TrustSec SGACL Monitor Mode

Dear Community,

We are trying to do a TrustSec SGT enforcement PoC using Catalyst 3850 and 4500X switches and Monitor Mode. At the moment all policies downloaded from ISE are in Monitor Mode only, and the switches are behaving correctly, meaning enforcement is not happening.

The problem is with visibility: as soon as the policies go into Monitor Mode (set from ISE), the switches do not log the traffic matching the SGACLs, even if they have the "log" keyword, which makes Monitor Mode not really useful.

In summary, the behavior we have seen is as follows:

Normal enforcing mode

- Switches are enforcing based on the SGACLs downloaded and logging only "deny log" statements. "Permit log" statements are not logged!

Monitoring mode

- Switches are not logging anything.

Now the questions are: why are the switches not logging in monitor mode? Isn't visibility a goal of the monitor mode feature? And also, why are "permit log" statements not logged in normal mode?

We are currently using the Everest release.

Thanks in advance for your support!

Adrian
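Since syslog gives no visibility while the SGACLs are in monitor mode, one alternative is to read the per-SGT-pair counters instead. The following is an added example, not part of the original post or of Cisco's tooling: it parses constructed sample output in the column layout that `show cts role-based counters` is assumed to use on IOS-XE (From, To, SW/HW Denied, Permit, Monitor; verify against your release) and reports which SGT pairs hit a monitored deny policy, i.e. flows that would start being dropped once enforcement is enabled.

```python
from typing import Dict, List, Tuple

# Constructed sample output (not a real capture); column layout is assumed.
SAMPLE_OUTPUT = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          12         48211      0          0
10      20      0          0          0          0          0          3174
30      20      0          918        0          0          0          0
"""

COLUMNS = ("from", "to", "sw_denied", "hw_denied", "sw_permit", "hw_permit",
           "sw_monitor", "hw_monitor")


def parse_counters(text: str) -> List[Dict[str, object]]:
    """Parse the counters table into one dict per (source SGT, destination SGT) row."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly eight fields with numeric counters;
        # the title line and the column header are skipped.
        if len(fields) != len(COLUMNS) or not fields[2].isdigit():
            continue
        row: Dict[str, object] = dict(zip(COLUMNS, fields))
        for key in COLUMNS[2:]:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def monitored_hits(rows: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """SGT pairs whose deny policy is in monitor mode and has seen traffic:
    these are the flows that enforcement would drop."""
    return [(r["from"], r["to"], r["sw_monitor"] + r["hw_monitor"])
            for r in rows if r["sw_monitor"] + r["hw_monitor"] > 0]


def denied_hits(rows: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """SGT pairs that are already being dropped by an enforced deny policy."""
    return [(r["from"], r["to"], r["sw_denied"] + r["hw_denied"])
            for r in rows if r["sw_denied"] + r["hw_denied"] > 0]


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_OUTPUT)
    print("monitored (would be dropped):", monitored_hits(parsed))
    print("denied (already dropped):   ", denied_hits(parsed))
```

Polling this output periodically and diffing the monitor counters per SGT pair gives the visibility the "log" keyword does not provide in monitor mode.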
