I figured out what the "problem" was with a packet capture. Inter-VLAN routing is done with a 3750G in my lab, which means that the communication between my two VMs goes: VM in VLAN102 > N1000v > 3750G > N1000v > VM in VLAN106. Since the 3750G doesn't support SGT inline tagging, the Nexus 1000v has no clue about the SGT when the packet comes from the 3750G. To conclude, I can do enforcement between VMs that are in the same VLAN and connected to different port-profiles with different SGTs, but if you want to do enforcement between VLANs with the Nexus 1000v, you have to add a Layer 3 device compatible with TrustSec services.
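To make the conclusion above concrete, here is an added, constructed model of the lab (not the poster's configuration, nor any Cisco code): the SGT is assigned at the source vEthernet port-profile, each hop either carries it inline or drops it, and the enforcing N1000v can only match a cell of the RBACL matrix when it still knows the source SGT. The port-profile names VLAN102 and VLAN106, the SGT values and the RBACL Deny_ALL come from the thread; the extra profile VLAN102_SGT106, the hop name TrustSec_L3 and the SGT-awareness flags are assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed model of the thread's lab. VLAN102 / VLAN106 carry the SGTs the
# poster configured with "cts manual / policy static sgt"; VLAN102_SGT106 is a
# hypothetical second profile in VLAN 102 (the same-VLAN case that worked).
PORT_PROFILE_SGT: Dict[str, int] = {
    "VLAN102": 102,
    "VLAN106": 106,
    "VLAN102_SGT106": 106,   # assumption: second port-profile in VLAN 102, SGT 106
}

# Whether a hop forwards the SGT inline to the next hop. The 3750G in the
# thread cannot; TrustSec_L3 is a hypothetical TrustSec-capable L3 device.
SGT_INLINE: Dict[str, bool] = {
    "N1000v": True,
    "3750G": False,
    "TrustSec_L3": True,
}

# RBACL matrix as pushed by ISE in the thread: (sgt, dgt) -> (rbacl, action).
RBACL: Dict[Tuple[int, int], Tuple[str, str]] = {
    (102, 106): ("Deny_ALL", "deny"),
}
# The implicit rule whose counter kept incrementing in the poster's output.
DEFAULT_RULE: Tuple[str, str] = ("default", "permit")


def sgt_seen_at_enforcement(src_profile: str, path: List[str]) -> Optional[int]:
    """SGT known to the last hop of `path` (the N1000v doing the lookup).

    The tag is set once at the source port-profile; any intermediate hop that
    cannot carry it inline forwards the frame untagged, so the tag is lost.
    """
    sgt: Optional[int] = PORT_PROFILE_SGT[src_profile]
    for hop in path[:-1]:          # the last hop is where enforcement happens
        if not SGT_INLINE[hop]:
            sgt = None
    return sgt


def enforce(src_profile: str, dst_profile: str, path: List[str],
            counters: Dict[str, int]) -> Tuple[str, str]:
    """Pick the RBACL entry a frame hits and bump its counter.

    The DGT is always known locally (the destination port-profile); a cell
    matches only when the SGT is also known, otherwise the default rule hits,
    which is exactly the symptom in the counters output.
    """
    sgt = sgt_seen_at_enforcement(src_profile, path)
    dgt = PORT_PROFILE_SGT[dst_profile]
    rule = DEFAULT_RULE if sgt is None else RBACL.get((sgt, dgt), DEFAULT_RULE)
    counters[rule[0]] = counters.get(rule[0], 0) + 1
    return rule


def run_lab() -> Tuple[Dict[str, Tuple[str, str]], Dict[str, int]]:
    """Replay the three cases discussed in the thread and return (verdicts, counters)."""
    counters: Dict[str, int] = {}
    verdicts = {
        # same VLAN, two port-profiles with different SGTs: stays on the N1000v
        "same_vlan": enforce("VLAN102", "VLAN102_SGT106", ["N1000v"], counters),
        # inter-VLAN through the 3750G: SGT dropped, falls through to permit
        "inter_vlan_3750G": enforce("VLAN102", "VLAN106",
                                    ["N1000v", "3750G", "N1000v"], counters),
        # inter-VLAN through a TrustSec-capable L3 device: cell matches again
        "inter_vlan_trustsec": enforce("VLAN102", "VLAN106",
                                       ["N1000v", "TrustSec_L3", "N1000v"], counters),
    }
    return verdicts, counters


if __name__ == "__main__":
    verdicts, counters = run_lab()
    for case, (rbacl, action) in verdicts.items():
        print(f"{case:22s} -> {action:6s} ({rbacl})")
    print("counters:", counters)
```

Running it shows the same-VLAN and TrustSec-L3 cases hitting Deny_ALL while the 3750G path lands on the default permit, which is the pattern a practitioner should look for when `show cts role-based counters` only ever increments the default rule: check whether every hop between the two enforcement points actually propagates the SGT.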
Hello, I set up a lab with a Nexus 1000v and Cisco ISE 2.3 and I would like to use TrustSec to apply policies (RBACL) on the Nexus 1000v to block or allow traffic between VMs. My setup seems good: when I assign an SGACL in the matrix, I can see on the Nexus 1000v that it is pushed, but the enforcement doesn't seem to work. Here is a sample of my configuration:

!Command: show running-config port-profile VLAN102
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN102
  switchport mode access
  switchport access vlan 102
  cts manual
    policy static sgt 102 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

!Command: show running-config port-profile VLAN106
version 5.2(1)SV3(2.8)
port-profile type vethernet VLAN106
  switchport mode access
  switchport access vlan 106
  cts manual
    policy static sgt 106 trusted
    role-based enforcement
  no shutdown
  state enabled
  vmware port-group

and an example of an RBACL pushed to the Nexus 1000v which is not working:

N1000V_PRI# sh cts role-based policy
sgt:102 dgt:106 rbacl:Deny_ALL
  deny ip

Although, my VLAN 102 can still communicate with VLAN 106. And if I check the counters, I can see that all my traffic hits only the permit rule (which is the default rule):

N1000V_PRI# sh cts role-based counters
RBACL policy counters enabled
Counters last cleared: Never
Counters last updated on 11/17/2017 at 03:49:07 AM:
rbacl:Deny_ALL
  deny ip
rbacl:Deny_ICMP
  deny icmp
permit ip
rbacl:Permit IP
  permit ip

Any ideas of what I did wrong, or is there something I missed to activate enforcement on the Nexus 1000v? Thank you.