brentpavlovich
Beginner

Centralized Reporting for TrustSec SGACLs

Is anyone familiar with a way to centralize the reporting of TrustSec events on switches and routers? Specifically SGACL drop messages. Our network topology consists of around 150 switches (mostly 9200/9300s) and 100 routers (all 4331s or 4431s). Right now the only way we have to tell if traffic is being blocked because of TrustSec is to individually log into each router and switch and look at the log messages. Not only is this not a feasible solution for 250 devices, it doesn't provide long-term historical records to look back upon when issues are reported.

 

Since the log messages are type 6 they don't make it to our logging server, so running reports off that isn't an option (unless there is a way to change the message type so the router/switch sends it to our remote syslog server???)

NetFlow doesn't seem to contain any useful information in it that can distinguish normal traffic from blocked traffic caused by SGACL drops. I've read a few articles about being able to use NetFlow to determine this, but it seems it's only available on 6500 switches.

 

Just wondering if anyone out there has a good solution for this problem. A single pane of glass, so to speak, into TrustSec enforcement.

Accepted Solutions
Damien Miller
VIP Advisor

This is a pain to do on IOS/IOS-XE compared to the way we can modify each log's severity level on the ASA. You can potentially handle this through a Tcl script to rewrite the severity level to 5, or another value of your choosing.

See this page for more information on the process. 
https://flylib.com/books/en/2.286.1/modifying_log_messages.html

That worked quite well, thanks for the suggestion. A little disappointing though that there aren't more native built-in tools to monitor a TrustSec environment. But this will do for now.
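
A sketch of the Tcl severity rewrite suggested in the accepted answer, as an added example (not code from this thread or from Cisco). It assumes the Embedded Syslog Manager filter model, where the device sets globals such as `::orig_msg`, `::facility`, `::mnemonic` and `::severity` for each message, and it assumes the SGACL drop message is tagged `%RBM-6-SGACLHIT`; confirm the tag against your own device logs. The helper names are hypothetical.

```tcl
# Added example: ESM-style syslog filter that raises one message's severity.
# Assumption: the SGACL drop message carries the tag %RBM-6-SGACLHIT.
set target_facility "RBM"       ;# assumed facility of the drop message
set target_mnemonic "SGACLHIT"  ;# assumed mnemonic of the drop message
set new_severity    5           ;# value suggested in the accepted answer

# Rewrite only the severity digit inside the "%FACILITY-n-MNEMONIC" tag,
# leaving the rest of the message text untouched.
proc rewrite_severity {msg facility mnemonic sev} {
    set pattern "%${facility}-\[0-7\]-${mnemonic}"
    regsub -- $pattern $msg "%${facility}-${sev}-${mnemonic}" msg
    return $msg
}

# True when the message being filtered is the one to escalate.
proc is_target {facility mnemonic} {
    global target_facility target_mnemonic
    expr {[string equal -nocase $facility $target_facility] &&
          [string equal -nocase $mnemonic $target_mnemonic]}
}

if {[info exists ::orig_msg]} {
    # On the device: ESM has populated the globals for this message.
    if {[string length $::orig_msg] == 0} { return "" }
    if {[is_target $::facility $::mnemonic]} {
        set ::severity $new_severity
        return [rewrite_severity $::orig_msg $::facility $::mnemonic $new_severity]
    }
    return $::orig_msg   ;# every other message passes through unchanged
} else {
    # Offline check in tclsh, using constructed sample lines.
    foreach line {
        {%RBM-6-SGACLHIT: constructed sample text}
        {%SYS-6-LOGGINGHOST_STARTSTOP: constructed sample text}
    } {
        puts [rewrite_severity $line $target_facility $target_mnemonic $new_severity]
    }
}
```

On platforms that support ESM, the script is attached with `logging filter`, and the remote syslog destination has to be set to receive the filtered output for the rewritten severity to take effect there.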
