ISE, Trustsec, 1000v and Nexus 7k's to secure our VDI environments.

Dave Saunders
Level 1

We have a full deployment of ISE, Trustsec, UCS, 1000v and Nexus 7k's to secure our virtual shared desktop and VDI environments. It all works: RBACL policies get pushed, updated and enforced. The "show cts role-based counters" command works, but individual logging on specific SGL's doesn't log to the N7k's even though the counters accumulate. Anyone have any ideas? Below is a copy of one of my test SGL's outputs.

sgt:200(VDI_nfrastructure) dgt:1028(172_17_204_0)       [73654]
rbacl:Test_172_17_204_0
        permit tcp dst eq 22    [0]
        permit tcp dst eq 80    [0]
        permit tcp dst eq 443   [0]
        permit tcp dst eq 1494  [0]
        permit tcp dst eq 2598  [0]
        permit tcp dst eq 3010  [0]
        permit tcp dst eq 8010  [0]
        permit tcp dst eq 8080  [0]
        permit tcp dst eq 8081  [0]
        permit ip log   [73654]

1 Reply

Dave Saunders
Level 1

Figured it out. N7k's handle logging differently. Use this command on N7k's:

show logging ip access-list cache

GR-N7K-2-CORE# show logging ip access-list cache
Src IP Dst IP S-Port D-Port Src Intf Protocol Hits
------------------------------------------------------------------------------------------------
10.50.2.8 10.50.1.100 34738 80 port-channel101 (6)TCP 0
10.50.2.8 204.180.133.2 39 34710 443 port-channel91 (6)TCP 0
10.50.2.9 10.11.20.200 2370 443 port-channel92 (6)TCP 9
10.50.2.7 10.50.1.105 5065 61896 port-channel101 (6)TCP 1
10.50.2.9 10.11.20.200 2384 443 port-channel92 (6)TCP 0
10.50.2.9 10.11.20.200 2358 443 port-channel92 (6)TCP 0
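As an added example (my own code, not from the poster or Cisco), a small Python helper that parses the two NX-OS outputs quoted in this thread and pulls out what an operator checking SGACL logging wants to see: which logged ACEs in "show cts role-based counters" actually have hits, and how the "show logging ip access-list cache" hits distribute by destination port. The samples below are constructed to mirror the layout in the posts; the row regex assumes the single-space column layout shown there.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show logging ip access-list cache" table above.
CACHE_SAMPLE = """\
Src IP Dst IP S-Port D-Port Src Intf Protocol Hits
----------------------------------------------------
10.50.2.8 10.50.1.100 34738 80 port-channel101 (6)TCP 0
10.50.2.9 10.11.20.200 2370 443 port-channel92 (6)TCP 9
10.50.2.7 10.50.1.105 5065 61896 port-channel101 (6)TCP 1
10.50.2.9 10.11.20.200 2384 443 port-channel92 (6)TCP 0
"""

# Constructed sample, modelled on the "show cts role-based counters" output above.
COUNTERS_SAMPLE = """\
sgt:200(VDI_Infrastructure) dgt:1028(172_17_204_0)       [73654]
rbacl:Test_172_17_204_0
        permit tcp dst eq 22    [0]
        permit tcp dst eq 443   [0]
        permit ip log   [73654]
"""

# src dst sport dport intf (proto_num)PROTO hits
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+\((\d+)\)(\S+)\s+(\d+)$")
# ACE line inside an rbacl block, e.g. "permit ip log   [73654]"
ACE_RE = re.compile(r"^(permit|deny)\s+(.*?)\s*\[(\d+)\]$")

def parse_acl_log_cache(text):
    """Turn the ACL log cache table into a list of dicts; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, sport, dport, intf, _proto_num, proto, hits = m.groups()
            rows.append({"src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
                         "intf": intf, "proto": proto, "hits": int(hits)})
    return rows

def hits_by_dst_port(rows):
    """Sum cached hits per destination port so the busiest logged flows stand out."""
    totals = Counter()
    for r in rows:
        totals[r["dport"]] += r["hits"]
    return dict(totals)

def logged_aces_with_hits(text):
    """Return (ace, hits) for ACEs that carry the 'log' keyword and have a non-zero counter."""
    found = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and "log" in m.group(2).split() and int(m.group(3)) > 0:
            found.append((f"{m.group(1)} {m.group(2)}", int(m.group(3))))
    return found
```

If an ACE shows up in logged_aces_with_hits() but no matching flows appear in the cache output, that is the symptom described in the question and points at the N7k logging path rather than the policy itself.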