N7k's and Trustsec logging

Dave Saunders
Level 1

We have a full deployment of ISE, TrustSec, UCS, 1000v and Nexus 7k's to secure our virtual shared desktop and VDI environments. It all works: RBACL policies get pushed, and the N7k's update and enforce policy. The "show cts role-based counters" command works, but individual logging on specific SGLs doesn't log to the N7k's even though the counters accumulate. Anyone have any ideas? Below is a copy of one of my test SGL's outputs.

sgt:200(VDI_nfrastructure) dgt:1028(172_17_204_0) [73654]
rbacl:Test_172_17_204_0
permit tcp dst eq 22 [0]
permit tcp dst eq 80 [0]
permit tcp dst eq 443 [0]
permit tcp dst eq 1494 [0]
permit tcp dst eq 2598 [0]
permit tcp dst eq 3010 [0]
permit tcp dst eq 8010 [0]
permit tcp dst eq 8080 [0]
permit tcp dst eq 8081 [0]
permit ip log [73654]

1 Reply

Dave Saunders
Level 1

Figured it out. N7k's handle logging differently. Use this command on N7k's:

show logging ip access-list cache

GR-N7K-2-CORE# show logging ip access-list cache
Src IP        Dst IP     S-Port    D-Port    Src Intf         Protocol           Hits
------------------------------------------------------------------------------------------------
10.50.2.8        10.50.1.100        34738   80        port-channel101 (6)TCP                0
10.50.2.8        100.1.20.76        34823   80        port-channel91 (6)TCP                6
10.50.2.8        204.180.133.239    34710   443       port-channel91 (6)TCP                0
10.50.2.8        100.1.20.34        34797   88        port-channel101 (6)TCP                0
10.50.2.9        10.11.20.200       2370    443       port-channel92 (6)TCP                9
10.50.2.7        10.50.1.105        5065    61896     port-channel101 (6)TCP                1
10.50.2.9        10.11.20.200       2384    443       port-channel92 (6)TCP                0
10.50.2.7        100.1.20.21        6921    445       port-channel101 (6)TCP                0
10.50.2.9        10.11.20.200       2358    443       port-channel92 (6)TCP                0
10.50.2.8        100.1.20.4        34795   88        port-channel101 (6)TCP                8
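The cache above is device-wide and unsorted, so it is worth having a small script that turns it into records and answers the practical question behind the original post: which flows actually hit a logged ACE, and which destination ports are being swept up by the catch-all "permit ip log" line rather than one of the explicit permits. The following is an added example and not the poster's code or a Cisco tool; it parses the `show logging ip access-list cache` row format shown in the reply, and the sample output embedded in it is constructed to match that format (the hostname, addresses and hit counts are made up). The set of explicitly permitted ports is taken from the RBACL in the first post; the assumption that every cached entry came from that RBACL's log line is the script's, since the N7k cache does not say which ACL produced an entry.

```python
"""Summarise a Nexus 7000 'show logging ip access-list cache' table.

Added example (not from the original post). It parses the row layout the
reply shows, then reports which flows logged hits and which destination
ports are only being caught by a catch-all 'permit ip log' ACE.
"""
import re
from collections import Counter

# Constructed sample in the same layout as the reply's output; the
# hostname, addresses and hit counts are invented for this example.
SAMPLE_CACHE = """\
GR-N7K-2-CORE# show logging ip access-list cache
Src IP        Dst IP     S-Port    D-Port    Src Intf         Protocol           Hits
------------------------------------------------------------------------------------------------
10.50.2.8        10.50.1.100        34738   80        port-channel101 (6)TCP                0
10.50.2.8        100.1.20.76        34823   80        port-channel91 (6)TCP                6
10.50.2.9        10.11.20.200       2370    443       port-channel92 (6)TCP                9
10.50.2.7        10.50.1.105        5065    61896     port-channel101 (6)TCP                1
10.50.2.9        10.11.20.200       2384    443       port-channel92 (6)TCP                0
10.50.2.8        100.1.20.4         34795   88        port-channel101 (6)TCP                8
"""

# Ports the test RBACL in the first post permits with explicit, non-logging ACEs.
EXPLICIT_TCP_PORTS = {22, 80, 443, 1494, 2598, 3010, 8010, 8080, 8081}

# One data row: src, dst, sport, dport, interface, "(proto_num)NAME", hits.
ROW_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<intf>\S+)\s+"
    r"\((?P<proto_num>\d+)\)(?P<proto>\S+)\s+(?P<hits>\d+)\s*$"
)


def parse_cache(text):
    """Return one dict per data row; header, separator and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "intf": d["intf"], "proto": d["proto"], "hits": int(d["hits"]),
        })
    return rows


def flows_with_hits(rows):
    """Entries with a non-zero hit count, i.e. flows that actually matched a logged ACE."""
    return [r for r in rows if r["hits"] > 0]


def hits_by_dport(rows):
    """Total logged hits per destination port, to see what the log line is catching."""
    totals = Counter()
    for r in rows:
        totals[r["dport"]] += r["hits"]
    return totals


def ports_not_explicitly_permitted(rows, explicit_ports):
    """Destination ports with hits that no explicit permit covers (assumes every
    cached entry came from the RBACL's catch-all 'permit ip log' line)."""
    return sorted({r["dport"] for r in rows
                   if r["hits"] > 0 and r["dport"] not in explicit_ports})


if __name__ == "__main__":
    rows = parse_cache(SAMPLE_CACHE)
    for r in flows_with_hits(rows):
        print(f"{r['src']} -> {r['dst']}:{r['dport']} {r['proto']} via {r['intf']} hits={r['hits']}")
    print("hits by dst port:", dict(hits_by_dport(rows)))
    print("ports only caught by the catch-all:",
          ports_not_explicitly_permitted(rows, EXPLICIT_TCP_PORTS))
```

Feed it the real output with `parse_cache(open("cache.txt").read())`. The port list it reports is a starting point for tightening the RBACL (add an explicit permit or deny for each), after which the catch-all line should stop accumulating hits for those ports.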
