Information About SISF-Based Device Tracking
Overview of SISF-Based Device Tracking
The Switch Integrated Security Features-based (SISF-based) device tracking feature is part of the suite of first-hop security features.
The main role of the feature is to track the presence, location, and movement of end nodes in the network. SISF snoops traffic received by the switch, extracts the device identity (MAC and IP address), and stores it in a binding table. Many features, such as IEEE 802.1X, web authentication, Cisco TrustSec, and LISP, depend on the accuracy of this information to operate properly, so an incomplete or stale binding table degrades the enforcement those features provide.
SISF-based device tracking supports both IPv4 and IPv6.
Even with the introduction of SISF-based device tracking, the legacy device tracking CLI (IP Device Tracking (IPDT) and IPv6 Snooping CLI) continues to be available. When you boot up the switch, the set of commands that is available depends on the existing configuration, and only one of the following is available:
- SISF-based device tracking CLI, or
- IPDT and IPv6 Snooping CLI
Note: The IPDT and IPv6 Snooping commands are deprecated, but continue to be available. We recommend that you upgrade to SISF-based device tracking.
If you are using the IPDT and IPv6 Snooping CLI and want to migrate to SISF-based device tracking, see Migrating from legacy IPDT and IPv6 Snooping to SISF-Based Device Tracking, for more information.
SISF-based device tracking can be enabled manually (by using device-tracking commands), or programmatically (which is the case when providing device tracking services to other features).
Options to Enable SISF-Based Device Tracking
SISF-Based device tracking is disabled by default.
You can enable it by defining a device tracking policy and attaching the policy to a specific target.
Note: The target can be an interface or a VLAN.
Manually Enabling SISF-Based Device Tracking
- Option 1: Apply the default device tracking policy to a target.
  Enter the device-tracking command in interface configuration mode or in VLAN configuration mode. The system then attaches the default policy to that interface or VLAN.
  Note: The default policy is a built-in policy with default settings; you cannot change any of the attributes of the default policy. To be able to configure device tracking policy attributes, you must create a custom policy. See Option 2: Create a custom policy with custom settings.
- Option 2: Create a custom policy with custom settings.
  Enter the device-tracking policy command in global configuration mode and specify a custom policy name. The system creates a policy with the name you specify. You can then configure the available settings in device tracking configuration mode (config-device-tracking), and attach the policy to a specified target with the device-tracking attach-policy command.
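The following session is an added example and is not taken from this guide; it shows both options end to end on one device. The built-in default policy is attached with the plain device-tracking command on one interface, and a custom policy is created in global configuration mode and attached to a second interface and to a VLAN. The policy name SISF_ACCESS, the interface names, the VLAN number, and the attribute values are assumptions chosen for illustration; the show commands at the end verify what was created and attached.

```text
! Option 1: attach the built-in default policy to an access port
! (GigabitEthernet1/0/1 is an assumed example interface)
Device# configure terminal
Device(config)# interface GigabitEthernet1/0/1
Device(config-if)# device-tracking
Device(config-if)# exit

! Option 2: create a custom policy (the name SISF_ACCESS is assumed) and
! set the attributes that the default policy does not let you change
Device(config)# device-tracking policy SISF_ACCESS
Device(config-device-tracking)# device-role node
Device(config-device-tracking)# tracking enable
Device(config-device-tracking)# limit address-count 10
Device(config-device-tracking)# exit

! Attach the custom policy to a second access port ...
Device(config)# interface GigabitEthernet1/0/2
Device(config-if)# device-tracking attach-policy SISF_ACCESS
Device(config-if)# exit

! ... and to a VLAN (VLAN 100 is assumed)
Device(config)# vlan configuration 100
Device(config-vlan-config)# device-tracking attach-policy SISF_ACCESS
Device(config-vlan-config)# end

! Verify: which policies exist, where each is attached, and the bindings learned
Device# show device-tracking policies
Device# show device-tracking policy SISF_ACCESS
Device# show device-tracking database
```

The limit address-count attribute is worth setting on host-facing ports: it caps the number of bindings a single port can contribute, so one misbehaving or spoofing host cannot fill the binding table that 802.1X, web authentication and IPSG depend on. Keep device-role node on access ports; the trusted-port and device-role switch settings relax the checks and belong only on ports facing trusted infrastructure.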
Programmatically Enabling SISF-Based Device Tracking
Some features rely on device tracking and utilize the trusted database of binding entries that SISF-based device tracking builds and maintains. These features, also called device tracking clients, enable device tracking programmatically; that is, they create and attach the device tracking policy themselves.
Note: The exceptions here are IEEE 802.1X, web authentication, Cisco TrustSec, and IP Source Guard (IPSG). They also rely on device tracking, but they do not enable it. For these device tracking clients, you must enter the ip dhcp snooping vlan vlan command to programmatically enable device tracking on a particular target.
Note the following about programmatically enabling SISF-based device tracking:
- A device tracking client requires device tracking to be enabled. There are several device tracking clients; therefore, multiple programmatic policies could be created. The settings of each policy differ depending on the device tracking client that creates the policy.
- The policy that is created, and its settings, are system-defined. Configurable policy attributes are available in device tracking configuration mode (config-device-tracking) and vary from one release to another. If you try to modify an attribute that is not configurable, the configuration change is rejected and an error message is displayed.
For release-specific information about programmatically created policies, see Programmatically Enabling SISF-Based Device Tracking in Cisco IOS XE <release name> <release number> in the required version of the document.
Migrating from Legacy Commands to SISF-Based Device-Tracking Commands
Migrating from Legacy IPDT and IPv6 Snooping to SISF-Based Device Tracking
Starting with Cisco IOS XE Denali 16.1.1, the existing IPv6 snooping and IP Device Tracking (IPDT) commands have corresponding SISF-based device-tracking commands that allow you to apply your configuration to both IPv4 and IPv6 address families.
After you have upgraded from a Cisco IOS XE 3.x.x release to a Cisco IOS XE 16.x.x release, enter the device-tracking upgrade-cli command to convert legacy IPDT and IPv6 Snooping commands to SISF-based device tracking commands. After you run the command, only the new device-tracking commands are available on your device, and the legacy commands are no longer supported.
Based on the legacy configuration that exists on your device, the device-tracking upgrade-cli command upgrades your CLI differently. Consider the following configuration scenarios and the corresponding migration results before you migrate your existing configuration.
Note: You cannot configure a mix of the old IPDT and IPv6 snooping CLI with the new SISF-based device-tracking CLI.
Only IPDT Configuration Exists
If your device has only IPDT configuration, running the device-tracking upgrade-cli command converts the configuration to use the new SISF policy that is created and attached to the interface. You can then update this SISF policy.
If you continue to use the legacy commands instead, you are restricted to a legacy mode in which only the legacy IPDT and IPv6 snooping commands are available on the device.
Only IPv6 Snooping Configuration Exists
On a device with existing IPv6 snooping configuration, the old IPv6 Snooping commands are available for further configuration. The following options are available:
- (Recommended) Use the device-tracking upgrade-cli command to convert all your legacy configuration to the new SISF-based device tracking commands. After conversion, only the new device tracking commands will work on your device.
- Use the legacy IPv6 Snooping commands for your future configuration and do not run the device-tracking upgrade-cli command. With this option, only the legacy IPv6 Snooping commands are available on your device, and you cannot use the new SISF-based device tracking CLI commands.
Both IPDT and IPv6 Snooping Configuration Exist
On a device that has both legacy IPDT configuration and IPv6 snooping configuration, you can convert legacy commands to the SISF-based device tracking CLI commands. However, note that only one snooping policy can be attached to an interface, and the IPv6 snooping policy parameters override the IPDT settings.
Note: If you do not migrate to the new SISF-based commands and continue to use the legacy IPv6 snooping or IPDT commands, your IPv4 device tracking configuration information may be displayed in the IPv6 snooping commands, because the SISF-based device tracking feature handles both IPv4 and IPv6 configuration. To avoid this, we recommend that you convert your legacy configuration to SISF-based device tracking commands.
No IPDT or IPv6 Snooping Configuration Exists
If your device has no legacy IP Device Tracking or IPv6 Snooping configurations, you can use only the new SISF-based device tracking commands for all your future configuration. The legacy IPDT commands and IPv6 snooping commands are not available.
Note: Starting from Cisco IOS XE Denali 16.3.1, the ip dhcp snooping vlan vlan command creates a device tracking policy programmatically, to support the IEEE 802.1X, web authentication, Cisco TrustSec and IPSG features. The programmatically created policy tracks both IPv4 and IPv6 clients. Ensure that this command is configured if you are using any of the aforementioned features.
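The following walk-through is an added example, not part of this guide. It starts from a constructed legacy IPDT configuration (a global probe interval and a per-port maximum, the values 30 and 10 being arbitrary), runs the conversion, and then checks the result. The converted shape described in the comments is what Table 2 below states for Cisco IOS XE Denali 16.3.7 and later; the show commands are how you confirm it on your own device, and their exact output is not reproduced here. That device-tracking upgrade-cli is entered in global configuration mode is an assumption.

```text
! Constructed legacy IPDT configuration present on the device before migration
ip device tracking probe interval 30
!
interface GigabitEthernet1/0/3
 ip device tracking maximum 10
!
! Convert the legacy IPDT and IPv6 snooping configuration to SISF-based
! device tracking. After this step only the device-tracking commands are
! accepted; the legacy ip device tracking commands are no longer supported.
Device# configure terminal
Device(config)# device-tracking upgrade-cli
Device(config)# end
!
! Confirm the conversion. Per Table 2 (16.3.7 and later), the probe interval
! maps to "device-tracking binding reachable-lifetime", and the per-port
! "ip device tracking maximum 10" becomes a system-named policy IPDT_MAX_10
! carrying "limit address-count", attached to GigabitEthernet1/0/3.
Device# show running-config | include tracking
Device# show device-tracking policies
Device# show device-tracking policy IPDT_MAX_10
!
! The binding table itself should still list the hosts behind the port, for
! both address families, since the converted policy tracks IPv4 and IPv6.
Device# show device-tracking database
```

Run the show commands before and after the conversion and compare: the security features that consume the binding table (802.1X, web authentication, IPSG) keep working only if the converted policy is attached to the same ports the legacy maximum applied to and the address-count limit is carried over rather than silently dropped.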
IPDT, IPv6 Snooping, and SISF-Based Device Tracking CLI Compatibility
Table 1 lists the legacy IPDT commands and the IPv6 snooping commands they are converted to. (The commands listed there apply if you have not upgraded to SISF-based device tracking.)
Table 2 lists the legacy IPDT commands and the corresponding SISF-based device-tracking commands. (The commands listed there apply if you have upgraded to SISF-based device tracking with the device-tracking upgrade-cli command.)
Table 1: Legacy IPDT commands and the IPv6 snooping commands they are converted to

| Legacy IP Device Tracking (IPDT) | IPv6 Snooping Command (until Cisco IOS XE Denali 16.3.6 and Cisco IOS XE Everest 16.5.x) | IPv6 Snooping Command (starting from Cisco IOS XE Denali 16.3.7 and all later releases except Cisco IOS XE Everest 16.5.x) |
|---|---|---|
| ip device tracking probe count | Set to the default value, and cannot be changed. | Set to the default value, and cannot be changed. |
| ip device tracking probe delay | ipv6 neighbor binding reachable-lifetime | Set to the default value, and cannot be changed. |
| ip device tracking probe interval | ipv6 snooping tracking retry-interval | ipv6 neighbor binding reachable-lifetime |
| ip device tracking probe use-svi | Set to the default behavior, and cannot be changed. | Set to the default behavior, and cannot be changed. |
| ip device tracking probe auto-source [ fallback host-ip-address subnet-mask ] [ override ] | ipv6 neighbor tracking auto-source [ fallback host-ip-address subnet-mask ] [ override ] | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking trace-buffer | Not supported | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking maximum n | ipv6 snooping policy IPDT_MAX_n [ limit address-count ] | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking maximum 0 | Not supported | No change, same as Cisco IOS XE Denali 16.3.6 |
| clear ip device tracking all | Not supported | No change, same as Cisco IOS XE Denali 16.3.6 |
Table 2: Legacy IPDT commands and the SISF-based device-tracking commands after conversion

| Legacy IPDT | SISF-Based Device-Tracking After SISF Conversion (until Cisco IOS XE Denali 16.3.6 and in Cisco IOS XE Everest 16.5.1a) | SISF-Based Device-Tracking After SISF Conversion (starting from Cisco IOS XE Denali 16.3.7 and all later releases except Cisco IOS XE Everest 16.5.1a) |
|---|---|---|
| ip device tracking probe count | Set to the default value, and cannot be changed. | Set to the default value, and cannot be changed. |
| ip device tracking probe delay | device-tracking binding reachable-lifetime | Set to the default value, and cannot be changed. |
| ip device tracking probe interval | device-tracking tracking retry-interval | device-tracking binding reachable-lifetime |
| ip device tracking probe use-svi | Set to the default behavior, and cannot be changed. | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking probe auto-source [ fallback host-ip-address subnet-mask ] [ override ] | device-tracking tracking auto-source [ fallback host-ip-address subnet-mask ] [ override ] | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking trace-buffer | Not supported | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking maximum n | device-tracking snooping policy IPDT_MAX_n [ limit address-count ] | No change, same as Cisco IOS XE Denali 16.3.6 |
| ip device tracking maximum 0 | Not supported | No change, same as Cisco IOS XE Denali 16.3.6 |
| clear ip device tracking all | Not supported | No change, same as Cisco IOS XE Denali 16.3.6 |