Cisco Nexus 1000V Security Configuration Guide, Release 4.2(1)SV2(2.1)
Configuring Cisco TrustSec
Downloads: This chapterpdf (PDF - 1.56MB) The complete bookPDF (PDF - 5.57MB) | The complete bookePub (ePub - 1.44MB) | Feedback

Contents

Configuring Cisco TrustSec

This chapter contains the following sections:

Information About Cisco TrustSec

Cisco TrustSec Architecture

The Cisco TrustSec security architecture enables you to build secure networks by establishing clouds of trusted network devices. Each device in the cloud is authenticated by its neighbors. Communication on the links between devices in the cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms.

Cisco TrustSec uses the device and user identification information that is acquired during authentication for classifying or tagging the packets as they enter the network. These packets are tagged on ingress to the Cisco TrustSec network so that they can be identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.


Note


Ingress refers to when a packet enters the first Cisco TrustSec-capable device on its path to the destination and egress refers to when a packet leaves the last Cisco TrustSec-capable device on the path.


This figure shows an example of a Cisco TrustSec cloud.

Figure 1. Cisco TrustSec Network Cloud Example

The Cisco TrustSec architecture consists of the following major components:

  • Authentication—Verifies the identity of each device before allowing them to join the Cisco TrustSec network.
  • Authorization—Decides the level of access to the Cisco TrustSec network resources that is based on the authenticated identity of the device.
  • Access control—Applies access policies on a per-packet basis using the source tags on each packet.
  • Secure communication—Provides encryption, integrity, and data-path replay protection for the packets that flow over each link in the Cisco TrustSec network.

SGACLs and SGTs

In security group access lists (SGACLs), you can control the operations that users can perform based on assigned security groups. The grouping of permissions into a role simplifies the management of the security policy. As you add users to the Cisco NX-OS device, you assign one or more security groups and they immediately receive the appropriate permissions. You can modify security groups to introduce new privileges or restrict current permissions.

Cisco TrustSec assigns a unique 16-bit tag, called the security group tag (SGT), to a security group. The number of SGTs in the Cisco NX-OS device is limited to the number of authenticated network entities. The SGT is a single label that indicates the privileges of the source within the entire enterprise. Its scope is global within a Cisco TrustSec network.

The management server derives the SGTs based on the security policy configuration. You do not have to configure them manually.

Once authenticated, Cisco TrustSec tags any packet that originates from a device with the SGT that represents the security group to which the device is assigned. The packet carries this SGT throughout the network within the Cisco TrustSec header. Because this tag represents the group of the source, the tag is referred to as the source SGT. At the egress edge of the network, Cisco TrustSec determines the group that is assigned to the packet destination device and applies the access control policy.

Cisco TrustSec defines access control policies between the security groups. By assigning devices within the network to security groups and applying access control between and within the security groups, Cisco TrustSec achieves access control within the network. The following figure shows an example of an SGACL policy.

Figure 2. SGACL Policy Example

This following figure shows how the SGT assignment and the SGACL enforcement operate in a Cisco TrustSec network.

Figure 3. SGT and SGACL in Cisco TrustSec Network

The Cisco NX-OS device defines Cisco TrustSec access control policy for a group of devices as opposed to IP addresses in traditional ACLs. With such a decoupling, the network devices are free to move throughout the network and change IP addresses. Entire network topologies can change. As long as the roles and the permissions remain the same, changes to the network do not change the security policy. Cisco TrustSec greatly reduces size of ACLs and simplifies their maintenance.

In traditional IP networks, the number of access control entries (ACEs) configured is determined as follows:

The number of ACEs = (The number of sources specified) X (The number of destinations specified) X (The number of permissions specified)

Cisco TrustSec uses the following formula:

The number of ACEs = The number of permissions specified

Determining the Source Security Group

A network device at the ingress of the Cisco TrustSec cloud needs to determine the SGT of the packet that enters the Cisco TrustSec cloud so that it can tag the packet with that SGT when it forwards it into the Cisco TrustSec cloud. The egress network device needs to determine the SGT of the packet so that it can apply the SGACLs.

