https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595166#M517863 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>reply sent via another route/email but pasting here as well for completeness:</P><P></P><P>There’s a couple of topics here. One is monitoring flows in the network and the other is monitoring whether enforcement is effective.</P><P>So, for monitoring flows, yes, netflow is the key. Of course, we have Stealthwatch which will not only show IP flows (and provide de-dup, flow stitching, quarantine magic etc) but also SGT information as our switches export SGT’s in netflow.</P><P></P><P>As for monitoring enforcement, yes, we did have a function on ISE that was meant to display information on SGACL drops but it never worked well and actually only partially worked for the Cat6k.</P><P>So, it is not an ISE function which should be used.</P><P>Instead, any syslog server could receive syslog messages from hits on SGACL’s – this is how customers monitor enforcement actions (use ’log’ at the end of SGACL ACE’s).</P><P></P><P>Now, if you don’t want to initially enforce traffic but you want to test SGACLs, there are two options:</P><P>a) You simply use permits in your policy with the log keyword. No traffic will be dropped but you can monitor the hits via syslog.</P><P>b) Use permits and denies in your policy but provision them in ‘monitor mode’ which again, will not drop traffic but will allow for monitoring.</P><P></P><P>There are some documents available talking about monitor mode:</P><P><A class="jive-link-wiki-small" data-containerid="5301" data-containertype="14" data-objectid="68150" data-objecttype="102" href="https://communities.cisco.com/docs/DOC-68150">https://communities.cisco.com/docs/DOC-68150</A></P><P><A class="jive-link-wiki-small" data-containerid="5301" data-containertype="14" data-objectid="68151" data-objecttype="102" href="https://communities.cisco.com/docs/DOC-68151">https://communities.cisco.com/docs/DOC-68151</A></P><P></P><P>Hope this has been useful, any further questions then please come back.</P><P></P><P>Cheers, Jonothan.</P></BODY></HTML> Wed, 14 Feb 2018 17:03:18 GMT jeaves@cisco.com 2018-02-14T17:03:18Z https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595164#M517855 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt; font-family: arial, helvetica, sans-serif;">As far as I understand, purpose of enabling monitoring mode is to <SPAN style="color: #58585b; font-style: normal; font-weight: 400; text-align: start; text-indent: 0px;">identify behavior for Cisco TrustSec deployments.</SPAN></SPAN></P><P><SPAN style="color: #58585b; font-family: arial, helvetica, sans-serif; font-style: normal; font-weight: 400; text-align: start; text-indent: 0px; font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="color: #58585b; font-family: arial, helvetica, sans-serif; font-style: normal; font-weight: 400; text-align: start; text-indent: 0px; font-size: 10pt;">It is hard to find out documentation about this topic. I have found report in ISE "RBACL Drop Summary" that uses </SPAN><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Flexible NetFlow Export.</SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">Is there configuration how this is done, what fields are necessary to be exported?</SPAN></P><P></P><P><SPAN style="font-family: arial, helvetica, sans-serif; font-size: 10pt;">What is the best practice to deploy monitor mode and how to <SPAN style="color: #58585b; font-style: normal; font-weight: 400; text-align: start; text-indent: 0px;">monitor and identify influence of the RBACL on the traffic?</SPAN></SPAN></P><P><SPAN style="color: #58585b; font-family: arial, helvetica, sans-serif; font-style: normal; font-weight: 400; text-align: start; text-indent: 0px; font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="text-indent: 0px; color: #58585b; text-align: start; font-style: normal; font-size: 10pt; font-family: arial, helvetica, sans-serif; font-weight: 400;">BR Milan</SPAN></P></BODY></HTML> Tue, 13 Feb 2018 13:12:50 GMT https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595164#M517855 m.markocevic 2018-02-13T13:12:50Z https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595165#M517860 <HTML><HEAD></HEAD><BODY><P>May I suggest posting TrustSec questions to the TrustSec Community?</P><P><A href="https://community.cisco.com/space/5320">TrustSec</A></P></BODY></HTML> Wed, 14 Feb 2018 15:01:15 GMT https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595165#M517860 Craig Hyps 2018-02-14T15:01:15Z https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595166#M517863 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>reply sent via another route/email but pasting here as well for completeness:</P><P></P><P>There’s a couple of topics here. One is monitoring flows in the network and the other is monitoring whether enforcement is effective.</P><P>So, for monitoring flows, yes, netflow is the key. Of course, we have Stealthwatch which will not only show IP flows (and provide de-dup, flow stitching, quarantine magic etc) but also SGT information as our switches export SGT’s in netflow.</P><P></P><P>As for monitoring enforcement, yes, we did have a function on ISE that was meant to display information on SGACL drops but it never worked well and actually only partially worked for the Cat6k.</P><P>So, it is not an ISE function which should be used.</P><P>Instead, any syslog server could receive syslog messages from hits on SGACL’s – this is how customers monitor enforcement actions (use ’log’ at the end of SGACL ACE’s).</P><P></P><P>Now, if you don’t want to initially enforce traffic but you want to test SGACLs, there are two options:</P><P>a) You simply use permits in your policy with the log keyword. No traffic will be dropped but you can monitor the hits via syslog.</P><P>b) Use permits and denies in your policy but provision them in ‘monitor mode’ which again, will not drop traffic but will allow for monitoring.</P><P></P><P>There are some documents available talking about monitor mode:</P><P><A class="jive-link-wiki-small" data-containerid="5301" data-containertype="14" data-objectid="68150" data-objecttype="102" href="https://communities.cisco.com/docs/DOC-68150">https://communities.cisco.com/docs/DOC-68150</A></P><P><A class="jive-link-wiki-small" data-containerid="5301" data-containertype="14" data-objectid="68151" data-objecttype="102" href="https://communities.cisco.com/docs/DOC-68151">https://communities.cisco.com/docs/DOC-68151</A></P><P></P><P>Hope this has been useful, any further questions then please come back.</P><P></P><P>Cheers, Jonothan.</P></BODY></HTML> Wed, 14 Feb 2018 17:03:18 GMT https://community.cisco.com/t5/network-access-control/trustsec-monitor-mode/m-p/3595166#M517863 jeaves@cisco.com 2018-02-14T17:03:18Z