Hi All,
I'm having trouble figuring out exactly what I need to do for my TrustSec solution. I have the following topology:-
ISE 1.2
Cisco 2960-X - 2 x Cisco 7004 (each has 3 vdc - dist, core and DC) - Cisco 5548
I have configured each vdc on all the 7004s as a seed device (probably do not need that many). All devices have been configured on ISE.
I am running SXP between the 2960-X and the distribution vdc on the 7004 - that all seems fine as my SXP devices all show as connected.
My cts environment data appears to be correct in that I am seeing all my seed devices and my SGTs are being downloaded from ISE. The cts pac is also correct. I am seeing my SGACLs being downloaded from ISE as well.
The two problems I see are:-
Unless I manually configure the sgt-map on the 7004 I do not see the mappings. I'm obviously missing something configuration-wise here, but for all my trawling through TrustSec documents I can't find what.
When I do a show cts role-based policy I see the source and destination groups being associated, but I don't see the SGACL association - for example:-
sgt:7(Student_SG)
dgt:3(Test_SG) rbacl:Deny IP
deny ip
whereas I would expect to see this SGACL:-
rbacl:Test_SGACL
permit tcp dst eq 80
permit tcp dst eq 443
deny all
All the documentation I read seems to refer to having a 6500 switch as the next hop from the access layer whereas in my case it is a Nexus 7004 and the commands for the 6500 series do not all have an equivalent on the 7004.
Basically I need to know about enforcement on the 7004.
Does anyone know of any links I can look at to try and sort out what I need to do to complete this configuration?
Thanks
Alan
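Added example, not from the post or from Cisco: a small Python checker that parses `show cts role-based policy` output in the layout shown above and flags any (sgt, dgt) pair whose downloaded SGACL is not the one intended (for instance "Deny IP" where Test_SGACL was expected) or that has no policy at all. The sample output and the expected-policy table are constructed for illustration; the parser assumes the layout seen in the post (an sgt header line, dgt lines carrying the rbacl name, then that rbacl's ACE lines).

```python
import re

# Constructed `show cts role-based policy` output in the layout the post shows
# (sgt header, then dgt lines carrying the rbacl name, then that rbacl's ACEs).
# All SGT/DGT numbers, group names and ACEs are made up for illustration.
SAMPLE_OUTPUT = """\
sgt:7(Student_SG)
dgt:3(Test_SG) rbacl:Deny IP
  deny ip
dgt:4(Web_SG) rbacl:Test_SGACL
  permit tcp dst eq 80
  permit tcp dst eq 443
  deny all
"""

# The SGACL each (sgt, dgt) pair is meant to enforce, as authored in ISE (constructed).
EXPECTED = {(7, 3): "Test_SGACL", (7, 4): "Test_SGACL", (7, 5): "Test_SGACL"}

SGT_RE = re.compile(r"^sgt:(\d+)\(([^)]+)\)")
DGT_RE = re.compile(r"^dgt:(\d+)\(([^)]+)\)\s+rbacl:(.+?)\s*$")


def parse_policy(text):
    """Return {(sgt, dgt): (rbacl_name, [ace, ...])} from the show output."""
    policy, sgt, aces = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SGT_RE.match(line):
            sgt, aces = int(m.group(1)), None      # new source group block
        elif (m := DGT_RE.match(line)) and sgt is not None:
            aces = []
            policy[(sgt, int(m.group(1)))] = (m.group(3), aces)
        elif aces is not None:
            aces.append(line)                      # ACE of the current rbacl
    return policy


def find_mismatches(policy, expected):
    """List (sgt, dgt) pairs whose downloaded SGACL is missing or not the intended one."""
    problems = []
    for (sgt, dgt), want in sorted(expected.items()):
        got = policy.get((sgt, dgt))
        if got is None:
            problems.append(f"sgt {sgt} -> dgt {dgt}: no policy downloaded")
        elif got[0] != want:
            problems.append(f"sgt {sgt} -> dgt {dgt}: bound to {got[0]!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for p in find_mismatches(parse_policy(SAMPLE_OUTPUT), EXPECTED):
        print(p)
```

Feed it the real output of `show cts role-based policy` from the 7004 and the pairs you configured in ISE; an empty result means the downloaded enforcement policy matches what was authored.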