.3.0. And in Cisco WLC this feature is added in AireOS version 7.3. Device Sensors support three protocols: DHCP, CDP, and LLDP.
Comment
TABLE OF CONTENTS
- How to Install ISE 2.4 VM
- Initial ISE Setup
- ISE Certificate Installation
- ISE AD Integration
- Configure ISE Policy Set
- Configure Guest Access
- Guest Access With HotSpot Portal
- Guest Self-Registration for Guest Access
- Enable Self Registration with Sponsor Approval
- Configure ISE Profiling
- Customize ISE Profiling Configuration
- Configure BYOD
- Configuring ISE Compliance Services
- Configure Client Provisioning
- Configure Posture Policies
- Test & Monitor Client Based Access
RECENT POSTS
- What is Docker and Why is It Important?
- Learn Python 3.0 Programming for Network Automation
- Cisco ACI Data Centre: A Comprehensive Overview
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
LEAVE A COMMENT
Please login here to comment.