Contents
- Device Sensor
- Finding Feature Information
- Restrictions for Device Sensor
- Information About Device Sensor
- Device Sensor
- How to Configure Device Sensor
- Enabling Accounting Augmentation
- Creating a Cisco Discovery Protocol Filter
- Creating an LLDP Filter
- Creating a DHCP Filter
- Applying a Protocol Filter to the Sensor Output
- Tracking TLV Changes
- Verifying the Device Sensor Configuration
- Troubleshooting Tips
- Configuration Examples for the Device Sensor Feature
- Examples: Configuring the Device Sensor
- Additional References
- Feature Information for Device Sensor
Device Sensor
The Device Sensor feature is used to gather raw endpoint data from network devices using protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), and DHCP. The endpoint data that is gathered is made available to registered clients in the context of an access session.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Device Sensor
- Only Cisco Discovery Protocol, LLDP, DHCP, MDNS, SIP, and H323 protocols are supported.
- The session limit for profiling ports is 32.
- The length of one Type-Length-Value (TLV) must not be more than 1024 and the total length of TLVs (combined length of TLVs) of all protocols must not be more than 4096.
- The sensor profiles devices that are only one hop away.
Information About Device Sensor
Device Sensor
The device sensor is used to gather raw endpoint data from network devices. The endpoint information that is gathered helps in completing the profiling capability of devices. Profiling is the determination of the endpoint type based on information gleaned from various protocol packets from an endpoint during its connection to a network.
The profiling capability consists of two parts:
The device sensor represents the embedded collector functionality. The illustration below shows the Cisco sensor in the context of the profiling system and also features other possible clients of the sensor.
A device with sensor capability gathers endpoint information from network devices using protocols such as Cisco Discovery Protocol, LLDP, and DHCP, subject to statically configured filters, and makes this information available to its registered clients in the context of an access session. An access session represents an endpoint's connection to the network device.
The device sensor has internal and external clients. The internal clients include components such as the embedded Device Classifier (local analyzer), ATM switch processor (ASP), MSI-Proxy, and EnergyWise (EW). The external client, that is the Identity Services Engine (ISE) analyzer, will use RADIUS accounting to receive additional endpoint data.
Client notifications and accounting messages containing profiling data, along with the session events and other session-related data such as the MAC address and the ingress port, are generated and sent to the internal and external clients (ISE). By default, for each supported peer protocol, client notifications and accounting events are generated only when an incoming packet includes a TLV that has not previously been received in the context of a given session. Using CLI commands, you can instead enable client notifications and accounting events for all TLV changes, that is, whenever a new TLV is received or a previously received TLV arrives with a different value.
The device sensor's port security protects the switch from consuming memory and crashing during deliberate or unintentional denial-of-service (DoS) type attacks. The sensor limits device monitoring sessions to a maximum of 32 per port (access ports and trunk ports). A session with no activity from the host ages out after 12 hours.
How to Configure Device Sensor
The device sensor is enabled by default. These tasks are applicable only if you want to configure the sensor based on your specific requirements.
- Enabling Accounting Augmentation
- Creating a Cisco Discovery Protocol Filter
- Creating an LLDP Filter
- Creating a DHCP Filter
- Applying a Protocol Filter to the Sensor Output
- Tracking TLV Changes
- Verifying the Device Sensor Configuration
- Troubleshooting Tips
Enabling Accounting Augmentation
For the sensor protocol data to be added to the accounting messages, you must enable session accounting by using the following standard authentication, authorization, and accounting (AAA), and RADIUS configuration commands:
Device(config)# aaa new-model
Device(config)# aaa accounting dot1x default start-stop group radius
Device(config)# radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Device(config)# radius-server vsa send accounting
Creating a Cisco Discovery Protocol Filter
Perform this task to create a Cisco Discovery Protocol filter containing a list of TLVs that can be included or excluded in the device sensor output.
Creating an LLDP Filter
Perform this task to create an LLDP filter containing a list of TLVs that can be included or excluded in the device sensor output.
Creating a DHCP Filter
Perform this task to create a DHCP filter containing a list of options that can be included or excluded in the device sensor output.
Applying a Protocol Filter to the Sensor Output
Perform this task to apply a Cisco Discovery Protocol, LLDP, or DHCP filter to the sensor output. The filtered protocol data is then carried in the session notifications sent to internal sensor clients and in the accounting requests sent to the RADIUS server.
Tracking TLV Changes
Perform this task to enable client notifications and accounting events for all TLV changes. By default, for each supported peer protocol, client notifications and accounting events will only be generated where an incoming packet includes a TLV that has not previously been received in the context of a given session.
Verifying the Device Sensor Configuration
Configuration Examples for the Device Sensor Feature
Examples: Configuring the Device Sensor
The following example shows how to create a Cisco Discovery Protocol filter containing a list of TLVs:
Device> enable
Device# configure terminal
Device(config)# device-sensor filter-list cdp list cdp-list
Device(config-sensor-cdplist)# tlv name address-type
Device(config-sensor-cdplist)# tlv name device-name
Device(config-sensor-cdplist)# tlv number 34
Device(config-sensor-cdplist)# end
The following example shows how to create an LLDP filter containing a list of TLVs:
Device> enable
Device# configure terminal
Device(config)# device-sensor filter-list lldp list lldp-list
Device(config-sensor-lldplist)# tlv name chassis-id
Device(config-sensor-lldplist)# tlv name management-address
Device(config-sensor-lldplist)# tlv number 28
Device(config-sensor-lldplist)# end
The following example shows how to create a DHCP filter containing a list of options:
Device> enable
Device# configure terminal
Device(config)# device-sensor filter-list dhcp list dhcp-list
Device(config-sensor-dhcplist)# option name host-name
Device(config-sensor-dhcplist)# option name domain-name
Device(config-sensor-dhcplist)# option number 34
Device(config-sensor-dhcplist)# end
The following example shows how to apply a Cisco Discovery Protocol TLV filter list to the device sensor output:
Device> enable
Device# configure terminal
Device(config)# device-sensor filter-spec cdp include cdp-list1
The following example shows how to enable client notifications and accounting events for all TLV changes:
Device> enable
Device# configure terminal
Device(config)# device-sensor notify all-changes
Additional References
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Device Sensor
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1: Feature Information for Device Sensor
Feature Name | Releases | Feature Information
---|---|---
Device Sensor | Cisco IOS XE Release 3.3 SG | The Device Sensor feature is used to gather raw endpoint data from network devices using protocols such as Cisco Discovery Protocol, Link Layer Discovery Protocol (LLDP), and DHCP. The endpoint data that is gathered is made available to registered clients in the context of an access session. The following commands were introduced or modified: debug device-sensor, device-sensor accounting, device-sensor filter-list cdp, device-sensor filter-list dhcp, device-sensor filter-list lldp, device-sensor filter-spec, device-sensor notify, and show device-sensor cache.