02-13-2018 05:12 AM
As far as I understand, the purpose of enabling monitor mode is to identify behavior for Cisco TrustSec deployments.
It is hard to find documentation about this topic. I have found a report in ISE, "RBACL Drop Summary", that uses Flexible NetFlow Export.
Is there a configuration for how this is done, i.e. which fields are necessary to be exported?
What is the best practice to deploy monitor mode, and how do I monitor and identify the influence of the RBACL on the traffic?
BR Milan
02-14-2018 09:03 AM
Hi,
reply sent via another route/email but pasting here as well for completeness:
There are a couple of topics here. One is monitoring flows in the network and the other is monitoring whether enforcement is effective.
So, for monitoring flows, yes, NetFlow is the key. Of course, we have Stealthwatch, which will not only show IP flows (and provide de-dup, flow stitching, quarantine magic, etc.) but also SGT information, as our switches export SGTs in NetFlow.
As for monitoring enforcement, yes, we did have a function on ISE that was meant to display information on SGACL drops, but it never worked well and actually only partially worked for the Cat6k.
So, it is not an ISE function which should be used.
Instead, any syslog server could receive syslog messages from hits on SGACLs – this is how customers monitor enforcement actions (use 'log' at the end of SGACL ACEs).
Now, if you don't want to initially enforce traffic but you want to test SGACLs, there are two options:
a) You simply use permits in your policy with the log keyword. No traffic will be dropped, but you can monitor the hits via syslog.
b) Use permits and denies in your policy, but provision them in 'monitor mode', which again will not drop traffic but will allow for monitoring.
There are some documents available talking about monitor mode:
https://communities.cisco.com/docs/DOC-68150
https://communities.cisco.com/docs/DOC-68151
Hope this has been useful, any further questions then please come back.
Cheers, Jonothan.
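One way to turn the syslog hits described above into the "influence of the RBACL on the traffic" view the question asks for, as an added example that is not part of this thread or of any Cisco tool: it totals SGACL hits per source/destination SGT pair, SGACL name and action, so that under permit+log or monitor mode the Deny rows show which flows would start being dropped once enforcement is switched on. The message layout (a %RBM-6-SGACLHIT line with key='value' fields) and the sample lines are constructed for this example; verify them against the format your platform actually emits before relying on the field names.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The key='value' layout is an assumption
# made for this example, not taken from the thread or from Cisco documentation.
SAMPLE_SYSLOG = """\
<190>Feb 14 09:03:11 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/1' sgacl_name='Deny_Web' action='Deny' protocol='tcp' src-ip='10.1.1.5' src-port='51234' dest-ip='10.2.2.10' dest-port='443' sgt='10' dgt='20' logging_interval_hits='4'
<190>Feb 14 09:03:12 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/2' sgacl_name='Permit_DNS' action='Permit' protocol='udp' src-ip='10.1.1.6' src-port='40000' dest-ip='10.2.2.53' dest-port='53' sgt='10' dgt='30' logging_interval_hits='12'
<190>Feb 14 09:03:15 sw1 %RBM-6-SGACLHIT: ingress_interface='Gi1/0/1' sgacl_name='Deny_Web' action='Deny' protocol='tcp' src-ip='10.1.1.7' src-port='51240' dest-ip='10.2.2.10' dest-port='443' sgt='10' dgt='20' logging_interval_hits='2'
Feb 14 09:03:16 sw1 %SYS-5-CONFIG_I: Configured from console by admin
"""

# Matches one key='value' pair; keys may contain '-' (src-ip) or '_' (sgacl_name).
FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")


def parse_sgacl_hits(text):
    """Yield one dict of fields per SGACLHIT line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        if "SGACLHIT" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        # Only accept lines that carry the fields the summary needs.
        if {"sgacl_name", "action", "sgt", "dgt"} <= fields.keys():
            # Switches typically batch hits per logging interval; default to 1 if absent.
            fields["hits"] = int(fields.get("logging_interval_hits", "1"))
            yield fields


def enforcement_impact(text):
    """Sum hits per (source SGT, destination SGT, SGACL name, action)."""
    totals = Counter()
    for f in parse_sgacl_hits(text):
        totals[(f["sgt"], f["dgt"], f["sgacl_name"], f["action"])] += f["hits"]
    return totals


def would_be_dropped(text):
    """Rows that monitor mode / permit+log let through but enforcement would deny."""
    return {k: v for k, v in enforcement_impact(text).items() if k[3].lower() == "deny"}


if __name__ == "__main__":
    for (sgt, dgt, name, action), hits in sorted(enforcement_impact(SAMPLE_SYSLOG).items()):
        print(f"SGT {sgt} -> DGT {dgt}  {name:<12} {action:<6} {hits:>5} hits")
```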
02-14-2018 07:01 AM
May I suggest posting TrustSec questions to the TrustSec Community?