Procedure 4 - Configure The Switch To Allow Profiling To / From Cisco ISE.

Cisco ISE will use Simple Network Management Protocol (SNMP) to query the switch for certain attributes to help identify the devices connected to the switch. We will configure SNMP communities for Cisco ISE to query, as well as SNMP traps to be sent to Cisco ISE.

Step 1
Configure a read-only SNMP community.

Cisco ISE needs only "read-only" SNMP commands. Ensure that this community string matches the one configured in the network device object in Cisco ISE.

  • C3750X(config)#snmp-server community community_string RO
Step 2
Configure the switch to send traps.

We will now enable an SNMP trap to be sent with changes to the MAC address table. A trap that includes the device MAC address and interface identifier is sent to Cisco ISE whenever a new address is inserted, removed, or moved in the address table.

  • C3750X(config)#snmp-server enable traps mac-notification change move threshold
Step 3
Add Cisco ISE as an SNMP trap receiver.

Here, a server is added as a trap receiver for the configured MAC notification.

  • C3750X(config)#snmp-server host ise_ip_address version 2c community_string mac-notification
Step 4
Configure Dynamic Host Configuration Protocol (DHCP) snooping for trusted ports.

DHCP snooping is not required for Cisco TrustSec 2.1, but it is considered a best practice. Not only does it enable better availability by denying rogue DHCP servers, but it also prepares the switch for other security tools such as

Dynamic Address Resolution Protocol (ARP) Inspection. DHCP snooping also helps to prepare the switch for functions coming in later releases of Cisco TrustSec technology.

Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as "trusted." Enter interface configuration mode for the uplink interface and configure it as a trusted port.

  • C3750X(config)#interface interface_name
  • C3750X(config-if)#ip dhcp snooping trust
Step 5
Enable DHCP snooping.

DHCP snooping is enabled at global configuration mode. After enabling DHCP snooping, you must configure the VLANs it should work with, as follows:

  • C3750X(config)#ip dhcp snooping
  • C3750X(config)#ip dhcp snooping vlan vlan_id_or_vlan_range