The network device can determine the SGT for a packet in one of the following methods:

  • Obtain the source SGT during policy acquisition—After the Cisco TrustSec authentication phase, a network device acquires a policy from an authentication server. The authentication server indicates whether the peer device is trusted or not. If a peer device is not trusted, the authentication server can also provide an SGT to apply to all packets that come from the peer device.
  • Obtain the source SGT field from the Cisco TrustSec header—If a packet comes from a trusted peer device, the Cisco TrustSec header carries the correct SGT field if the network device is not the first network device in the Cisco TrustSec cloud for the packet.
  • Look up the source SGT based on the source IP address—In some cases, you can manually configure the policy to decide the SGT of a packet that is based on the source IP address. The SGT Exchange Protocol (SXP) can also populate the IP-address-to-SGT mapping table.

SXP for SGT Propagation on the Cisco Nexus 1000V

You can use SXP to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. The SXP protocol is used to propagate the IP addresses of virtual machines and their corresponding SGTs up to the upstream Cisco TrustSec-capable switches. On the egress side, the enforcement of the Role Based Access Control (RBACL) takes place at the egress interface on the Cisco TrustSec-capable distribution switch.

The SXP for SGT propagation involves the following steps:

  • Setting up SXP connection—You must configure each peer on the SXP connection as either an SXP speaker or an SXP listener. The speaker device distributes the SXP information (IP-SGT mappings) to the listener device. For Cisco TrustSec on the Cisco Nexus 1000V, the Cisco Nexus 1000V is configured as the SXP speaker in all peer connections.
  • Tracking and obtaining IP-SGT mapping—You must manually assign a SGT to a Virtual Machine. The SGT configurations are assigned to a port profile or to a virtual Ethernet interface. When you bring up a Virtual Machine, the SGT configurations that are assigned to the port profile are associated with the Virtual Machine. You must configure IP device tracking and DHCP snooping so that the Cisco Nexus 1000V can track the IP addresses that are assigned to the ports. If you configure both IP device tracking and DHCP snooping, the information that is learned through both the sources is used to obtain the IP addresses of all the interfaces.
  • Communicating IP-SGT mapping through SXP—On the SXP platform, the IP-SGT mapping is stored in the SXP local database and is distributed to SXP listeners through SXP. For any new IP-SGT mappings, the Cisco Nexus 1000V checks the local database for new IP-SGT mappings or duplicates. The changes are then communicated to the upstream SXP listeners through SXP.

Setting up an SXP connection manually requires that you do the following:

  • If you require SXP data integrity and authentication, you must configure both the same SXP password on both peer devices. You can configure the SXP password either explicitly for each peer connection or globally for the device. The SXP password is not required.
  • You must configure each peer on the SXP connection as either an SXP speaker or an SXP listener. The speaker device distributes the SXP information to the listener device.
  • You can specify a source IP address to use for each peer relationship or you can configure a default source IP address for peer connections where you have not configured a specific source IP address.

Licensing Requirements for Cisco TrustSec

The following table shows the licensing requirements for this feature:

Feature License Requirement

Cisco TrustSec

This feature requires an Advanced License. See the Cisco Nexus 1000V License Configuration Guide for more information on the licensing requirements for Cisco Nexus 1000V.

Prerequisites for Cisco TrustSec

  • You must enable the Cisco TrustSec feature.
  • You must enable the Cisco TrustSec SXP.
  • You must install the Advanced Services license.

Guidelines and Limitations for Cisco TrustSec

  • Cisco TrustSec supports IPv4 addressing only.
  • The Cisco Nexus 1000V Virtual Supervisor Module (VSM) is always configured as the SXP speaker in all peer connections.
  • To assign an SGT to a Virtual Machine, you must manually configure SGT interactions in the port profile or vEthernet interface. This feature is not supported on a management interface or an Ethernet interface.
  • A maximum of 2048 IP-SGT mappings can be learned system-wide in the DVS. This total is for both entries learned through DHCP snooping and device tracking of individual VMs by ARP as well as IP traffic inspection.
  • The IP-SGT mappings can be communicated to up to 64 SXP peer devices.

Default Settings

Table 1 Default Cisco TrustSec Settings

Parameters

Default

Cisco TrustSec

Disabled

SXP

Disabled

SXP default password

None

SXP reconcile period

120 seconds

SXP retry period

60 seconds

Device Tracking

Enabled

Interface delete hold timer

60 seconds

Configuring Cisco TrustSec

Enabling the Cisco TrustSec Feature

You must enable the Cisco TrustSec feature on the Cisco Nexus 1000V before you can configure Cisco TrustSec.

