04-15-2015 07:15 AM - edited 03-07-2019 11:33 PM
We have a full deployment of ISE, TrustSec, UCS, 1000v and Nexus 7Ks to secure our virtual shared desktop and VDI environments. It all works: RBACL policies get pushed, updated and enforced. The "show cts role-based counters" command works, but individual logging on specific SGLs doesn't log to the N7Ks even though the counters accumulate. Anyone have any ideas? Below is a copy of one of my test SGL's outputs.
T
sgt:200(VDI_nfrastructure) dgt:1028(172_17_204_0) [73654]
rbacl:Test_172_17_204_0
permit tcp dst eq 22 [0]
permit tcp dst eq 80 [0]
permit tcp dst eq 443 [0]
permit tcp dst eq 1494 [0]
permit tcp dst eq 2598 [0]
permit tcp dst eq 3010 [0]
permit tcp dst eq 8010 [0]
permit tcp dst eq 8080 [0]
permit tcp dst eq 8081 [0]
permit ip log [73654]
04-16-2015 10:47 AM
Figured it out. N7Ks handle logging differently. Use this command on N7Ks:
show logging ip access-list cache
GR-N7K-2-CORE# show logging ip access-list cache
Src IP          Dst IP           S-Port  D-Port  Src Intf         Protocol  Hits
--------------------------------------------------------------------------------
10.50.2.8       10.50.1.100      34738   80      port-channel101  (6)TCP    0
10.50.2.8       100.1.20.76      34823   80      port-channel91   (6)TCP    6
10.50.2.8       204.180.133.239  34710   443     port-channel91   (6)TCP    0
10.50.2.8       100.1.20.34      34797   88      port-channel101  (6)TCP    0
10.50.2.9       10.11.20.200     2370    443     port-channel92   (6)TCP    9
10.50.2.7       10.50.1.105      5065    61896   port-channel101  (6)TCP    1
10.50.2.9       10.11.20.200     2384    443     port-channel92   (6)TCP    0
10.50.2.7       100.1.20.21      6921    445     port-channel101  (6)TCP    0
10.50.2.9       10.11.20.200     2358    443     port-channel92   (6)TCP    0
10.50.2.8       100.1.20.4       34795   88      port-channel101  (6)TCP    8