cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1351
Views
0
Helpful
1
Replies

Incomplete visibility in to Logs by enabling Log suppression

umahar
Cisco Employee
Cisco Employee

Hello,

We were seeing high frequency of "High Average Load" alarm on M&T and had to enable log suppression to avoid this alarm.

However after log suppression the customer states that they do not have complete visibility over the logs.

For example a rogue devices trying to connect via different ports on a switch is not generating different events.

Is there a way to have more visibility on the logs by increasing the specs of M&T.

Do we also have a EPS of M&T in terms of logs.

Its a 250,000 endpoint cluster with 35+ PSNs.

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee
Cisco Employee

Utkarsh, the EPS will depend on many factors. In the case of wired access need to find out if re-auth is enabled for the sessions and how often the ACCT update is being sent to ISE among other factors. In the case of wireless access it also depends on the interim accounting setting on the WLAN as well as the user behavior. I suggest going through one of the 'BRKSEC-3699 Designing ISE for Scale & High-Availability' Session available in the ciscolive.com archive to get better understanding of options.

Hosuk

View solution in original post

1 Reply 1

howon
Cisco Employee
Cisco Employee

Utkarsh, the EPS will depend on many factors. In the case of wired access need to find out if re-auth is enabled for the sessions and how often the ACCT update is being sent to ISE among other factors. In the case of wireless access it also depends on the interim accounting setting on the WLAN as well as the user behavior. I suggest going through one of the 'BRKSEC-3699 Designing ISE for Scale & High-Availability' Session available in the ciscolive.com archive to get better understanding of options.

Hosuk