This will be my first post, focusing on Cisco ISE. However, my findings are valid for all products that rely on OUI database lookups.
Use case: Cisco ISE profiling rules
Profiling enables you to classify end devices by certain attributes, like DHCP options, CDP or LLDP information, NMAP scanning results and so on. Cisco provides a list of pre-built profiles for common end-device types.
However, you can build custom profiling rules for end devices that are not in this Cisco-provided database.
A common matching condition in a profiling rule is the vendor part of the MAC address (the OUI, encoded in the first 24 bits of the MAC address). The vendor name to OUI mapping can be downloaded from the IEEE (http://standards-oui.ieee.org/oui.txt).
Example:
00-1A-E8 (hex) Unify Software and Solutions GmbH & Co. KG
So if you want to identify and classify a “Unify” device, for example, you could build a rule matching the OUI vendor string “Unify Software and Solutions GmbH & Co. KG”. This becomes a potential problem if your classification engine dynamically updates the OUI database. This might happen with software updates or through other mechanisms like the “Feed Service” in ISE.
Company names can change (surprise!!!). So today you're building a rule matching the OUI vendor name of “my company”. Tomorrow “my company” is renamed to “my cool company”, the vendor string in the updated OUI database changes with it, and your classification rules don't work anymore!
Just to give a real-life example for the MAC prefix mentioned above (00-1A-E8): when googling for 00-1A-E8 and OUI, I got several hits with the same vendor prefix but different vendor names.
Takeaway:
My conclusion is to stop relying on OUI vendor names in classification rules. I'll stick with the “MAC address begins with” condition whenever there is a need to match on a vendor code.
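To make the takeaway concrete, here is an added example (my own code, not part of Cisco ISE or anything the IEEE publishes) that parses a small, constructed excerpt in the layout of oui.txt and runs the same MAC through a name-based rule and a prefix-based rule. The “Unify” entry uses the OUI and vendor string quoted above; the second vendor, the rename to “Unify Renamed AG”, and all MAC addresses are constructed for the demonstration. After a simulated database update that renames the vendor, the name-based rule stops matching while the prefix-based rule keeps working:

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt file (not the real file).
# The 00-1A-E8 entry is taken from the post; AA-BB-CC is a made-up vendor.
OUI_DB_V1 = """\
00-1A-E8   (hex)\t\tUnify Software and Solutions GmbH & Co. KG
001AE8     (base 16)\t\tUnify Software and Solutions GmbH & Co. KG
\t\t\t\tExample Street 1
\t\t\t\tExample City  12345
\t\t\t\tDE

AA-BB-CC   (hex)\t\tExample Vendor Inc
AABBCC     (base 16)\t\tExample Vendor Inc
"""

# The same database after a hypothetical vendor rename (e.g. pushed by a feed update).
OUI_DB_V2 = OUI_DB_V1.replace(
    "Unify Software and Solutions GmbH & Co. KG", "Unify Renamed AG"
)

# Only the "(hex)" lines carry the OUI -> vendor mapping; address lines are skipped.
OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui(text):
    """Return {'001AE8': 'Vendor name', ...} from oui.txt-style text."""
    db = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            db["".join(m.group(1, 2, 3))] = m.group(4)
    return db


def normalize_mac(mac):
    """Strip separators and upper-case a MAC (00:1a:e8:.. / 00-1A-E8-.. / 001a.e812.3456)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def oui_of(mac):
    """First 24 bits (six hex digits) of the MAC: the vendor part."""
    return normalize_mac(mac)[:6]


def classify_by_vendor_name(mac, db, rules):
    """Name-based rule: profile -> expected vendor string looked up in the OUI database."""
    vendor = db.get(oui_of(mac))
    for profile, expected_name in rules.items():
        if vendor == expected_name:
            return profile
    return None


def classify_by_prefix(mac, rules):
    """Prefix-based rule, like ISE's 'MAC address begins with': profile -> list of prefixes."""
    norm = normalize_mac(mac)
    for profile, prefixes in rules.items():
        for prefix in prefixes:
            if norm.startswith(re.sub(r"[^0-9A-Fa-f]", "", prefix).upper()):
                return profile
    return None


# Two equivalent-looking profiling rules for the same device class.
NAME_RULES = {"Unify-Phone": "Unify Software and Solutions GmbH & Co. KG"}
PREFIX_RULES = {"Unify-Phone": ["00-1A-E8"]}

SAMPLE_MAC = "00:1A:E8:12:34:56"  # constructed endpoint MAC in the Unify OUI


if __name__ == "__main__":
    for label, text in (("before rename", OUI_DB_V1), ("after rename", OUI_DB_V2)):
        db = parse_oui(text)
        print(f"{label}: vendor name rule -> {classify_by_vendor_name(SAMPLE_MAC, db, NAME_RULES)}")
        print(f"{label}: prefix rule      -> {classify_by_prefix(SAMPLE_MAC, PREFIX_RULES)}")
```

The prefix rule normalizes both the endpoint MAC and the configured prefix, so colon-, dash- and dot-separated notations all match the same OUI; the name rule depends on an exact vendor string that the database owner, not you, controls.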
1 Comment
OUI database changes - NetGab - The daily networking madness · 07/06/2017 at 21:55
[…] my initial post (Endpoint classification rules: Caution when using OUI vendor names), I got curious how often and in which way the OUI database changes. I googled around for a […]