Before You Begin
  • Log in to the CLI in EXEC mode.
  • Ensure that you have installed the Advanced Services license.
Procedure
      Command or Action Purpose
    Step 1 switch# configure terminal  

    Enters global configuration mode.

     
    Step 2 switch(config)# [no] feature cts  

    Enables (or disables when you use the no form) the Cisco TrustSec feature.

     
    Step 3 switch(config)# show cts   (Optional)

    Displays the Cisco TrustSec configuration.

     
    Step 4 switch(config)# show feature   (Optional)

    Displays the enabled status for features.

     
    Step 5 copy running-config startup-config
     
    (Optional)

    Copies the running configuration to the startup configuration.

     

    This example shows how to enable the Cisco TrustSec feature:

    switch# configure terminal
    switch(config)# feature cts
    switch(config)# show cts
    CTS Global Configuration
    ==============================
    CTS support : enabled
    CTS device identity : not configured
    SGT : 0
    CTS caching support : disabled
    
    Number of CTS interfaces in 
    DOT1X mode : 0
    Manual mode : 0
    switch(config)#
    
    switch(config)# show feature
    Feature Name Instance State 
    -------------------- -------- --------
    cts 1 enabled 
    dhcp-snooping 1 enabled 
    http-server 1 enabled 
    lacp 1 disabled
    netflow 1 disabled
    network-segmentation 1 disabled
    port-profile-roles 1 disabled
    private-vlan 1 disabled
    segmentation 1 disabled
    sshServer 1 enabled 
    tacacs 1 disabled
    telnetServer 1 enabled 
    vtracker 1 disabled
    switch(config)#
    

    Enabling Cisco TrustSec SXP

    You can enable the Cisco TrustSec SXP on the Cisco Nexus 1000V.

    Before You Begin
    • Log in to the CLI in EXEC mode.
    • You must enable the Cisco TrustSec feature.
    • You must install the Advanced Services license.
    Procedure
        Command or Action Purpose
      Step 1 switch# configure terminal 

      Enters global configuration mode.

       
      Step 2 switch(config)# [no] cts sxp enable 

      Enables (or disables when you use the no form) the Cisco TrustSec SXP feature. The default is disabled.

       
      Step 3 switch(config)# show cts sxp  (Optional)

      Displays the Cisco TrustSec SXP configuration.

       
      Step 4 switch(config)# copy running-config startup-config  (Optional)

      Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

       

      This example shows how to enable the Cisco TrustSec SXP:

      switch# configure terminal
      switch(config)# cts sxp enable
      switch(config)# show cts sxp
      CTS SXP Configuration:
      SXP enabled
      SXP default password configured
      SXP retry timeout:60
      SXP reconcile timeout:120
      Minimum SXP Version: 1
      Maximum SXP Version:1
      switch(config)# 
      

      Configuring Cisco TrustSec Device Tracking

      You can configure device tracking to enable learning of IP address of Virtual Machines by inspecting the Address Resolution Protocol (ARP) and IP traffic on virtual Ethernet ports.

      Before You Begin
      • Log in to the CLI in EXEC mode.
      • You must enable the Cisco TrustSec SXP.
      • You must enable the Cisco TrustSec feature.
      • You must install the Advanced Services license.
      Procedure
          Command or Action Purpose
        Step 1 switch# configure terminal 

        Enters global configuration mode.

         
        Step 2 switch(config)# cts device tracking  

        Enables the device tracking on Cisco TrustSec.

        Note   

        The Cisco Nexus 1000V supports tracking of IP addresses from the ARP/IP traffic inspection on the VEMs and from DHCP snooping. Cisco TrustSec device tracking tracks IP addresses using the ARP/IP traffic inspection on the VEMs. To enable the Cisco TrustSec device tracking to track IP addresses from the DHCP snooping, you must also enable the DHCP snooping feature.

        By default, device tracking is enabled.

         
        Step 3 switch(config)# show cts device tracking   (Optional)

        Displays Cisco TrustSec device tracking configuration.

         
        Step 4 switch(config)# copy running-config startup-config  (Optional)

        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

         

        This example shows how to configure Cisco TrustSec device tracking:

        switch# configure terminal
        switch(config)# cts device tracking
        enabled
        switch(config)# 
        

        Configuring a Default SXP Password

        By default, SXP uses no password when setting up connections. You can configure a default SXP password for the Cisco NX-OS device.

