DHCP Gleaning

In this topic, you will learn how to configure DHCP Gleaning on your Cisco Catalyst switch, if available. This allows Portnox Cloud to perform IoT fingerprinting and anti-spoofing without a dedicated DHCP forwarder.

DHCP Gleaning is a passive DHCP snooping functionality available on select Cisco Catalyst switches and wireless LAN controllers (WLCs). When combined with the Cisco Device Sensor feature, the switch or WLC reads DHCP packets from connected devices without blocking or modifying them, and forwards the collected DHCP fingerprinting data to Portnox Cloud via RADIUS accounting packets. This eliminates the need to deploy a dedicated DHCP forwarder or configure a separate router for DHCP packet forwarding.

Warning:
The configuration instructions in this topic apply to traditional Cisco IOS. Command syntax and availability may differ in Cisco IOS XE, but the same underlying principles apply. Always consult the documentation for your specific switch model and software version before configuring this feature.

At the time of writing, the following Cisco switch and WLC platforms support DHCP Gleaning with Device Sensor:

Wired switches

  • Cisco Catalyst 3850 Series
  • Cisco Catalyst 3750-X Series
  • Cisco Catalyst 3750E Series
  • Cisco Catalyst 3750 v2 Series
  • Cisco Catalyst 3560-X Series
  • Cisco Catalyst 3560CX Series
  • Cisco Catalyst 3560 v2 Series
  • Cisco Catalyst 2960-X Series
  • Cisco Catalyst 2960-XR Series
  • Cisco Catalyst 4500-E with Supervisor Engine 7E
  • Cisco Catalyst 4500-E with Supervisor Engine 7LE
  • Cisco Catalyst 4500-E with Supervisor Engine 8E
  • Cisco Catalyst 4900M Series
  • Cisco Catalyst 4900E Series
  • Cisco Catalyst 4900E-F
  • Cisco Catalyst 4948E-F
  • Cisco Catalyst 4948E
  • Cisco Catalyst 6500 with Supervisor Engine 2T
  • Cisco Catalyst 6500 with Supervisor Engine 6T
  • Cisco Catalyst 9000 Family

Wireless LAN controllers

  • Cisco Catalyst 9800 Series WLC
  • Cisco 8500 Series WLC
  • Cisco 7500 Series WLC
  • Cisco 5508 WLC
  • Cisco WiSM2 WLC
  • Cisco 3504 WLC
  • Cisco 2504 WLC
  • Cisco Catalyst Virtual WLC (vWLC)

Note:
Complete the steps below after adding a RADIUS server to your switch configuration. For instructions on configuring RADIUS on Cisco switches and wireless controllers, see Ethernet 802.1X configuration – Cisco (most models) and Wi-Fi employee access – Cisco Wireless Controller.

  1. Enable IP Device Tracking (IPDT).

    IP Device Tracking tracks the association between host IP addresses and their MAC addresses.

    ip device tracking
    Note:
    Starting with Cisco IOS XE Denali 16.1.1, the IPDT commands have changed. Use the following commands instead:
    device-tracking policy IPDT_POLICY
      tracking enable
  2. Apply the IPDT policy to all access port interfaces.

    Device-tracking policies apply only to configured switch port interfaces. Adjust the interface number to match your environment and repeat for each relevant access port on the switch:

    interface GigabitEthernet 1/0/1
      device-tracking attach-policy IPDT_POLICY
  3. Disable IPDT on trunk interfaces to prevent unnecessary tracking.

    Adjust the interface number to match your environment:

    interface TenGigabitEthernet 1/0/1
      ip device tracking maximum 0
  4. Enable Cisco Device Sensor accounting.

    Device Sensor must be enabled for Portnox Cloud advanced IoT fingerprinting:

    device-sensor accounting
  5. Enable Device Sensor change notifications.

    This enables notifications to Portnox Cloud when Device Sensor detects changes in endpoint data:

    device-sensor notify all-changes
  6. Enable DHCP snooping globally.

    ip dhcp snooping
  7. Enable DHCP snooping on the client access VLANs.

    Adjust the VLAN range to match your environment:

    ip dhcp snooping vlan 1-1000
  8. Configure and apply the DHCP Device Sensor filter list.

    device-sensor filter-list dhcp list DHCP-SENSOR-LIST
      option name host-name
      option name domain-name
      option name requested-address
      option name server-identifier
      option name parameter-request-list
      option name class-identifier
      option name client-identifier
      option name boot-file
      option name user-class-id
      option name client-fqdn
      option name pxe-client-arch
      option name pxe-client-network-id
      option name pxe-client-machine-id
      option name v-i-vendor-class
    device-sensor filter-spec dhcp include list DHCP-SENSOR-LIST
  9. Configure and apply the mDNS Device Sensor filter list.

    This prepares the switch for possible future advanced fingerprinting by Portnox Cloud of mDNS-capable devices, such as Axis and Pelco cameras:

    device-sensor filter-list mdns list MDNS-SENSOR-LIST
      tlv name pointer-records
      tlv name text-records
      tlv name srv-records
      tlv name device-version
    device-sensor filter-spec mdns include list MDNS-SENSOR-LIST
  10. Verify that CDP and LLDP are enabled on the switch.

    CDP and LLDP must be running before their Device Sensor attributes can be collected:

    cdp run
    lldp run
  11. Configure and apply the CDP Device Sensor filter list.

    This enables potential future advanced fingerprinting of CDP-capable endpoints by Portnox Cloud:

    device-sensor filter-list cdp list CDP-SENSOR-LIST
      tlv name device-name
      tlv name address-type
      tlv name capabilities-type
      tlv name version-type
      tlv name platform-type
    device-sensor filter-spec cdp include list CDP-SENSOR-LIST
  12. Configure and apply the LLDP Device Sensor filter list.

    This enables potential future advanced fingerprinting of LLDP-capable endpoints by Portnox Cloud:

    device-sensor filter-list lldp list LLDP-LIST
      tlv name chassis-id
      tlv name port-id
      tlv name time-to-live
      tlv name port-description
      tlv name system-name
      tlv name system-description
      tlv name system-capabilities
      tlv name management-address
    device-sensor filter-spec lldp include list LLDP-LIST
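To see what the switch actually gleans and forwards, the following Python decodes the DHCP options that the DHCP-SENSOR-LIST filter list in step 8 selects, using the option layout from RFC 2131/2132. This is an added example, not part of this Portnox page or of any Cisco or Portnox code; the sample DHCPDISCOVER is constructed, not captured from a real device.

```python
# DHCP-SENSOR-LIST option names (from step 8) -> DHCP option codes (RFC 2132)
SENSOR_OPTIONS = {"host-name": 12, "domain-name": 15, "requested-address": 50,
                  "server-identifier": 54, "parameter-request-list": 55,
                  "class-identifier": 60, "client-identifier": 61, "boot-file": 67,
                  "user-class-id": 77, "client-fqdn": 81, "pxe-client-arch": 93,
                  "pxe-client-network-id": 94, "pxe-client-machine-id": 97,
                  "v-i-vendor-class": 124}
CODE_TO_NAME = {v: k for k, v in SENSOR_OPTIONS.items()}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # sits right after the 236-byte BOOTP header

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value}; handles pad (0) and end (255) markers."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet with an options field")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        code = packet[i]
        if code == 0:            # pad byte: no length field follows
            i += 1
            continue
        length = packet[i + 1] if i + 1 < len(packet) else -1
        value = packet[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options

def glean(packet: bytes) -> dict:
    """Keep only what DHCP-SENSOR-LIST selects, keyed by Device Sensor name."""
    gleaned = {}
    for code, value in parse_dhcp_options(packet).items():
        name = CODE_TO_NAME.get(code)            # None for options not in the list
        if name == "parameter-request-list":     # option 55: the classic OS fingerprint
            gleaned[name] = ",".join(str(b) for b in value)
        elif name == "client-identifier":        # option 61: hw-type byte + MAC
            gleaned[name] = value.hex(":")
        elif name is not None:
            gleaned[name] = value.decode("ascii", "replace")
    return gleaned

def sample_discover() -> bytes:
    """Constructed DHCPDISCOVER from a fictitious Windows host; BOOTP header zeroed."""
    opts = (b"\x35\x01\x01"                                    # 53: DHCPDISCOVER
            + b"\x3d\x07\x01" + bytes.fromhex("001122334455")  # 61: client-id
            + b"\x0c\x05ws-01"                                 # 12: host-name
            + b"\x37\x04\x01\x03\x06\x0f"                      # 55: request list
            + b"\x3c\x08MSFT 5.0"                              # 60: class-id
            + b"\x00\xff")                                     # pad, then end
    return b"\0" * 236 + MAGIC_COOKIE + opts
```

Option 53 (message type) is parsed but dropped because it is not in the filter list, which mirrors how `filter-spec dhcp include list` restricts what the switch reports to Portnox Cloud.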