I'm having trouble figuring out exactly what I need to do for my TrustSec solution. I have the following topology:
Cisco 2960-X - 2 x Cisco 7004 (each has 3 VDCs - dist, core and DC) - Cisco 5548
I have configured each VDC on all the 7004s as a seed device (probably do not need that many). All devices have been configured on ISE.
I am running SXP between the 2960-X and the distribution vdc on the 7004 - that all seems fine as my SXP devices all show as connected.
My CTS environment data appears to be correct in that I am seeing all my seed devices and my SGTs are being downloaded from ISE. The CTS PAC is also correct. I am seeing my SGACLs being downloaded from ISE as well.
The two problems I see are:
Unless I manually configure the sgt-map on the 7004 I do not see the mappings. I'm obviously missing something configuration-wise here, but for all my trawling through TrustSec documents I can't find what.
When I do a show cts role-based policy I see the source and destination groups being associated, but I don't see the SGACL association - for example:
dgt:3(Test_SG) rbacl:Deny IP
whereas I would expect to see this SGACL:
permit tcp dst eq 80
permit tcp dst eq 443
All the documentation I read seems to refer to having a 6500 switch as the next hop from the access layer whereas in my case it is a Nexus 7004 and the commands for the 6500 series do not all have an equivalent on the 7004.
Basically I need to know about enforcement on the 7004.
Does anyone know of any links I can look at to try and sort out what I need to do to complete this configuration?
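As an added illustration (this is not part of the original post and not taken from any Cisco document), the NX-OS configuration skeleton for SGACL enforcement on a Nexus 7000 VDC, together with the show commands used to verify it. The device name, password, VLAN number, IP address and SGT value are hypothetical placeholders; the SXP connection to the 2960-X is assumed to be already established, as the post states.

```text
! Nexus 7004, distribution VDC (all values hypothetical)
feature cts
cts device-id N7K-DIST password <device-password>   ! must match the network device entry in ISE
cts role-based counters enable                      ! per-cell hit counters for troubleshooting

! Static IP-to-SGT binding (the manual workaround mentioned in the post)
cts role-based sgt-map 10.1.10.50 3

! On NX-OS, SGACL enforcement is switched on per VLAN, not globally
vlan 10
  cts role-based enforcement

! Verification
show cts environment-data          ! environment data: seed devices, SGT names
show cts role-based sgt-map        ! all IP-to-SGT bindings, including those learned over SXP
show cts role-based policy         ! source/destination SGT matrix with the RBACL name per cell
show cts role-based access-list    ! the permit/deny entries of each downloaded RBACL
show cts role-based counters       ! hits per cell once enforcement is on
```

Note that show cts role-based policy lists only the RBACL name bound to each source/destination cell; the permit and deny lines of the RBACL itself are displayed by show cts role-based access-list.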