Infrastructure Configuration for Profiling
In this section we will learn what needs to be configured, and where, in order to enable profiling.
DHCP helper
An ip helper-address should be configured on the default gateway for each access-layer VLAN. The diagram below shows VLAN 100 configured with both the DHCP server and the ISE PSN node IP address using the ip helper-address command.
In a very large infrastructure, avoid configuring every PSN IP address under the VLAN, as this may give undesirable results. Instead, configure only the specific PSN IP address that will be used for profiling with the ip helper-address command. Redundancy can also be achieved by using Anycast between two PSNs, and these PSNs may be located in different data centers.
SPAN Configuration
SPAN is configured in global configuration mode. The configuration below creates a SPAN session in which an Internet-facing VLAN is the source and the PSN's interface is the destination.
Dclessons-Core (config)# monitor session [1–4] source [interface | vlan] [rx | tx]
Dclessons-Core (config)# monitor session [1–4] destination interface [interface_name]
The figure below shows the output of the SPAN monitor command:
VLAN ACL Captures
The configuration below shows how a VLAN ACL (VACL) capture is configured:
Step 1. Build an access list to classify the traffic you want to capture:
DCLESSONS-DIST(config)# ip access-list extended HTTP_TRAFFIC
DCLESSONS-DIST(config-ext-nacl)# permit tcp any any eq www
Step 2. Build an access list for all the rest of the traffic:
DCLESSONS-DIST(config)# ip access-list extended ALL_TRAFFIC
DCLESSONS-DIST(config-ext-nacl)# permit ip any any
Step 3. Create a VLAN access-map sequence to “capture” HTTP traffic:
DCLESSONS-DIST(config)# vlan access-map HTTP_MAP 10
DCLESSONS-DIST(config-access-map)# match ip address HTTP_TRAFFIC
DCLESSONS-DIST(config-access-map)# action forward capture
Step 4. Add a new sequence to the access map to forward all other traffic:
DCLESSONS-DIST(config)# vlan access-map HTTP_MAP 20
DCLESSONS-DIST(config-access-map)# match ip address ALL_TRAFFIC
DCLESSONS-DIST(config-access-map)# action forward
Step 5. Apply the VLAN access map to the VLAN list:
DCLESSONS-DIST(config)# vlan filter HTTP_MAP vlan-list 41,42
Step 6. Configure the “destination” port for the PSN’s SPAN interface:
DCLESSONS-DIST(config-if)# switchport capture allowed vlan 41
DCLESSONS-DIST(config-if)# switchport capture allowed vlan add 42
DCLESSONS-DIST(config-if)# switchport capture
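A consistency check for the six-step VACL capture configuration above, added here as an example and not part of the original page or of any Cisco tooling. It parses an IOS-style running-config fragment (the sample fragment, including the interface name, is constructed) and flags the two mistakes that most often break a capture: a missing final forward-all sequence, which leaves the VLAN's other traffic dropped by the VACL's implicit deny, and a VLAN in the filter list that is not allowed on the capture port.

```python
import re
# Constructed sample running-config fragment mirroring steps 3-6 above.
SAMPLE_CONFIG = """
vlan access-map HTTP_MAP 10
 match ip address HTTP_TRAFFIC
 action forward capture
vlan access-map HTTP_MAP 20
 match ip address ALL_TRAFFIC
 action forward
vlan filter HTTP_MAP vlan-list 41,42
interface GigabitEthernet1/0/48
 switchport capture allowed vlan 41
 switchport capture allowed vlan add 42
 switchport capture
"""
def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '41,42,50-52' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_vacl_capture(config):
    """Parse a VACL capture config and return a list of findings (empty if consistent)."""
    actions, filters = {}, {}   # map -> {seq: action}; map -> VLANs it is applied to
    capture_vlans, capture_on, current = set(), False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"vlan access-map (\S+) (\d+)", line):
            current = (m[1], int(m[2]))
        elif line.startswith("action ") and current:
            actions.setdefault(current[0], {})[current[1]] = line[7:]
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)", line):
            filters[m[1]] = expand_vlan_list(m[2])
        elif m := re.match(r"switchport capture allowed vlan (?:add )?(\S+)", line):
            capture_vlans |= expand_vlan_list(m[1])
        elif line == "switchport capture":
            capture_on = True
    findings = []
    for name, vlans in filters.items():
        seqs = actions.get(name, {})
        # VACLs end in an implicit deny: without a final plain 'forward' sequence, uncaptured frames are dropped.
        if not seqs or seqs[max(seqs)] != "forward":
            findings.append(f"{name}: no final forward-all sequence, unmatched traffic is dropped")
        missing = sorted(vlans - capture_vlans)
        if missing:
            findings.append(f"{name}: VLAN(s) {missing} filtered but not allowed on the capture port")
    if filters and not capture_on:
        findings.append("capture port is missing 'switchport capture'")
    return findings
```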
Device Sensor
Device Sensor is a switch or WLC feature that collects endpoint attributes locally and sends them to ISE in RADIUS accounting packets. The feature is available on Cisco switches from IOS 15.0(1) and IOS-XE 3.3.0, and on the Cisco WLC from AireOS 7.3. Device Sensor supports three protocols: DHCP, CDP, and LLDP.