MS Group Policy - Syslogs

RaphaelL
Kind of a big deal


Hi ,


We are currently using Group Policy on our MS switch via a RADIUS attribute ( https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying... )


Is it me, or is the L3 firewall from the GP not triggering syslogs?


Our security teams are concerned about the fact that there are no logs generated.

ww
Kind of a big deal

I don't know the answer, but I would like to know 🙂


My assumption here is that syslog only logs flows. But group policy and switch ACLs both use stateless rules (like an ACL), and therefore there will be no flow logging.

RaphaelL
Kind of a big deal

That actually makes more sense than expected 😁

KarstenI
Kind of a big deal

Another assumption: Switch ACLs don't log because sending the logs is a control/management-plane action. The frame would have to leave the hardware-switched data plane to send the logs.

GIdenJoe
Kind of a big deal

You'd be lucky if you at least have a screen that shows ACL hits on a switch.

Switches use ASICs, which statelessly forward frames, so there is no CPU involvement.

You need CPU for logging.


If you really need logging you'll need to have this in your network design.

For example, security between VLANs that don't require logging can be routed on the core switch.

The rest need to be forwarded to a firewall.


In Cisco designs (not Meraki) you have multiple VRFs on your core switches, and you can then have networks that need to pass an upstream firewall on different VRFs. Then you don't need to stretch your layer 2 over your core switch, which is in fact not the best design.
