TrustSec Monitor Mode

m.markocevic
Level 1

As far as I understand, the purpose of enabling monitor mode is to identify behavior for Cisco TrustSec deployments.


It is hard to find documentation about this topic. I have found a report in ISE, "RBACL Drop Summary", that uses Flexible NetFlow Export.


Is there a configuration for how this is done, and what fields are necessary to be exported?

What is the best practice to deploy monitor mode, and how do I monitor and identify the influence of the RBACL on the traffic?


BR Milan

Accepted Solution

jeaves@cisco.com
Cisco Employee

Hi,

Reply sent via another route/email, but pasting here as well for completeness:

There are a couple of topics here. One is monitoring flows in the network and the other is monitoring whether enforcement is effective.

So, for monitoring flows, yes, NetFlow is the key. Of course, we have Stealthwatch, which will not only show IP flows (and provide de-dup, flow stitching, quarantine magic, etc.) but also SGT information, as our switches export SGTs in NetFlow.

As for monitoring enforcement, yes, we did have a function on ISE that was meant to display information on SGACL drops but it never worked well and actually only partially worked for the Cat6k.

So, it is not an ISE function which should be used.

Instead, any syslog server could receive syslog messages from hits on SGACLs. This is how customers monitor enforcement actions (use 'log' at the end of SGACL ACEs).

Now, if you don’t want to initially enforce traffic but you want to test SGACLs, there are two options:

a) You simply use permits in your policy with the log keyword. No traffic will be dropped but you can monitor the hits via syslog.

b) Use permits and denies in your policy but provision them in ‘monitor mode’ which again, will not drop traffic but will allow for monitoring.

There are some documents available talking about monitor mode:

https://communities.cisco.com/docs/DOC-68150

https://communities.cisco.com/docs/DOC-68151

Hope this has been useful, any further questions then please come back.

Cheers, Jonothan.
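One way to act on the syslog approach described in the reply above, as an added example that is not part of the original thread or of any Cisco tool: a small Python script that parses SGACL hit messages and reports, per SGT/DGT pair, which SGACLs would have dropped traffic while the policy is still in monitor mode (or still permit+log). The %RBM-6-SGACLHIT key='value' layout is assumed from memory of the IOS/IOS-XE message and the sample lines are constructed, so check the fields against your own platform's output.

```python
import re
from collections import Counter

# key='value' pairs as emitted by the IOS/IOS-XE %RBM-6-SGACLHIT message
# (format assumed; verify against the syslog your switches actually send).
PAIR_RE = re.compile(r"(\w[\w-]*)='([^']*)'")

# Constructed sample syslog lines, not captured from a real device.
SAMPLE_LOGS = [
    "%RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/1' sgacl_name='Emp_to_Srv' "
    "action='Permit' protocol='tcp' src-ip='10.1.10.5' src-port='51234' dest-ip='10.2.20.8' "
    "dest-port='443' sgt='10' dgt='20' logging_interval_hits='1'",
    "%RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/1' sgacl_name='Emp_to_Srv' "
    "action='Deny' protocol='tcp' src-ip='10.1.10.5' src-port='51240' dest-ip='10.2.20.8' "
    "dest-port='22' sgt='10' dgt='20' logging_interval_hits='3'",
    "%RBM-6-SGACLHIT: ingress_interface='GigabitEthernet1/0/2' sgacl_name='Guest_to_Srv' "
    "action='Deny' protocol='udp' src-ip='10.1.30.7' src-port='5353' dest-ip='10.2.20.9' "
    "dest-port='53' sgt='30' dgt='20' logging_interval_hits='1'",
]


def parse_sgacl_hit(line):
    """Return the key/value fields of one SGACLHIT line, or None for any other message."""
    if "SGACLHIT" not in line:
        return None
    return dict(PAIR_RE.findall(line))


def summarize(lines):
    """Aggregate hits per (SGT, DGT, SGACL name, action), weighted by logging_interval_hits.

    With the policy in monitor mode, a Deny entry here is traffic that enforcement
    would have dropped; that is the list to review before switching enforcement on."""
    hits = Counter()
    for line in lines:
        fields = parse_sgacl_hit(line)
        if fields is None:
            continue
        key = (fields["sgt"], fields["dgt"], fields["sgacl_name"], fields["action"])
        hits[key] += int(fields.get("logging_interval_hits", "1"))
    return hits


def would_be_dropped(lines):
    """Sorted (sgt, dgt, sgacl_name, hit_count) tuples for Deny actions only."""
    return sorted((s, d, n, c) for (s, d, n, a), c in summarize(lines).items() if a == "Deny")


if __name__ == "__main__":
    for sgt, dgt, name, count in would_be_dropped(SAMPLE_LOGS):
        print(f"SGT {sgt} -> DGT {dgt}: {name} would drop {count} hit(s)")
```

Feed it the SGACL lines exported from your syslog server instead of SAMPLE_LOGS; any non-SGACL message is skipped.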


2 Replies

Craig Hyps
Level 10

May I suggest posting TrustSec questions to the TrustSec Community?

TrustSec
