Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4267
Views
10
Helpful
5
Replies

Live Logs for TrustSec?

Go to solution
scsc_tech
Level 1
Level 1

‎05-29-2019 08:02 AM

Is there a feature like RADIUS Live Logs for TrustSec?

I want to be able to see if someone is hitting a SGACL rule for troubleshooting and auditing.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎05-29-2019 08:21 AM - edited ‎05-29-2019 09:25 AM

These statistics are not reported to ISE. You are only able to view hits on the SGACL where the enforcement takes place. On a 3850 for example, you can run show cisco trustSec role-based counters ipv4 to see hits incrementing, but it is not split by IP, just SGT to SGT.

You can export deny and drop events via netflow to something like stealthwatch. I have not done this before, so i'm not certain what the reporting looks like on the collector.

This is one area that I think is a challenge with TrustSec, you decentralize your enforcement away from firewalls that log in great detail.

View solution in original post

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to scsc_tech

‎05-30-2019 02:06 AM

Yes, there is/was a report in ISE reporting on SGACL drops but the ONLY platform that exported drop information is/was the Cat6500. This is not something that has been expanded to other platforms and has not been maintained; that feature is not of use to you as it stands.

Your friend here is the 'log' keyword at the end of the SGACE's, for example, 'deny ip log'. This will generate syslog messages for hits which can be reported on via the likes of SIEM tools like Splunk for example.

And as was stated, Stealthwatch can receive Netflow records with SGT/DGT information and can report on flows in the network and hence, enforcement operation deduced.

There are programs in place to provide further tools for enhancing visibility, stay tuned...

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎05-29-2019 08:21 AM - edited ‎05-29-2019 09:25 AM

These statistics are not reported to ISE. You are only able to view hits on the SGACL where the enforcement takes place. On a 3850 for example, you can run show cisco trustSec role-based counters ipv4 to see hits incrementing, but it is not split by IP, just SGT to SGT.

You can export deny and drop events via netflow to something like stealthwatch. I have not done this before, so i'm not certain what the reporting looks like on the collector.

This is one area that I think is a challenge with TrustSec, you decentralize your enforcement away from firewalls that log in great detail.

0 Helpful

Go to solution
scsc_tech
Level 1
Level 1
In response to Damien Miller

‎05-29-2019 11:32 AM

Thanks,

I did see a report in ISE that was for SGACL Drops and it reinforced what you said that netflow would have to be enabled on the switch to report these events to ISE

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee
In response to scsc_tech

‎05-30-2019 02:06 AM

Yes, there is/was a report in ISE reporting on SGACL drops but the ONLY platform that exported drop information is/was the Cat6500. This is not something that has been expanded to other platforms and has not been maintained; that feature is not of use to you as it stands.

Your friend here is the 'log' keyword at the end of the SGACE's, for example, 'deny ip log'. This will generate syslog messages for hits which can be reported on via the likes of SIEM tools like Splunk for example.

And as was stated, Stealthwatch can receive Netflow records with SGT/DGT information and can report on flows in the network and hence, enforcement operation deduced.

There are programs in place to provide further tools for enhancing visibility, stay tuned...

0 Helpful

Go to solution
SergGu
Level 1
Level 1
In response to Damien Miller

‎08-19-2020 02:38 AM

@Damien Miller wrote:

These statistics are not reported to ISE. You are only able to view hits on the SGACL where the enforcement takes place. On a 3850 for example, you can run show cisco trustSec role-based counters ipv4 to see hits incrementing, but it is not split by IP, just SGT to SGT.

Hello @Damien Miller if not too busy, can you please confirm if you have seen this working on 3850. There is contradicting information from Cisco

 

TrustSec 3850 Specific Troubleshooting Information > Counters on the 3850 and 3650 

The role-based counters command is broken on the 3850 and 3650, no data is ever displayed. This is fixed in release 16.6.1.

This is logged as DDTS CSCuu32958 (3850 "show cts role-based counters" not implemented platform limitation).

3850 "show cts role-based counters" not implemented platform limitation CSCuu32958 

3850 does not display any trustsec counters for dataplane.

When executing:
"show cts role-based counters"
We see no counters (while having multiple policies displayed by "sh cts role-based permissons").

That command is necessary for troubleshooting.

That is a platform limitation for both 3650 and 3850. Feature will not be implemented.

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to SergGu

‎08-19-2020 08:59 AM

I have confirmed that "show cts role-based counters" works as expected on a 3850 running both 16.6.7 and 16.9.5.

cts.png

Customers Also Viewed These Support Documents