        Before You Begin
        • Log in to the CLI in EXEC mode.
        • You must enable the Cisco TrustSec SXP.
        • You must enable the Cisco TrustSec feature.
        • You must install the Advanced Services license.
        Procedure
            Command or Action Purpose
          Step 1 switch# configure terminal 

          Enters global configuration mode.

           
          Step 2 switch(config)# cts sxp default password [word | 7] password  

          Configures the SXP default password using the following options:

          • word—Specifies unencrypted default password.
          • 7—Specifies encrypted default password.

          By default, no SXP password will be used.

           
          Step 3 switch(config)# show cts sxp   (Optional)

          Displays the SXP configuration.

           
          Step 4 switch(config)# show running-config cts   (Optional)

          Displays the running configuration for Cisco TrustSec.

           
          Step 5 switch(config)# copy running-config startup-config  (Optional)

          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

           

          This example shows how to configure the default SXP password:

          switch# configure terminal
          switch(config)# cts sxp default password 7 CiscoPassword
          switch(config)# cts cts sxp
          CTS SXP Configuration:
          SXP enabled
          SXP default password configured
          SXP retry timeout:60
          SXP reconcile timeout:120
          Minimum SXP Version: 1
          Maximum SXP Version:1
          

          Configuring a Default SXP Source IPv4 Address

          The Cisco NX-OS software uses the default source IPv4 address in all new TCP connections where a source IPv4 address is not specified. There is no effect on existing TCP connections when you configure the default SXP source IPv4 address.

          Before You Begin
          • Log in to the CLI in EXEC mode.
          • You must enable the Cisco TrustSec SXP.
          • You must enable the Cisco TrustSec feature.
          • You must install the Advanced Services license.
          Procedure
              Command or Action Purpose
            Step 1 switch# configure terminal 

            Enters global configuration mode.

             
            Step 2 switch(config)# cts sxp default password password  

            Configures the SXP default password.

             
            Step 3 switch(config)# cts sxp default source-ip src-ip-addr  

            Configures the SXP default source IPv4 address.

             
            Step 4 switch(config)# show cts sxp   (Optional)

            Displays the SXP configuration.

             
            Step 5 switch(config)# copy running-config startup-config  (Optional)

            Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

             

            This example shows how to configure the default SXP source IPv4 address:

            switch# configure terminal
            switch# cts sxp default password xyzexy
            switch(config)# cts sxp default source-ip 10.78.1.73
            switch(config)# show cts sxp
            CTS SXP Configuration:
            SXP enabled
            SXP default password configured
            Default Source IP Address:10.78.1.73
            SXP retry timeout:60
            SXP reconcile timeout:120
            Minimum SXP Version: 1
            Maximum SXP Version:1
            switch(config)# 
            

            Configuring Cisco TrustSec SGTs in a Port Profile

            You can configure unique Cisco TrustSec security group tags (SGTs) as part of a port profile configuration or a vEthernet interface. The SGT is then associated with all the Virtual Machines that inherit the port profile.

            Before You Begin
            • Log in to the CLI in EXEC mode.
            • You must enable the Cisco TrustSec SXP.
            • You must enable the Cisco TrustSec feature.
            • You must install the Advanced Services license.
            Procedure
                Command or Action Purpose
              Step 1 switch# configure terminal 

              Enters global configuration mode.

               
              Step 2 switch(config)# port-profile name  

              Enters port profile configuration mode for the named port profile. If the port profile does not already exist, it is created.

               
              Step 3 switch(config-port-prof)# cts sgt tag  

              Configures the SGT for packets sent from the device. The tag argument is a local SGT for the device that is a hexadecimal value with the format 0xhhhh. The range is from 1 to 65519.

               
              Step 4 switch(config-port-prof)# show cts sxp sgt-map   (Optional)

              Displays the mapping of the IP address to SGT for Cisco TrustSec.

               
              Step 5 switch(config-port-prof)# show running-configuration port-profile name   (Optional)

              Displays a port-profile configuration.

