
TrustSec SGACL Monitor Mode

Adrian Lazar
Level 1

Dear Community,

 

We are trying to do a TrustSec SGT enforcement PoC using Catalyst 3850 and 4500X switches and Monitor Mode. At the moment all policies downloaded from ISE are in Monitor Mode only and the switches are behaving correctly, meaning enforcement is not happening.

The problem is with visibility: as soon as the policies go into Monitor Mode (setting from ISE), the switches do not log the traffic matching the SGACLs even if they have the "log" keyword, which makes Monitor Mode not really useful.

In summary the behavior we have seen is as follows: 

Normal enforcing mode 

- Switches are enforcing based on the SGACLs downloaded and logging only "deny log" statements. "Permit log" statements are not logged!

 

Monitoring mode

- Switches are not logging anything 

 

Now the questions are: why are the switches not logging in monitor mode? Isn't visibility a goal of the monitor mode feature? And also, why are "permit log" statements not logged in normal mode?

 

We are currently using the Everest release. 

 

 

Thanks in advance for your support!

Adrian
