How can I use ISE monitor mode to determine ports and protocols and associate those with users and applications?

cumiskeyp (Level 1)

I am working in local government and we are modernizing our network to use VRF so we can isolate traffic for security and regulatory compliance reasons. We do have some cross department shared access and communications, as well as enterprise services that go across all departments, but we are trying to isolate everything else based on Windows Active Directory domain user accounts and applications.

 

I would like to use monitoring logs to help determine what ports and protocols we are currently using, and which applications are using them, and how those relate to individual users.

 

I am totally new to ISE and ACI and I'm hoping there is some kind of road map or guidelines for observing what is already going on to see what we need in order to set up our rules.

 

Thanks for any guidance or input you may have to share or offer.

 

phil

14 Replies

Cory Peterson (Level 5)

Hello,

 

ISE is not a traffic monitoring tool. ISE is used for network access control and segmentation, among many other things. If you are looking for something to monitor traffic you would be better off looking at Stealthwatch.

 

But the segmentation goal you are trying to achieve with VRFs would be much easier to achieve using ISE. ISE is great at segmentation and it is much more dynamic than trying to use VRFs. 

 

-Cory

Yes, I recommend looking into using segmentation with Scalable Group Tags.

Could you please elaborate?  Somehow this got marked as solved, but it isn't.

Thanks

Cory, I said monitoring mode.  Not monitoring tool.  The implementation guide I read had this as a step before going to low impact mode, and then closed mode.  I am interested in using logs when in monitoring mode to help us map out our plan.  I'm sorry if it sounded like I'm trying to set up a monitoring tool.

Cory's answer was marked as the solution because it was 100% correct. ISE is not a traffic analysis tool. You need NetFlow data into a collector like Stealthwatch to do what you want.
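The reply above draws the line a practitioner has to work with: ISE knows who authenticated and which address they held, a flow collector knows which ports and protocols that address talked to, and the mapping from user to service comes from joining the two. The following is an added example written for this page, not code from this thread or from any Cisco product. The two CSV layouts are assumptions, with constructed sample rows embedded inline; a real ISE RADIUS accounting report and a real NetFlow export have their own formats, so the two parsers are the part you would replace. The lookup is bounded by session start and stop time on purpose: DHCP hands the same IP to different users across a day, and an IP-only join misattributes traffic. Flows with no authenticated session are kept in a separate bucket, which in monitor mode is the list of devices and service accounts still to be accounted for.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. The CSV layouts below are assumptions for this example,
# not the export format of ISE or of any NetFlow collector.
# ISE-style session records: start, stop, username, MAC, framed IP address.
ISE_SESSIONS = """\
2024-05-01T08:00:00,2024-05-01T12:00:00,alice,00:11:22:aa:bb:01,10.1.1.10
2024-05-01T13:00:00,2024-05-01T17:00:00,bob,00:11:22:aa:bb:02,10.1.1.10
2024-05-01T08:30:00,2024-05-01T16:00:00,carol,00:11:22:aa:bb:03,10.1.2.20
"""

# NetFlow-style records: timestamp, src IP, dst IP, IP protocol number, dst port, bytes.
NETFLOW = """\
2024-05-01T08:15:00,10.1.1.10,10.9.0.5,6,445,4000
2024-05-01T09:00:00,10.1.1.10,10.9.0.6,6,443,12000
2024-05-01T09:10:00,10.1.2.20,10.9.0.6,6,443,5000
2024-05-01T10:00:00,10.1.3.30,10.9.0.5,6,445,700
2024-05-01T12:30:00,10.1.1.10,10.9.0.7,17,53,200
2024-05-01T13:30:00,10.1.1.10,10.9.0.5,6,445,3000
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_sessions(text):
    """Parse ISE-style session rows into dicts with datetime bounds."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, stop, user, mac, ip = line.split(",")
        sessions.append({
            "start": datetime.fromisoformat(start),
            "stop": datetime.fromisoformat(stop),
            "user": user, "mac": mac, "ip": ip,
        })
    return sessions


def parse_flows(text):
    """Parse NetFlow-style rows; protocol and port are numeric in real flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts), "src_ip": src, "dst_ip": dst,
            "proto": int(proto), "dst_port": int(port), "bytes": int(nbytes),
        })
    return flows


def user_for_ip(sessions, ip, ts):
    """Return the user whose authenticated session held `ip` at time `ts`, else None.

    Time-bounded on purpose: DHCP hands the same address to different users
    over a day, so an IP-only join attributes traffic to the wrong person.
    """
    for s in sessions:
        if s["ip"] == ip and s["start"] <= ts <= s["stop"]:
            return s["user"]
    return None


def correlate(sessions, flows):
    """Aggregate bytes per user per (protocol, destination port).

    Flows with no matching session are returned separately; in monitor mode
    these are the endpoints or service accounts not yet accounted for.
    """
    by_user = defaultdict(lambda: defaultdict(int))
    unattributed = []
    for f in flows:
        user = user_for_ip(sessions, f["src_ip"], f["ts"])
        if user is None:
            unattributed.append(f)
            continue
        proto = PROTO_NAMES.get(f["proto"], str(f["proto"]))
        by_user[user][(proto, f["dst_port"])] += f["bytes"]
    return {u: dict(v) for u, v in by_user.items()}, unattributed


def report(by_user):
    """One line per user and service, sorted so runs can be diffed over time."""
    lines = []
    for user in sorted(by_user):
        for (proto, port), nbytes in sorted(by_user[user].items()):
            lines.append(f"{user}\t{proto}/{port}\t{nbytes} bytes")
    return lines


if __name__ == "__main__":
    users, leftovers = correlate(parse_sessions(ISE_SESSIONS), parse_flows(NETFLOW))
    print("\n".join(report(users)))
    print(f"{len(leftovers)} flows with no authenticated session")
```

With the constructed rows, the 12:30 DNS flow from 10.1.1.10 lands in the unattributed bucket even though that address belonged to alice in the morning and bob in the afternoon, which is the case an IP-only join gets wrong.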

It's pretty vague and generic. Please read my question again. I'm not saying ISE is a traffic analysis tool, but it does offer this:
"Monitoring—Provides a real-time presentation of meaningful data representing the state of access activities on a network. This insight allows you to easily interpret and effect operational conditions."
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1056584

That is from the 1.0 guide. Not sure if any of the latest guides say that, but monitoring means collect profiling data to figure out what devices are and/or validate authentication is working. Profiling consists of OUI, DHCP data, NMAP scans, SNMP polling, etc.


I'm trying to see if I can use this to help our engineers figure out which ports and protocols are being used, and by which users.

From there I can cross reference other logging tools that can help me determine which applications are being used so we can plan our Cisco ACI.

From "Monitoring and Troubleshooting [Cisco Identity Services Engine] - Cisco Systems" (https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1056584):

"The Monitor tab on the Cisco Identity Services Engine (ISE) home page, also known as the dashboard, provides integrated monitoring, reporting, alerting, and troubleshooting, all from one centralized location."

According to this, I should be able to use the dashboard to get the information I'm seeking. If you don't know how to do this that is fine. But I'm trying to get replies from anyone who does.

"The Cisco ISE dashboard provides visibility into configured policies, authentication and authorization activities, profiled endpoints, postured sessions, and guest activities. Likewise, monitoring and troubleshooting capabilities include the following:

A real-time summary of system activity and individual services, as well as a comprehensive at-a-glance view of network activity."

I would have your account team reach out to our product managers to discuss this road map and see how they may help. Monitor ISE does not monitor traffic patterns.

Where did patterns come from?  I didn't say anything about monitoring patterns. 

 

I was hoping to get some help here, but I will take your advice and look elsewhere.

 

If I am able to find what I'm looking for, I will report back here to share it.

 

Have a great weekend.

There are no patterns. Read about ISE profiling.



All monitor mode means is "Let every device onto the network". Then you can use ISE profiling or authentication to craft your rules to use when you go out of Monitor mode.


I did read.  That was how I got the idea for using monitoring mode to help me get the details I need to create our rules.

 

I didn't bring up patterns.  That was someone else.

Here is a link to the profiling chapter of the 2.4 admin guide:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010101.html

 

That is the data ISE can collect.  You can ignore the Netflow/HTTP profile because for the most part that data is harder/impractical to get.
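Profiling is what the replies keep pointing to as the data ISE actually collects in monitor mode: attributes from the RADIUS, DHCP, NMAP and SNMP probes, matched against profiling policies where each matching condition adds a certainty factor and a profile applies once the total reaches the policy's minimum. As an added illustration for this page (not Cisco's code and not from the admin guide), the toy profiler below reproduces that shape. The endpoint records, the OUI table excerpt, the DHCP class identifiers, the open ports and every certainty-factor value are constructed assumptions; ISE's shipped policies and the IEEE OUI registry it loads are different, and this version flattens ISE's parent/child profile hierarchy into a flat list. Endpoints that end up "Unknown" are the ones a monitor-mode deployment should chase down before writing authorization rules.

```python
# Constructed endpoint attribute records, shaped like what ISE profiling probes
# (RADIUS, DHCP, NMAP, SNMP) collect. MAC prefixes and values are made up for this example.
ENDPOINTS = {
    "phone": {"mac": "00:1B:54:11:22:33",
              "dhcp_class_id": "Cisco Systems, Inc. IP Phone CP-7841",
              "open_ports": [5060]},
    "laptop": {"mac": "3C:5A:B4:44:55:66",
               "dhcp_class_id": "MSFT 5.0",
               "open_ports": [135, 445]},
    "mystery": {"mac": "DE:AD:BE:EF:00:01",
                "dhcp_class_id": "",
                "open_ports": []},
}

# Hypothetical OUI table excerpt (ISE loads the real IEEE registry).
OUI_VENDORS = {"00:1B:54": "Cisco Systems", "3C:5A:B4": "Example Laptop Co"}


def vendor(mac):
    """Look up the 24-bit OUI prefix of a MAC address (case-insensitive)."""
    return OUI_VENDORS.get(mac.upper()[:8], "Unknown")


# Profiling policies: each condition that matches adds its certainty factor (CF);
# a profile applies only if the total reaches the policy's minimum CF.
# The CF numbers and conditions are assumptions, not ISE's shipped values.
PROFILES = [
    {"name": "Cisco-IP-Phone", "min_cf": 20, "conditions": [
        (lambda e: vendor(e["mac"]) == "Cisco Systems", 10),   # RADIUS/OUI probe
        (lambda e: "IP Phone" in e["dhcp_class_id"], 20),      # DHCP class identifier
        (lambda e: 5060 in e["open_ports"], 10),               # NMAP scan result
    ]},
    {"name": "Windows-Workstation", "min_cf": 20, "conditions": [
        (lambda e: e["dhcp_class_id"].startswith("MSFT"), 20),
        (lambda e: 445 in e["open_ports"], 10),
    ]},
    {"name": "Cisco-Device", "min_cf": 10, "conditions": [
        (lambda e: vendor(e["mac"]) == "Cisco Systems", 10),
    ]},
]


def score(endpoint, profile):
    """Sum the certainty factors of every condition the endpoint satisfies."""
    return sum(cf for cond, cf in profile["conditions"] if cond(endpoint))


def profile_endpoint(endpoint):
    """Return (profile name, CF): the highest-scoring profile that meets its minimum wins."""
    best_name, best_cf = "Unknown", 0
    for p in PROFILES:
        cf = score(endpoint, p)
        if cf >= p["min_cf"] and cf > best_cf:
            best_name, best_cf = p["name"], cf
    return best_name, best_cf


def profile_all(endpoints):
    """Profile every endpoint; 'Unknown' entries are the ones to investigate."""
    return {name: profile_endpoint(attrs) for name, attrs in endpoints.items()}


if __name__ == "__main__":
    for name, (profile, cf) in profile_all(ENDPOINTS).items():
        print(f"{name}: {profile} (CF {cf})")
```

Note how the phone matches both "Cisco-Device" (CF 10) and "Cisco-IP-Phone" (CF 40) and is assigned the more specific one because it scores higher, which is the behaviour you rely on when writing authorization rules against profile names rather than raw attributes.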