Beginner

Nexus 1000v trustsec enforcement.

Hello,

I set up a lab with a nexus 1000v and Cisco ISE 2.3 and I would like to use trustsec to apply policies (RBACL) on the nexus 1000v to block or allow traffic between VMs.

My setup seems good: when I assign an SGACL in the matrix, I can see on the Nexus 1000v that it is pushed, but the enforcement doesn't seem to work.

Here is a sample of my configuration:


!Command: show running-config port-profile VLAN102
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN102
  switchport mode access
  switchport access vlan 102
  cts manual
    policy static sgt 102 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

!Command: show running-config port-profile VLAN106
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN106
  switchport mode access
  switchport access vlan 106
  cts manual
    policy static sgt 106 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

and an example of an RBACL pushed to the Nexus 1000v which is not working:

N1000V_PRI# sh cts role-based policy
sgt:102
dgt:106 rbacl:Deny_ALL
        deny ip

Although this is pushed, my VLAN 102 can still communicate with VLAN 106.

And if I check the counters I can see that all my traffic hits only the permit rule (which is the default rule):

N1000V_PRI# sh cts role-based counters
RBACL policy counters enabled
Counters last cleared: Never
Counters last updated on 11/17/2017 at 03:49:07 AM:
rbacl:Deny_ALL
        deny ip                                         [0]
rbacl:Deny_ICMP
        deny icmp                                       [0]
        permit ip                                       [0]
rbacl:Permit IP
        permit ip                                       [1806]

Any idea what I did wrong, or is there something I missed to activate enforcement on the Nexus 1000v?

Thank you.
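The counter output above is the symptom a defender would want to detect automatically: deny RBACLs pushed from ISE sitting at zero hits while the default permit rule carries all traffic. The following is an added example (not code from the thread or from Cisco) that parses a constructed copy of the 'show cts role-based counters' output and flags that condition; the RBACL names and hit values are taken from the sample above.

```python
import re

# Constructed sample modelled on the 'show cts role-based counters' output in the thread.
COUNTERS_OUTPUT = """\
RBACL policy counters enabled
Counters last cleared: Never
Counters last updated on 11/17/2017 at 03:49:07 AM:
rbacl:Deny_ALL
        deny ip                                         [0]
rbacl:Deny_ICMP
        deny icmp                                       [0]
        permit ip                                       [0]
rbacl:Permit IP
        permit ip                                       [1806]
"""

RBACL_RE = re.compile(r"^rbacl:(?P<name>.+?)\s*$")
ACE_RE = re.compile(r"^\s+(?P<ace>(?:permit|deny)\s+\S+)\s+\[(?P<hits>\d+)\]\s*$")


def parse_counters(text):
    """Return {rbacl_name: [(ace, hits), ...]} from 'show cts role-based counters' text."""
    policies, current = {}, None
    for line in text.splitlines():
        m = RBACL_RE.match(line)
        if m:
            current = m.group("name")
            policies[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            policies[current].append((m.group("ace"), int(m.group("hits"))))
    return policies


def enforcement_check(policies, default_rbacl="Permit IP"):
    """Flag the thread's symptom: every deny ACE at 0 hits while the default
    permit RBACL (name assumed to be 'Permit IP', as in the sample) sees traffic."""
    deny_hits = sum(h for name, aces in policies.items() if name != default_rbacl
                    for ace, h in aces if ace.startswith("deny"))
    default_hits = sum(h for _, h in policies.get(default_rbacl, []))
    idle = sorted(name for name, aces in policies.items()
                  if name != default_rbacl and all(h == 0 for _, h in aces))
    return {"deny_hits": deny_hits, "default_hits": default_hits,
            "idle_rbacls": idle, "suspect": default_hits > 0 and deny_hits == 0}
```

A `suspect` result means the pushed RBACLs are never consulted for the observed flows, which (as the accepted answer shows) usually points at the SGT being lost on the path rather than at the policy itself.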

Accepted Solution
Beginner

Re: Nexus 1000v trustsec enforcement.

I figured out what the "problem" was with a packet capture.

Inter-VLAN routing is done with a 3750G in my lab, which means that the communication between my two VMs goes:

VM in VLAN102 > N1000v > 3750G > N1000v > VM in VLAN106.

Since the 3750G doesn't support SGT inline tagging, the Nexus 1000v has no clue about the SGT when the packet comes from the 3750G.

To conclude, I can do enforcement between VMs that are in the same VLAN and connected to different port-profiles with different SGTs, but if you want to do enforcement between VLANs with the Nexus 1000v, you have to add a Layer 3 device compatible with TrustSec services.


5 Replies
Cisco Employee

Re: Nexus 1000v trustsec enforcement.

Moved to TrustSec space.

Cisco Employee

Re: Nexus 1000v trustsec enforcement.

Check that 'cts device tracking' is configured ('show cts device tracking').

Also see if your endpoints are tracked, for example:

Kernow-N1kv# show cts ipsgt entries
Interface       SGT      IP ADDRESS   VRF/VLAN      Learnt
--------------  ------   ------------ ----------    ---------
Vethernet2      11       10.10.6.20   vlan:60       Device Tracking
Vethernet3      14       10.10.6.21   vlan:60       Device Tracking
Vethernet4      19       10.10.5.22   vlan:50       Device Tracking

Beginner

Re: Nexus 1000v trustsec enforcement.

Hello Jeaves,

Yes, device tracking is enabled and my VMs appear in the list:

N1000V_PRI# sh cts ipsgt entries
Interface       SGT      IP ADDRESS          VRF/VLAN      Learnt
--------------  ------   ------------------- ----------    ---------
Vethernet4      106      10.10.106.85        vlan:106      Device Tracking
Vethernet5      106
Vethernet6      106
Vethernet7      106
Vethernet8      106      10.10.106.50        vlan:106      Device Tracking
Vethernet9      102      10.10.102.6         vlan:102      Device Tracking

Cisco Employee

Re: Nexus 1000v trustsec enforcement.

I guess you must have the right license otherwise I don't think you would have got this far.

Advanced Services License is required.

I notice your port profile is configured with tags in decimal. As far as I know, these should be entered in hex as described here:

policy static sgt tag [trusted]: Configures a static authorization policy. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef. The trusted keyword indicates that traffic coming on the interface with this SGT should not have its tag overridden.

In your case:

  cts manual
    policy static sgt 0x66

  cts manual
    policy static sgt 0x6a

As you are connecting to hosts then the trusted attribute is not needed.
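The reply above gives the 0xhhhh form and the 0x2 to 0xffef range for the tag argument. As an added example (not code from the thread or from Cisco), the following lints a constructed port-profile excerpt modelled on the original poster's configuration, rewrites decimal tags into the hex form, drops the trusted keyword on host-facing profiles as suggested, and rejects tags outside the quoted range.

```python
import re

# Constructed excerpt modelled on the two port-profiles posted in the thread (decimal SGTs).
RUNNING_CONFIG = """\
port-profile type vethernet VLAN102
  switchport mode access
  switchport access vlan 102
  cts manual
    policy static sgt 102 trusted
    role-based enforcement
port-profile type vethernet VLAN106
  cts manual
    policy static sgt 106 trusted
    role-based enforcement
"""

SGT_MIN, SGT_MAX = 0x2, 0xFFEF  # range quoted in the reply above
SGT_LINE_RE = re.compile(
    r"^(?P<indent>\s*)policy static sgt (?P<tag>\S+)(?P<trusted>\s+trusted)?\s*$")


def to_hex_sgt(tag):
    """Normalise a tag given in decimal or 0xhhhh form to 0xhhhh; raise if out of range."""
    value = int(tag, 16) if tag.lower().startswith("0x") else int(tag, 10)
    if not SGT_MIN <= value <= SGT_MAX:
        raise ValueError(f"SGT {tag} is outside 0x2-0xffef")
    return f"0x{value:x}"


def lint_sgt_lines(config, host_facing=True):
    """Return (rewritten_config, findings); findings pairs each changed line with its fix.
    host_facing=True drops 'trusted', as the reply recommends for profiles facing hosts."""
    out, findings = [], []
    for line in config.splitlines():
        m = SGT_LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        hex_tag = to_hex_sgt(m.group("tag"))
        trusted = "" if host_facing else (m.group("trusted") or "")
        fixed = f"{m.group('indent')}policy static sgt {hex_tag}{trusted}"
        if fixed != line:
            findings.append((line.strip(), fixed.strip()))
        out.append(fixed)
    return "\n".join(out) + "\n", findings
```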
