This will be my first post, focussing on Cisco ISE. However, my findings are valid for all products, which relies on OUI database lookups.<\/p>\n
Use case: Cisco ISE profiling rules However, you can build custom profiling rules for end devices, which are not in this Cisco provided database.<\/p>\n A common matching condition in a profiling rule is the vendor part of the MAC address (encoded in the first 24 bits of the MAC address). The vendor name to MAC mapping can be downloaded by the IEEE (http:\/\/standards-oui.ieee.org\/oui.txt)<\/p>\n Example:<\/p>\n So if you want to identity and classify a “Unify” device for example, you could build a rule matching the OUI string “Unify Software and Solutions GmbH & Co. KG”. This could be a potential problem if your classification engine dynamically updates the OUI database. This might happen with software updates or some other mechanisms like the “Feed Service” in ISE.<\/p>\n Company names can<\/strong> change (surprise!!!). So today your building a rule matching the OUI of “my company”. Tomorrow “mycompany” is renamed to “my cool company” and your classification rules don’t work anymore!<\/p>\n Just to give a real life example for the MAC mentioned above (00-1A-E8). When googling for 00-1A-E8 and OUI, I got several hits with the same vendor MAC, but different vendor names.<\/p>\n Takeaway: <\/p>\n","protected":false},"excerpt":{"rendered":" This will be my first post, focussing on Cisco ISE. However, my findings are valid for all products, which relies on OUI database lookups. Use case: Cisco ISE profiling rulesProfiling enables you to classify end devices by certain attributes, like DHCP options, CDP or LLDP information, NMAP scanning results and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[13,8],"class_list":["post-111","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ise","tag-security"],"yoast_head":"\n
<\/strong>Profiling enables you to classify end devices by certain attributes, like DHCP options, CDP or LLDP information, NMAP scanning results and so on. Cisco provides a list of pre-built profiles for common end-device types.<\/p>\n00-1A-E8 (hex) Unify Software and Solutions GmbH & Co. KG<\/code><\/p>\n
<\/strong>My consequence is not relying on OUI vendor names for classification rules. I’ll stick with the “MAC address begins with” condition when there is the need to go for a vendor code.<\/p>\n