Hi All,

I'm having trouble figuring out exactly what I need to do for my trustec solution. I have the following topology:-

ISE 1.2

Cisco 2960-X - 2 x Cisco 7004 (each has 3 vdc - dist, core and DC) - Cisco 5548

I have configured each vdc on all the 7004s as a seed devices (probably do not need that many). All devices have been configured on ISE.

I am running SXP between the 2960-X and the distribution vdc on the 7004 - that all seems fine as my SXP devices all show as connected.

My cts environment data appears to be correct in that I am seeing all my seed devices and my SGTs are being downloaded from ISE. The cts pac is also correct. I am seeing my SGACLs being downloaded from ISE as well.

The two problems I see are:-

Unless I manually configure the sgt-map on the 7004 I do not see the mappings. I'm obviously missing something configuration wise here but for all my trolling through trustsec documents I can't find what.

When I do a show cts role-based policy I see the source and destination groups being associated but I don't see the SGACL association - for example:-

sgt:7(Student_SG)

dgt:3(Test_SG)  rbacl:Deny IP

        deny ip

whereas I would expect to see this SGACL:-

rbacl:Test_SGACL

        permit tcp dst eq 80

        permit tcp dst eq 443

        deny all

All the documentation I read seems to refer to having a 6500 switch as the next hop from the access layer whereas in my case it is a Nexus 7004 and the commands for the 6500 series do not all have an equivalent on the 7004.

Basically I need to know about enforcement on the 7004.

Does anyone know of any links I can look at to try and sort out what I need to do to complete this configuration?

Thanks

Alan