The device sensor is used to gather raw endpoint data from network devices. The endpoint information that is gathered helps
in completing the profiling capability of devices. Profiling is the determination of the endpoint type based on information
gleaned from various protocol packets from an endpoint during its connection to a network.
The profiling capability consists of two parts:
The device sensor represents the embedded collector functionality. The illustration below shows the Cisco sensor in the context
of the profiling system and also features other possible clients of the sensor.
A device with sensor capability gathers endpoint information from network devices using protocols such as Cisco Discovery
Protocol, LLDP, and DHCP, subject to statically configured filters, and makes this information available to its registered
clients in the context of an access session. An access session represents an endpoint’s connection to the network device.
The device sensor has internal and external clients. The internal clients include components such as the embedded Device Classifier
(local analyzer), ATM switch processor (ASP), MSI-Proxy, and EnergyWise (EW). The external client, that is the Identity Services
Engine (ISE) analyzer, will use RADIUS accounting to receive additional endpoint data.
Client notifications and accounting messages containing profiling data along with the session events and other session-related
data, such as the MAC address and the ingress port, are generated and sent to the internal and external clients (ISE). By
default, for each supported peer protocol, client notifications and accounting events are only generated where an incoming
packet includes a TLV that has not previously been received in the context of a given session. You can enable client notifications
and accounting events for all TLV changes, where either a new TLV has been received or a previously received TLV has been
received with a different value using CLI commands.
The device sensor’s port security protects the switch from consuming memory and crashing during deliberate or unintentional
denial-of-service (DoS) type attacks. The sensor limits the maximum device monitoring sessions to 32 per port (access ports
and trunk ports). In case of lack of activity from hosts, the age session time is 12 hours.