05-27-2016 03:53 AM
Hello,
We were seeing a high frequency of the "High Average Load" alarm on M&T and had to enable log suppression to avoid this alarm.
However, after log suppression the customer states that they do not have complete visibility over the logs.
For example, a rogue device trying to connect via different ports on a switch is not generating different events.
Is there a way to have more visibility on the logs by increasing the specs of M&T?
Do we also have an EPS of M&T in terms of logs?
It's a 250,000 endpoint cluster with 35+ PSNs.
05-27-2016 04:16 AM
Utkarsh, the EPS will depend on many factors. In the case of wired access, you need to find out if re-auth is enabled for the sessions and how often the ACCT update is being sent to ISE, among other factors. In the case of wireless access, it also depends on the interim accounting setting on the WLAN as well as the user behavior. I suggest going through one of the 'BRKSEC-3699 Designing ISE for Scale & High-Availability' sessions available in the ciscolive.com archive to get a better understanding of the options.
Hosuk