Wireless Trustsec Enforcement - Troubleshooting in SD-Access

Johannes_Grimm1
Level 1

Hello all,

Is there a way to troubleshoot the enforcement of policies in the wireless environment within an SD-Access Fabric? Especially from wireless to wireless, and without additional tools like Secure Network Analytics.

On my test environment (Catalyst 9115) I could not get any local logs or any output from debugs like cts enforcement or parser.

Best regards,

Johannes


You could use tcpdump on the ports to the APs to catch VXLAN traffic and see whether the target SGT is in the VXLAN header at least. Not sure you can do more...
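Following the suggestion above to check whether the SGT rides in the VXLAN header, here is an added example that is not from the thread or from Cisco: it parses the VXLAN-GPO encapsulation, the variant SD-Access uses with the SGT carried in the Group Policy ID field, and tallies SGTs per VNI the way you would over a whole capture. The header layout follows draft-smith-vxlan-group-policy; the sample frames, MAC/IP addresses, VNI 8188 and SGT 16 are constructed for the demo. Feeding it frames read from a tcpdump pcap (via any pcap reader library) is assumed rather than shown.

```python
import struct

VXLAN_UDP_PORT = 4789

# VXLAN-GPO header flag bits (draft-smith-vxlan-group-policy).
# Byte 0: G|R|R|R|I|R|R|R   Byte 1: R|D|R|R|A|R|R|R
FLAG_G = 0x80   # byte 0: Group Policy ID (the SGT in SD-Access) is present
FLAG_I = 0x08   # byte 0: VNI field is valid
FLAG_D = 0x40   # byte 1: Don't Learn the inner source address
FLAG_A = 0x08   # byte 1: policy already Applied by an upstream device


def build_vxlan_gpo_frame(sgt, vni, applied=False, carry_sgt=True,
                          inner=b"\x00" * 18):
    """Construct an Ethernet/IPv4/UDP/VXLAN-GPO frame for testing.

    Constructed sample data: addresses are placeholders, not a real fabric.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + 8 + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    flags0 = FLAG_I | (FLAG_G if carry_sgt else 0)
    flags1 = FLAG_A if applied else 0
    vxlan = struct.pack("!BBH", flags0, flags1, sgt if carry_sgt else 0)
    vxlan += (vni << 8).to_bytes(4, "big")      # 24-bit VNI + reserved byte
    return eth + ip + udp + vxlan + inner


def parse_vxlan_gpo(frame):
    """Return the VXLAN-GPO fields of a captured frame, or None if not VXLAN.

    Result keys: vni, sgt (None when the G flag is clear), policy_applied,
    dont_learn, inner (the encapsulated Ethernet frame).
    """
    # Ethernet header: only untagged IPv4 is handled here
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                        # not UDP
        return None
    udp = 14 + ihl
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport != VXLAN_UDP_PORT:
        return None
    vx = frame[udp + 8:udp + 16]
    if len(vx) < 8:
        return None
    flags0, flags1, group_policy_id = struct.unpack("!BBH", vx[:4])
    if not flags0 & FLAG_I:                    # VNI not valid
        return None
    return {
        "vni": int.from_bytes(vx[4:7], "big"),
        "sgt": group_policy_id if flags0 & FLAG_G else None,
        "policy_applied": bool(flags1 & FLAG_A),
        "dont_learn": bool(flags1 & FLAG_D),
        "inner": frame[udp + 16:],
    }


def sgt_summary(frames):
    """Count frames per (VNI, SGT) as you would over a whole capture."""
    counts = {}
    for f in frames:
        info = parse_vxlan_gpo(f)
        if info is None:
            continue
        key = (info["vni"], info["sgt"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        build_vxlan_gpo_frame(sgt=16, vni=8188),
        build_vxlan_gpo_frame(sgt=16, vni=8188, applied=True),
        build_vxlan_gpo_frame(sgt=0, vni=8188, carry_sgt=False),
        b"\x00" * 60,                           # non-VXLAN frame, ignored
    ]
    for key, n in sorted(sgt_summary(sample).items(), key=str):
        print(f"VNI {key[0]} SGT {key[1]}: {n} frame(s)")
```

Frames where `sgt` comes back as `None` have no Group Policy ID at all, which is what you would see if tagging had not been applied on the ingress side; the `policy_applied` flag reports the A bit, which the spec defines as "policy has already been applied upstream", so it is worth recording alongside the SGT when you are working out where enforcement is happening.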

Preston Chilcote
Cisco Employee

"show cts role-based counters" is probably the most popular way to troubleshoot, but of course show commands don't scale too well.

SNA is currently the state-of-the-art scalable method, specifically the SGT Analytics feature:
https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/sna-trustsec-matrix-analytics-report-aag.html

 

P.S. Wireless and wired SGT enforcement occurs on the Fabric Edge, so you should be able to analyze wired user policies the same as wireless (part of the value of SDA is having the same policy enforcement for both).