Nexus 1000v trustsec enforcement.

Sylvain Tdsc
Level 1

Hello,

I set up a lab with a Nexus 1000v and Cisco ISE 2.3, and I would like to use TrustSec to apply policies (RBACL) on the Nexus 1000v to block or allow traffic between VMs.

My setup seems good: when I assign an SGACL in the matrix, I can see on the Nexus 1000v that it is pushed, but the enforcement doesn't seem to work.


Here is a sample of my configuration:


!Command: show running-config port-profile VLAN102
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN102
  switchport mode access
  switchport access vlan 102
  cts manual
    policy static sgt 102 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

!Command: show running-config port-profile VLAN106
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN106
  switchport mode access
  switchport access vlan 106
  cts manual
    policy static sgt 106 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

And an example of an RBACL pushed to the Nexus 1000v that is not working:


N1000V_PRI# sh cts role-based policy
sgt:102
dgt:106 rbacl:Deny_ALL
        deny ip

However, my VLAN 102 can still communicate with VLAN 106.

And if I check the counters, I can see that all my traffic hits only the permit rule (which is the default rule):

N1000V_PRI# sh cts role-based counters
RBACL policy counters enabled
Counters last cleared: Never
Counters last updated on 11/17/2017 at 03:49:07 AM:
rbacl:Deny_ALL
        deny ip                                         [0]
rbacl:Deny_ICMP
        deny icmp                                       [0]
        permit ip                                       [0]
rbacl:Permit IP
        permit ip                                       [1806]

Any idea what I did wrong, or is there something I missed to activate enforcement on the Nexus 1000v?

Thank you.
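A small parser for the counter output above, added here as an example (it is not from the thread or from Cisco). It turns "show cts role-based counters" into a per-RBACL table and flags the pattern Sylvain describes: an installed deny RBACL with zero hits while the default permit RBACL absorbs every packet, which points at classification (the switch never matching the SGT/DGT pair) rather than at the ACL text. The sample text is copied from the post; the function names and the name of the default RBACL ("Permit IP") are assumptions of this example.

```python
import re

# Sample constructed from the post above: "show cts role-based counters" on the N1000V.
SAMPLE_COUNTERS = """\
RBACL policy counters enabled
Counters last cleared: Never
Counters last updated on 11/17/2017 at 03:49:07 AM:
rbacl:Deny_ALL
        deny ip                                         [0]
rbacl:Deny_ICMP
        deny icmp                                       [0]
        permit ip                                       [0]
rbacl:Permit IP
        permit ip                                       [1806]
"""

# "rbacl:<name>" opens a policy; names may contain spaces ("Permit IP").
RBACL_RE = re.compile(r"^rbacl:(?P<name>.+?)\s*$")
# Each ACE line: action, protocol, hit counter in square brackets.
ACE_RE = re.compile(r"^\s+(?P<action>permit|deny)\s+(?P<proto>\S.*?)\s+\[(?P<hits>\d+)\]\s*$")


def parse_rbacl_counters(text):
    """Return {rbacl_name: [(action, protocol, hits), ...]} in the order the switch lists them."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = RBACL_RE.match(line)
        if m:
            current = m.group("name")
            policies[current] = []
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            policies[current].append((m.group("action"), m.group("proto"), int(m.group("hits"))))
    return policies


def enforcement_check(policies, default_rbacl="Permit IP"):
    """Summarise where traffic lands.

    Returns (total_hits, hits_on_default, idle_deny_rbacls): an RBACL containing a deny
    line that has never been hit while the default RBACL carries all the traffic means
    the SGT/DGT lookup is not matching, not that the ACL is written wrong.
    """
    total = 0
    default_hits = 0
    idle_denies = []
    for name, aces in policies.items():
        hits = sum(h for _, _, h in aces)
        total += hits
        if name == default_rbacl:
            default_hits += hits
        elif hits == 0 and any(action == "deny" for action, _, _ in aces):
            idle_denies.append(name)
    return total, default_hits, idle_denies


if __name__ == "__main__":
    pols = parse_rbacl_counters(SAMPLE_COUNTERS)
    total, on_default, idle = enforcement_check(pols)
    for name, aces in pols.items():
        for action, proto, hits in aces:
            print(f"{name:12} {action:6} {proto:6} {hits}")
    if idle and on_default == total:
        print(f"all {total} hits on the default RBACL; deny RBACLs never matched: {idle}")
```

Run it against a pasted counter dump; if every hit sits on the default RBACL and the pushed deny lists are idle, look at how the source and destination SGTs are being learned (the replies below cover device tracking and the tag format) before touching the matrix.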

Accepted Solution

I figured out what the "problem" was with a packet capture.

Inter-VLAN routing is done by a 3750G in my lab, which means that the communication between my two VMs goes:

VM in VLAN102 > N1000v > 3750G > N1000v > VM in VLAN106.

Since the 3750G doesn't support SGT inline tagging, the Nexus 1000v has no clue about the SGT when the packet comes from the 3750G.

To conclude: I can do enforcement between VMs that are in the same VLAN and connected to different port-profiles with different SGTs, but if you want to do enforcement between VLANs with the Nexus 1000v, you have to add a Layer 3 device compatible with TrustSec.


5 Replies

hslai
Cisco Employee

Moved to TrustSec space.

jeaves@cisco.com
Cisco Employee

Check that 'cts device tracking' is configured ('show cts device tracking').

Also see if your endpoints are tracked, for example:

Kernow-N1kv# show cts ipsgt entries
Interface       SGT      IP ADDRESS   VRF/VLAN      Learnt
--------------  ------   ------------ ----------    ---------
Vethernet2      11       10.10.6.20   vlan:60       Device Tracking
Vethernet3      14       10.10.6.21   vlan:60       Device Tracking
Vethernet4      19       10.10.5.22   vlan:50       Device Tracking

Hello jeaves,

Yes, device tracking is enabled and my VMs appear in the list:

N1000V_PRI# sh cts ipsgt entries
Interface       SGT      IP ADDRESS          VRF/VLAN      Learnt
--------------  ------   ------------------- ----------    ---------
Vethernet4      106      10.10.106.85        vlan:106      Device Tracking
Vethernet5      106
Vethernet6      106
Vethernet7      106
Vethernet8      106      10.10.106.50        vlan:106      Device Tracking
Vethernet9      102      10.10.102.6         vlan:102      Device Tracking
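The check jeaves asks for above ("see if your endpoints are tracked") is easy to script. The following is an added example, not code from the thread or from Cisco: it parses "show cts ipsgt entries" and lists the vEthernet interfaces that carry an SGT but have no learned IP, which in Sylvain's dump are Vethernet5 through Vethernet7. Without an IP-SGT binding the switch cannot resolve a destination on that port to a DGT, so those hosts are worth checking first when a policy never matches. The sample text is copied from the post; the function names are assumptions of this example.

```python
import re

# Sample constructed from the post above: "show cts ipsgt entries" on the N1000V.
SAMPLE_IPSGT = """\
Interface       SGT      IP ADDRESS          VRF/VLAN      Learnt
--------------  ------   ------------------- ----------    ---------
Vethernet4      106      10.10.106.85        vlan:106      Device Tracking
Vethernet5      106
Vethernet6      106
Vethernet7      106
Vethernet8      106      10.10.106.50        vlan:106      Device Tracking
Vethernet9      102      10.10.102.6         vlan:102      Device Tracking
"""

# Interface and SGT are always present; IP, VRF/VLAN and Learnt only when a binding exists.
ENTRY_RE = re.compile(
    r"^(?P<intf>Vethernet\d+)\s+(?P<sgt>\d+)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vlan>\S+)\s+(?P<learnt>.+?))?\s*$"
)


def parse_ipsgt_entries(text):
    """Return one dict per vEthernet row; 'ip', 'vlan' and 'learnt' are None when unlearned."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "interface": m.group("intf"),
                "sgt": int(m.group("sgt")),
                "ip": m.group("ip"),
                "vlan": m.group("vlan"),
                "learnt": m.group("learnt"),
            })
    return entries


def untracked_interfaces(entries):
    """Interfaces that have a static SGT but no IP-SGT binding learned by device tracking."""
    return [e["interface"] for e in entries if e["ip"] is None]


def bindings_by_sgt(entries):
    """{sgt: [ip, ...]} for the bindings that do exist, handy for comparing against the matrix."""
    out = {}
    for e in entries:
        if e["ip"] is not None:
            out.setdefault(e["sgt"], []).append(e["ip"])
    return out


if __name__ == "__main__":
    rows = parse_ipsgt_entries(SAMPLE_IPSGT)
    print("untracked:", untracked_interfaces(rows))
    print("bindings:", bindings_by_sgt(rows))
```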

I guess you must have the right license otherwise I don't think you would have got this far.

Advanced Services License is required.

I notice your port profile is configured with tags in decimal. As far as I know, these should be entered in hex, as described here:

policy static sgt tag [trusted]: Configures a static authorization policy. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef. The trusted keyword indicates that traffic coming on the interface with this SGT should not have its tag overridden.

In your case:

  cts manual
    policy static sgt 0x66

  cts manual
    policy static sgt 0x6a

As you are connecting to hosts, the trusted attribute is not needed.
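To apply the advice in this reply across many port-profiles, here is an added example (not from the thread or from Cisco) that scans a running-config for "policy static sgt" lines written in decimal, rewrites each into the 0xhhhh form the quoted documentation calls for, enforces the documented 0x2 to 0xffef range, and drops the trusted keyword for host-facing profiles as suggested. The sample configuration is the one from the original post; the function names and the assumption that the decimal number typed is the ISE tag value to be expressed in hex (102 becomes 0x66, 106 becomes 0x6a) are this example's, following the reply above.

```python
import re

# Range quoted from the Nexus 1000V documentation in the reply above.
SGT_MIN, SGT_MAX = 0x2, 0xFFEF

# Sample constructed from the original post: two port-profiles with decimal SGT values.
SAMPLE_CONFIG = """\
port-profile type vethernet VLAN102
  switchport mode access
  switchport access vlan 102
  cts manual
    policy static sgt 102 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group
port-profile type vethernet VLAN106
  switchport mode access
  switchport access vlan 106
  cts manual
    policy static sgt 106 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group
"""

PROFILE_RE = re.compile(r"^port-profile type vethernet (\S+)")
SGT_RE = re.compile(r"^\s+policy static sgt (\S+)(?P<trusted>\s+trusted)?\s*$")


def sgt_to_hex(value):
    """Render a decimal SGT in the 0xhhhh form, refusing values outside the documented range."""
    if not SGT_MIN <= value <= SGT_MAX:
        raise ValueError(f"SGT {value} is outside 0x{SGT_MIN:x}-0x{SGT_MAX:x}")
    return f"0x{value:x}"


def audit_static_sgts(config, drop_trusted=True):
    """Return [(profile, original_line, suggested_line)] for static SGT lines not written in hex.

    drop_trusted=True follows the reply above: for host-facing vEthernet profiles the
    'trusted' keyword is not needed, so the suggestion omits it.
    """
    findings = []
    profile = None
    for line in config.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = SGT_RE.match(line)
        if not m:
            continue
        token = m.group(1)
        if token.lower().startswith("0x"):
            continue  # already in the documented 0xhhhh form
        if token.isdigit():
            suggested = "policy static sgt " + sgt_to_hex(int(token))
            if m.group("trusted") and not drop_trusted:
                suggested += " trusted"
            findings.append((profile, line.strip(), suggested))
    return findings


if __name__ == "__main__":
    for profile, before, after in audit_static_sgts(SAMPLE_CONFIG):
        print(f"{profile}: '{before}' -> '{after}'")
```

Feed it the output of "show running-config port-profile" and apply the suggested lines under "cts manual" in each profile; a value that falls outside the documented range raises instead of being silently rewritten.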

