Nexus 1000v TrustSec Configuration

In this blog post, I'm going to actually configure the Nexus 1000v for TrustSec. I'm going to walk through configuring the SXP connection, downloading the environmental data, and then assigning SGTs to devices. 

Note: The Nexus 1000v requires the Advanced Services license in order to enable the 802.1x, TrustSec and SXP features.

Before configuring the Nexus 1000v, navigate in ISE to Administration>Network Resources>Network Devices and click on the Nexus 1000v if you've already created it, or create it now. Check the box next to Advanced TrustSec Settings and fill in the following:

 

In the above configuration, use the Device ID for TrustSec identification, configure a password, and check the box so that other TrustSec devices will trust this device.

On the Nexus 1000v, configure the following:

svs switch edition advanced - Enables the advanced license
feature dot1x - Enables the 802.1x feature
feature cts - Enables the Cisco TrustSec feature
feature dhcp - Enables the DHCP feature

Next we will configure some CTS-specific commands:
cts enable - This should already be enabled by default after you turn on the feature, but if it isn't, enter this command
ip dhcp snooping - Enables DHCP snooping for CTS device tracking
ip dhcp snooping vlan 100 - Enables DHCP snooping on the VLANs
cts device-id NX-Sw1 password networknode - Configures a unique device ID and password. They should match what's in ISE
cts sxp enable - Enables the SXP feature
cts device tracking - Enables device tracking on TrustSec. It'll track the IP addresses from ARP/IP traffic inspection on the VEMs and from DHCP snooping.
cts sxp default password networknode - Configures the SXP default password
cts sxp default source-ip 10.1.100.4 - Configures the mgmt0 interface as the SXP default source IPv4 address
cts sxp retry-period 60 - Specifies the SXP retry timer period
cts interface delete-hold 60 - Specifies the delete hold timer period for an interface. Default is 60 seconds.
cts sxp connection peer 10.1.100.21 source 10.1.100.4 password default mode listener vrf management - Configures the SXP connection to the peer
radius-server host 10.1.100.21 key networknode pac authentication accounting - Configures the RADIUS server host with key and PAC
aaa group server radius ISE - Specifies the RADIUS server group and enters RADIUS group config mode
server 10.1.100.21 - Specifies the RADIUS (ISE) server
use-vrf management - Specifies the management VRF instance for the AAA server group
aaa authorization cts default group ISE - Specifies the RADIUS server groups to use for Cisco TrustSec authorization
aaa accounting default group ISE - Specifies the RADIUS server groups for accounting

Next we will configure the static SGT bindings on the port-profiles:

port-profile Proxy
cts manual
policy static sgt 0x8
no propagate-sgt

port-profile ADISE
cts manual
policy static sgt 0x7
no propagate-sgt

port-profile NetworkServices
cts manual
policy static sgt 0x3
no propagate-sgt

port-profile Infrastructure
cts manual
policy static sgt 0x2
no propagate-sgt

port-profile ProductionServer
cts manual
policy static sgt 0xB
no propagate-sgt

port-profile SecurityServer
cts manual
policy static sgt 0x5
no propagate-sgt

Now we're going to configure TrustSec enforcement:

cts role-based counters enable - Enable RBACL statistics

port-profile Proxy
cts manual
role-based enforcement

port-profile ADISE
cts manual
role-based enforcement

port-profile NetworkServices
cts manual
role-based enforcement

port-profile Infrastructure
cts manual
role-based enforcement

port-profile ProductionServer
cts manual
role-based enforcement

port-profile SecurityServer
cts manual
role-based enforcement

Now that we've configured the Nexus 1000v for TrustSec, applied tags to the port-profiles, and started enforcing the policy, let's verify that it's working.

show cts role-based policy

 

show cts role-based counters

show cts role-based access-list

 

show cts sxp connection

 

show cts sxp

 

In ISE, navigate to Work Centers>TrustSec>SXP>All SXP Mappings to view the IP-SGT mappings communicated via SXP.
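
An offline check of the configuration built above, as an added example that is not part of the original post: it parses saved config text, reports each port-profile's static SGT in decimal, and flags tagged profiles that lack role-based enforcement or an SXP connection whose source differs from the default source-ip. The sample config and its two mistakes are constructed, and the function name audit is hypothetical.

```python
import re

# Constructed sample in the style of this post's config, with two deliberate
# mistakes: a mismatched SXP source and a tagged but unenforced profile (ADISE).
SAMPLE = """\
cts sxp default source-ip 10.1.100.4
cts sxp connection peer 10.1.100.21 source 10.100.4 password default mode listener vrf management
port-profile Proxy
cts manual
policy static sgt 0x8
no propagate-sgt
role-based enforcement
port-profile ADISE
cts manual
policy static sgt 0x7
no propagate-sgt
port-profile ProductionServer
cts manual
policy static sgt 0xB
no propagate-sgt
role-based enforcement
"""

def audit(config):
    """Return ({profile: sgt as int}, [findings]) for NX-OS config text."""
    sgts, enforced, peers, findings = {}, set(), [], []
    default_src = profile = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"cts sxp default source-ip (\S+)", line):
            default_src = m.group(1)
        elif m := re.match(r"cts sxp connection peer (\S+) source (\S+)", line):
            peers.append(m.groups())
        elif m := re.match(r"port-profile\s+(?:type \S+\s+)?(\S+)", line):
            profile = m.group(1)  # stanzas may repeat; state is keyed by name
        elif profile and (m := re.match(r"policy static sgt (0x[0-9a-fA-F]+)", line)):
            sgts[profile] = int(m.group(1), 16)  # hex in the config, stored as int
        elif profile and line == "role-based enforcement":
            enforced.add(profile)
    for peer, src in peers:
        if default_src and src != default_src:
            findings.append(f"SXP peer {peer}: source {src} != default {default_src}")
    for name, sgt in sgts.items():
        if name not in enforced:
            findings.append(f"port-profile {name}: SGT {sgt} set, no role-based enforcement")
    return sgts, findings

if __name__ == "__main__":
    tags, problems = audit(SAMPLE)
    print(tags, *problems, sep="\n")
```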