Cisco TrustSec Implementation

Hi,

I would like to implement Cisco TrustSec on a Catalyst 6500 Series Supervisor Engine 2T to control access between the PCI system and the non-PCI system in the same subnet/VLAN.

Question: Can you configure classification/propagation/enforcement on a single device?

Please refer to the attached diagram.

Regards,

Eric


Hi Eric,

Yes, I don't see why not. As long as the 6500 has the IP-to-SGT bindings and an SGACL, then yes, you can enforce. You'd probably want to confirm you are running a validated firmware as per the TrustSec matrix: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/platform-capability-matrix.pdf

HTH


Will you be able to share the configuration, please?


Are you planning to use ISE to propagate the SGT Mappings/SGACL or are you just going to statically define them on the switch?


Hi

I am planning to configure it statically on the switch.


I don't have a 6500 to verify this configuration, but the following commands work on a CSR with Loopback interfaces. Note the ACL below is not a standard/extended ACL but rather a role-based ACL.

ip access-list role-based DENY
 deny ip

cts role-based sgt-map 192.168.1.10 sgt 10
cts role-based sgt-map 192.168.1.20 sgt 20
cts role-based sgt-map 192.168.1.30 sgt 30
cts role-based permissions from 10 to 20 DENY
cts role-based permissions from 10 to 30 DENY
cts role-based enforcement

Use the command "show cts role-based counters" to verify that hits increase for denies.

Any traffic not explicitly denied is permitted.

I'd obviously suggest testing the commands in the lab before implementing them in production.
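Added example, not from the thread or from Cisco: a small Python model of how the static configuration above is evaluated per (source SGT, destination SGT) cell, so the "anything not explicitly denied is permitted" behaviour can be audited before it reaches production (for instance, 10 to 20 is denied, but 20 to 10 and 20 to 30 fall through to the default and are permitted). The regex parsing and the function names are this example's own; it models only "permit ip"/"deny ip" RBACLs, treats hosts without a binding as SGT 0 (unknown), and honours an optional "cts role-based permissions default" line.

```python
import ipaddress
import re

# Constructed sample (not Cisco's parser or output): the static TrustSec
# configuration posted in the thread, as it would appear in 'show running-config'.
CONFIG = """\
ip access-list role-based DENY
 deny ip
cts role-based sgt-map 192.168.1.10 sgt 10
cts role-based sgt-map 192.168.1.20 sgt 20
cts role-based sgt-map 192.168.1.30 sgt 30
cts role-based permissions from 10 to 20 DENY
cts role-based permissions from 10 to 30 DENY
cts role-based enforcement
"""


def parse_config(text):
    """Extract bindings, RBACL verdicts, the permission matrix and the default."""
    policy = {"bindings": {}, "rbacls": {}, "cells": {}, "default": None, "enforce": False}
    rbacl = None
    for line in text.splitlines():
        if m := re.match(r"ip access-list role-based (\S+)", line):
            rbacl = m.group(1)
        elif line.startswith(" ") and rbacl:  # ACE inside the RBACL; first one decides
            policy["rbacls"].setdefault(rbacl, line.split()[0])
        elif m := re.match(r"cts role-based sgt-map (\S+) sgt (\d+)", line):
            policy["bindings"][ipaddress.ip_network(m.group(1))] = int(m.group(2))
        elif m := re.match(r"cts role-based permissions from (\d+) to (\d+) (\S+)", line):
            policy["cells"][(int(m.group(1)), int(m.group(2)))] = m.group(3)
        elif m := re.match(r"cts role-based permissions default (\S+)", line):
            policy["default"] = m.group(1)
        elif line.strip() == "cts role-based enforcement":
            policy["enforce"] = True
    return policy


def classify(policy, ip):
    """Longest-prefix match of a host address against the static IP-to-SGT bindings."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, sgt) for net, sgt in policy["bindings"].items() if addr in net]
    return max(hits)[1] if hits else 0  # unbound host: SGT 0 (unknown)


def evaluate(policy, src_ip, dst_ip):
    """Verdict for one flow: the (src SGT, dst SGT) cell's RBACL, else the default."""
    if not policy["enforce"]:
        return "permit"
    cell = policy["cells"].get((classify(policy, src_ip), classify(policy, dst_ip)))
    # No explicit cell falls to the default RBACL; no default configured means permit.
    return policy["rbacls"].get(cell or policy["default"], "permit")
```

Running `evaluate(parse_config(CONFIG), "192.168.1.20", "192.168.1.10")` returns "permit", which is the kind of gap a default-deny cell would close if that is the intent.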


Thanks. It works on 6506 too.
