11-16-2017 08:59 PM - edited 03-11-2019 01:10 AM
Hello,
I set up a lab with a nexus 1000v and Cisco ISE 2.3 and I would like to use trustsec to apply policies (RBACL) on the nexus 1000v to block or allow traffic between VMs.
My setup seems good: when I assign an SGACL in the matrix, I can see on the nexus 1000v that it is pushed, but the enforcement doesn't seem to work.
Here is a sample of my configuration:
!Command: show running-config port-profile VLAN102
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN102
  switchport mode access
  switchport access vlan 102
  cts manual
    policy static sgt 102 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

!Command: show running-config port-profile VLAN106
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN106
  switchport mode access
  switchport access vlan 106
  cts manual
    policy static sgt 106 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group
and an example of an RBACL pushed to the nexus 1000v which is not working:
N1000V_PRI# sh cts role-based policy
sgt:102
dgt:106 rbacl:Deny_ALL
        deny ip
Although my VLAN 102 can still communicate with VLAN 106.
And if I check the counters I can see that all my traffic hits only the permit rule (which is the default rule):
N1000V_PRI# sh cts role-based counters
RBACL policy counters enabled
Counters last cleared: Never
Counters last updated on 11/17/2017 at 03:49:07 AM:
rbacl:Deny_ALL
        deny ip                 [0]
rbacl:Deny_ICMP
        deny icmp               [0]
        permit ip               [0]
rbacl:Permit IP
        permit ip               [1806]
Any ideas of what I did wrong, or is there something I missed to activate enforcement on the Nexus 1000v?
Thank you.
11-20-2017 03:42 PM
I figured out what the "problem" was with a packet capture.
Inter-VLAN routing is done by a 3750G in my lab, which means that the communication between my two VMs goes:
VM in VLAN102 > N1000v > 3750G > N1000v > VM in VLAN106.
Since the 3750G doesn't support SGT inline tagging, the Nexus 1000v has no clue about the SGT when the packet comes from the 3750G.
To conclude, I can do enforcement between VMs that are in the same VLAN and connected to different port-profiles with different SGTs, but if you want to do enforcement between VLANs with the Nexus 1000v, you have to add a Layer 3 device compatible with TrustSec services.
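To make the conclusion above concrete, here is an added example (not from the thread or from Cisco) that parses the two 'show cts' outputs quoted in this thread and runs a simplified model of egress SGACL enforcement over three paths for the same VM-to-VM flow. The model itself is an assumption, not the N1000v code path: the source SGT comes from an inline tag or the ingress vEthernet's static SGT, the destination SGT from the IP-SGT table, and anything unresolved falls to the default permit; the uplink name 'Ethernet3/1' and the vEth-to-SGT mapping are constructed from the thread's output.

```python
import re
# Constructed samples modelled on the 'show cts' output quoted in the thread, not copied from a device.
IPSGT_OUTPUT = """\
Interface       SGT    IP ADDRESS          VRF/VLAN   Learnt
--------------  ------ ------------------- ---------- ---------
Vethernet8      106    10.10.106.50        vlan:106   Device Tracking
Vethernet9      102    10.10.102.6         vlan:102   Device Tracking
"""
POLICY_OUTPUT = """\
sgt:102
dgt:106 rbacl:Deny_ALL
        deny ip
"""
# Static SGT per vEthernet, as set by 'policy static sgt' in the port-profiles (assumed vEth-to-profile mapping).
PORT_SGT = {"Vethernet9": 102, "Vethernet8": 106}

def parse_ipsgt(text):
    """Return {ip: sgt} from 'show cts ipsgt entries'; used for the destination SGT lookup."""
    rows = re.findall(r"^Vethernet\d+\s+(\d+)\s+(\d+(?:\.\d+){3})", text, re.M)
    return {ip: int(sgt) for sgt, ip in rows}

def parse_policy(text):
    """Return {(sgt, dgt): action} from 'show cts role-based policy' (first ACE of each cell)."""
    policy, sgt, dgt = {}, None, None
    for line in text.splitlines():
        if line.startswith("sgt:"):
            sgt = int(line.split(":")[1])
        elif line.startswith("dgt:"):
            dgt = int(line.split(":")[1].split()[0])
        elif line.strip().startswith(("permit", "deny")) and sgt is not None:
            policy.setdefault((sgt, dgt), line.split()[0])
    return policy

def enforce(ingress, dst, inline_sgt, ipsgt, policy):
    """Simplified egress-enforcement model (an assumption, not the N1000v code path): source SGT =
    inline tag, else the ingress vEthernet's static SGT, else unknown; dgt from the IP-SGT table."""
    sgt = inline_sgt if inline_sgt is not None else PORT_SGT.get(ingress)
    dgt = ipsgt.get(dst)
    if sgt is None or dgt is None:
        return "permit (default: SGT unknown)"   # no SGACL cell can match, so the default permit counts
    return policy.get((sgt, dgt), "permit (default)")

def run():
    """Three paths for 10.10.102.6 -> 10.10.106.50; 'Ethernet3/1' is a constructed uplink name."""
    ipsgt, policy = parse_ipsgt(IPSGT_OUTPUT), parse_policy(POLICY_OUTPUT)
    return [
        enforce("Vethernet9", "10.10.106.50", None, ipsgt, policy),   # delivered by the N1000v itself
        enforce("Ethernet3/1", "10.10.106.50", None, ipsgt, policy),  # hairpinned via the 3750G, tag lost
        enforce("Ethernet3/1", "10.10.106.50", 102, ipsgt, policy),   # via a TrustSec-capable L3 hop
    ]
```

The second path reproduces the thread's symptom: the Deny_ALL cell never matches because the returning frame carries no SGT, so only the default permit counter increments.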
11-17-2017 08:30 AM
Moved to TrustSec space.
11-17-2017 08:40 AM
Check that 'cts device tracking' is configured ('show cts device tracking').
Also see if your endpoints are tracked, for example:
Kernow-N1kv# show cts ipsgt entries
Interface       SGT    IP ADDRESS    VRF/VLAN   Learnt
--------------  ------ ------------  ---------- ---------
Vethernet2      11     10.10.6.20    vlan:60    Device Tracking
Vethernet3      14     10.10.6.21    vlan:60    Device Tracking
Vethernet4      19     10.10.5.22    vlan:50    Device Tracking
11-19-2017 01:35 PM
Hello Jeaves,
Yes, device tracking is enabled and my VMs appear in the list:
N1000V_PRI# sh cts ipsgt entries
Interface       SGT    IP ADDRESS           VRF/VLAN   Learnt
--------------  ------ -------------------  ---------- ---------
Vethernet4      106    10.10.106.85         vlan:106   Device Tracking
Vethernet5      106
Vethernet6      106
Vethernet7      106
Vethernet8      106    10.10.106.50         vlan:106   Device Tracking
Vethernet9      102    10.10.102.6          vlan:102   Device Tracking
11-20-2017 02:15 AM
I guess you must have the right license otherwise I don't think you would have got this far.
Advanced Services License is required.
I notice your port profile is configured with tags in decimal. As far as I know, these should be entered in hex as described here:
policy static sgt tag [trusted]: Configures a static authorization policy. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef. The trusted keyword indicates that traffic coming on the interface with this SGT should not have its tag overridden.
In your case:
cts manual
  policy static sgt 0x66

cts manual
  policy static sgt 0x6a

As you are connecting to hosts, the trusted attribute is not needed.