Trustsec query

ALAN MURRAY — Mon, 11 Mar 2019 04:10:29 GMT

Hi All,

I'm having trouble figuring out exactly what I need to do for my trustec solution. I have the following topology:-

ISE 1.2

Cisco 2960-X - 2 x Cisco 7004 (each has 3 vdc - dist, core and DC) - Cisco 5548

I have configured each vdc on all the 7004s as a seed devices (probably do not need that many). All devices have been configured on ISE.

I am running SXP between the 2960-X and the distribution vdc on the 7004 - that all seems fine as my SXP devices all show as connected.

My cts environment data appears to be correct in that I am seeing all my seed devices and my SGTs are being downloaded from ISE. The cts pac is also correct. I am seeing my SGACLs being downloaded from ISE as well.

The two problems I see are:-

Unless I manually configure the sgt-map on the 7004 I do not see the mappings. I'm obviously missing something configuration wise here but for all my trolling through trustsec documents I can't find what.

When I do a show cts role-based policy I see the source and destination groups being associated but I don't see the SGACL association - for example:-

sgt:7(Student_SG)

dgt:3(Test_SG) rbacl:Deny IP

deny ip

whereas I would expect to see this SGACL:-

rbacl:Test_SGACL

permit tcp dst eq 80

permit tcp dst eq 443

deny all

All the documentation I read seems to refer to having a 6500 switch as the next hop from the access layer whereas in my case it is a Nexus 7004 and the commands for the 6500 series do not all have an equivalent on the 7004.

Basically I need to know about enforcement on the 7004.

Does anyone know of any links I can look at to try and sort out what I need to do to complete this configuration?

Thanks

Alan

Re: Trustsec query

jkilleda — Fri, 23 Mar 2018 07:44:51 GMT

Hello Alan,

Trustsec query
Check if you have cisco secure ACS , dynamic ARP inspection or DHCP snooping available on you cisco NX-OS device .

topic Trustsec query in Network Access Control

Trustsec query

Re: Trustsec query