Cisco Support Community
Trustsec query

Hi All,

I'm having trouble figuring out exactly what I need to do for my TrustSec solution. I have the following topology:-

ISE 1.2

Cisco 2960-X - 2 x Cisco 7004 (each has 3 vdc - dist, core and DC) - Cisco 5548

I have configured each vdc on all the 7004s as seed devices (probably do not need that many). All devices have been configured on ISE.

I am running SXP between the 2960-X and the distribution vdc on the 7004 - that all seems fine as my SXP devices all show as connected.

My cts environment data appears to be correct in that I am seeing all my seed devices and my SGTs are being downloaded from ISE. The cts pac is also correct. I am seeing my SGACLs being downloaded from ISE as well.

The two problems I see are:-

Unless I manually configure the sgt-map on the 7004 I do not see the mappings. I'm obviously missing something configuration-wise here, but for all my trawling through TrustSec documents I can't find what.

When I do a show cts role-based policy I see the source and destination groups being associated but I don't see the SGACL association - for example:-

dgt:3(Test_SG)  rbacl:Deny IP
        deny ip

whereas I would expect to see this SGACL:-

        permit tcp dst eq 80
        permit tcp dst eq 443
        deny all

All the documentation I read seems to refer to having a 6500 switch as the next hop from the access layer whereas in my case it is a Nexus 7004 and the commands for the 6500 series do not all have an equivalent on the 7004.

Basically I need to know about enforcement on the 7004.

Does anyone know of any links I can look at to try and sort out what I need to do to complete this configuration?
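One way to make the mismatch described in this post visible in a repeatable way is to parse the text of `show cts role-based policy` and compare each downloaded SGT/DGT pairing against the SGACL you expect ISE to push. The script below is an added example, not part of the original post and not Cisco or ISE code. Its sample output is constructed from the two-line format quoted above (`dgt:...  rbacl:...` followed by indented ACEs); the `sgt:` header lines, the exact spacing, and the expected-policy table are assumptions, so adjust the regular expressions to the real output of your NX-OS release before relying on it.

```python
"""Parse 'show cts role-based policy' text and flag SGACL bindings that differ
from what is expected. Added example; output format assumed from the post."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the lines quoted in the post. The 'sgt:' header
# lines and the Web_Allow policy are assumptions, not captured device output.
SAMPLE_OUTPUT = """\
sgt:2(Users)
dgt:3(Test_SG)  rbacl:Deny IP
        deny ip
sgt:4(Web)
dgt:3(Test_SG)  rbacl:Web_Allow
        permit tcp dst eq 80
        permit tcp dst eq 443
        deny all
"""

# What ISE is supposed to have pushed for each (source SGT, destination SGT) pair.
# Constructed to mirror the poster's expected SGACL; assumption, not real policy.
EXPECTED_SGACL = ["permit tcp dst eq 80", "permit tcp dst eq 443", "deny all"]
EXPECTED = {
    (2, 3): ("Web_Allow", EXPECTED_SGACL),
    (4, 3): ("Web_Allow", EXPECTED_SGACL),
}

SGT_RE = re.compile(r"^sgt:(\d+)\((\S+)\)")
DGT_RE = re.compile(r"^dgt:(\d+)\((\S+)\)\s+rbacl:(.+?)\s*$")


@dataclass
class Policy:
    sgt: Optional[int]      # None if no 'sgt:' header preceded the dgt line
    dgt: int
    dgt_name: str
    rbacl: str
    aces: list = field(default_factory=list)


def parse_role_based_policy(text: str) -> list:
    """Return one Policy per 'dgt:' line, carrying the ACEs indented beneath it."""
    policies = []
    current_sgt = None
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = SGT_RE.match(line)
        if m:
            current_sgt = int(m.group(1))
            current = None
            continue
        m = DGT_RE.match(line)
        if m:
            current = Policy(sgt=current_sgt, dgt=int(m.group(1)),
                             dgt_name=m.group(2), rbacl=m.group(3))
            policies.append(current)
            continue
        # Indented lines are the ACEs of the most recent rbacl.
        if current is not None and line.startswith(" "):
            current.aces.append(line.strip())
    return policies


def check_expected(policies: list, expected: dict) -> list:
    """Compare parsed bindings with the expected table; return human-readable findings."""
    found = {(p.sgt, p.dgt): p for p in policies}
    findings = []
    for (sgt, dgt), (name, aces) in expected.items():
        p = found.get((sgt, dgt))
        if p is None:
            findings.append(f"sgt {sgt} -> dgt {dgt}: no policy downloaded")
        elif p.rbacl != name:
            findings.append(f"sgt {sgt} -> dgt {dgt}: device has rbacl '{p.rbacl}', expected '{name}'")
        elif p.aces != aces:
            findings.append(f"sgt {sgt} -> dgt {dgt}: ACEs differ: {p.aces} vs {aces}")
    return findings


def run_check(text: str = SAMPLE_OUTPUT, expected: dict = EXPECTED) -> list:
    return check_expected(parse_role_based_policy(text), expected)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Run it against the pasted output of the command on the 7004; an empty result means every expected pairing is present with the right SGACL, and a `device has rbacl 'Deny IP'` line reproduces exactly the symptom in the post.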