               
              Step 6 switch(config)# copy running-config startup-config  (Optional)

              Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

               

              This example shows how to configure Cisco TrustSec SGT as part of a port profile configuration:

              switch# configure terminal
              switch(config)# port-profile kumar
              switch(config-port-prof)# cts sgt 6766
              switch(config-port-prof)# show cts sxp sgt-map
              switch(config-port-prof)# show running-config port-profile kumar
              !Command: show running-config port-profile kumar
              !Time: Wed Sep 26 22:58:16 2012
              version 4.2(1)SV2(1.1)
              port-profile type vethernet kumar
              vmware port-group
              switchport mode access
              switchport access vlan 353
              cts sgt 6766
              no shutdown
              system vlan 353
              state enabled
              switch(config-port-prof)# 
              
              

              This example shows how to configure Cisco TrustSec SGT on a vEthernet interface:

              switch# configure terminal
              switch(config)# port-profile kumar
              switch(config-port-prof)# capability l3control
              switch(config-port-prof)# vmware port-group
              switch(config-port-prof)# switchport mode access
              switch(config-port-prof)# switchport access vlan 353
              switch(config-port-prof)# cts sgt 6766
              switch(config-port-prof)# no shutdown
              switch(config-port-prof)# system vlan 353
              switch(config-port-prof)# state enabled
              switch(config-port-prof)# show running-config interface vethernet 1
              !Command: show running-config interface Vethernet1
              !Time: Wed Sep 26 22:59:39 2012
              version 4.2(1)SV2(1.1)
              interface Vethernet1
              inherit port-profile kumar
              description VMware VMkernel, vmk1
              vmware dvport 65 dvswitch uuid "c1 0c 33 50 36 73 e3 9b-26 5f db 02 b3 79 cc b8"
              vmware vm mac 0050.5665.7F77
              cts sgt 888
              switch(config)# 
              

              Configuring Cisco TrustSec SXP Peer Connections

              You must configure the SXP peer connection on both the speaker and the listener devices. When you are using password protection, make sure to use the same password on both the devices.


              Note


              If the default SXP source IP address is not configured and you do not specify the SXP source address in the connection, the Cisco NX-OS software derives the SXP source IP address from existing local IP addresses. The SXP source address can be different for each TCP connection that is initiated from the Cisco NX-OS device.



              Note


              The Cisco Nexus 1000Vsupports SXP speaker mode only. Therefore, you must configure any SXP peer as a listener.


              Before You Begin
              • Log in to the CLI in EXEC mode.
              • You must enable the Cisco TrustSec SXP.
              • You must enable the Cisco TrustSec feature.
              • You must install the Advanced Services license.
              Procedure
                  Command or Action Purpose
                Step 1 switch# configure terminal 

                Enters global configuration mode.

                 
                Step 2 switch(config)# [no] cts sxp connection peer peer-ip-address source source-ip-address] password {[default] | [none [required] password} [mode {listener} [vrf {default | management}] 

                Configures the SXP address connection.

                • Source—Specifies the IPV4 address of the source. The default source is the IPv4 address that you configured using the cts sxp default source-ip command.
                • Password—Specifies the password that SXP should use for the connection using the following options:
                  • Default—Uses the default SXP password that you configured using the cts sxp default password command.
                  • None—Does not use a password.
                  • Required—Uses the password specified in the command.
                • Mode—Specifies the role of the remote peer device. Because the Cisco Nexus 1000V can only act as the speaker in the connection, you must configure the peer as the listener.
                • The vrf keyword specifies the Virtual Routing and Forwarding (VRF) to the peer. The default is the default VRF instance.
                 
                Step 3 switch(config)# show cts sxp connection   (Optional)

                Displays the SXP connections and their status.

                 
                Step 4 switch(config)# copy running-config startup-config  (Optional)

                Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                 

                This example shows how to configure Cisco TrustSec peer connections:

                switch# configure terminal
                switch(config)#  cts sxp connection peer 1.2.3.4 password none mode listener vrf management
                switch(config)# show cts sxp connection
                

                Configuring Static IP-SGT Bindings

                You can define a static binding between an IP host address to a security group tag (SGT). The static IP-SGT bindings are configured in a context of a VRF and are applied to the default VRF. The static IP-SGT bindings take precedence over dynamic bindings from sources such as SXP or locally authenticated hosts. A static IP-SGT bindings is exported to SXP peers if it is the only binding that is known for the given host IP address. Because the static IP-SGT bindings are configured in a context of a VRF, the static IP-SGT bindings must be configured in the same VRF in order to be exported to SXP peers.

