Cisco ISE will use Simple Network Management Protocol (SNMP) to query the switch for certain attributes to help identify the devices connected to the switch. We will configure SNMP communities for Cisco ISE to query, as well as SNMP traps to be sent to Cisco ISE.
Step 1 |
Configure a read-only
SNMP community. Cisco ISE needs only "read-only" SNMP commands. Ensure that this community string matches the one configured in the network device object in Cisco ISE.
|
Step 2 |
Configure the switch
to send traps. We will now enable an SNMP trap to be sent with changes to the MAC address table. A trap that includes the device MAC address and interface identifier is sent to Cisco ISE whenever a new address is inserted, removed, or moved in the address table.
|
Step 3 |
Add Cisco ISE as an
SNMP trap receiver. Here, a server is added as a trap receiver for the configured MAC notification.
|
Step 4 |
Configure Dynamic
Host Configuration Protocol (DHCP) snooping for trusted ports. DHCP snooping is not required for Cisco TrustSec 2.1, but it is considered a best practice. Not only does it enable better availability by denying rogue DHCP servers, but it also prepares the switch for other security tools such as Dynamic Address Resolution Protocol (ARP) Inspection. DHCP snooping also helps to prepare the switch for functions coming in later releases of Cisco TrustSec technology. Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as "trusted." Enter interface configuration mode for the uplink interface and configure it as a trusted port.
|
Step 5 |
Enable DHCP
snooping. DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must configure the VLANs it should work with, as follows:
|