                Before You Begin
                • Log in to the CLI in EXEC mode.
                • You must enable the Cisco TrustSec SXP.
                • You must enable the Cisco TrustSec feature.
                • You must install the Advanced Services license.
                Procedure
                    Command or Action Purpose
                  Step 1 switch# configure terminal 

                  Enters global configuration mode.

                   
                  Step 2 switch(config)# cts role-based sgt-map ip-address sgt sgt  

                  Configures the static binding between an IP host address to a security group tag (SGT).

                  • ip-address—IP address of the host.
                  • sgt—SGT corresponding to the IP address. The range is from 1 to 65519.
                   
                  Step 3 switch(config)# vrf context   (Optional)

                  Specifies the IP-SGT bindings in a VRF context. The default is the default VRF.

                   
                  Step 4 switch(config)# show cts role-based sgt-map   (Optional)

                  Displays the mapping of the IP address to SGT for Cisco TrustSec.

                   
                  Step 5 switch(config)# show cts ipsgt entries   (Optional)

                  Displays SXP SGT entries.

                   
                  Step 6 switch(config)# copy running-config startup-config  (Optional)

                  Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                   

                  This example shows how to configure static IP-SGT bindings:

                  switch# configure terminal
                  switch(config)# cts role-based sgt-map 1.1.1.1 100
                  switch(config)# vrf context management
                  switch(config-vrf)# cts role-based sgt-map 2.2.2.3 200
                  switch(config-vrf)# exit
                  switch(config)# show cts role-based sgt-map
                  IP ADDRESS SGT VRF/VLAN SGT CONFIGURATION
                  1.1.1.1 100 vrf:1 CLI Configured
                  2.2.2.3 200 vrf:2 CLI Configured
                  cinquedia(config)# show cts ipsgt entries 
                  Interface SGT IP ADDRESS VRF Learnt
                  -------------- ------ ---------------- ---------- ---------
                  - 100 1.1.1.1 default Cli Configured 
                  - 200 2.2.2.3 management Cli Configured 
                  
                  switch(config)# show cts ipsgt entries vrf management
                  Interface SGT IP ADDRESS Pushed Learnt
                  -------------- ------ ---------------- ---------- ---------
                  Vethernet1 888 10.10.101.10 Yes DHCP
                  10.78.1.78 Yes Device Tracking
                  Vethernet2 6766 10.78.1.76 Yes Device Tracking
                  - 545 99.10.10.10 Yes Cli Configured
                  
                  

                  Changing the SXP Retry Period

                  The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 60 seconds (1 minute). Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.

                  Before You Begin
                  • Log in to the CLI in EXEC mode.
                  • You must enable theCisco TrustSec SXP.
                  • You must enable the Cisco TrustSec feature.
                  • You must install the Advanced Services license.
                  Procedure
                      Command or Action Purpose
                    Step 1 switch# configure terminal 

                    Enters global configuration mode.

                     
                    Step 2 switch(config)# cts sxp retry-period seconds  

                    Specifies the SXP retry timer period. The default value is 60 seconds (1 minute). The range is from 0 to 64000.

                     
                    Step 3 switch(config)# show cts sxp   (Optional)

                    Displays the SXP configuration.

                     
                    Step 4 switch(config)# copy running-config startup-config  (Optional)

                    Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                     

                    This example shows how to configure the SXP retry period:

                    switch# configure terminal
                    switch(config)# cts sxp retry-period 60
                    switch(config)# show cts sxp
                    CTS SXP Configuration:
                    SXP enabled
                    SXP retry timeout:60
                    SXP reconcile timeout:120
                    Minimum SXP Version: 1
                    Maximum SXP Version:1
                    switch(config)# 
                    

                    Changing the Interface Delete Hold Timer

                    The interface delete hold timer period determines how long the interface holds on to the IP-SGT mapping once the interface goes to a nonparticipating state. After the timer expires, the IP-SGT mappings are deleted from the interface and the peers.

                    Before You Begin
                    • Log in to the CLI in EXEC mode.
                    • You must enable the Cisco TrustSec SXP.
                    • You must enable the Cisco TrustSec feature.
                    • You must install the Advanced Services license.
                    Procedure
                        Command or Action Purpose
                      Step 1 switch# configure terminal 

                      Enters global configuration mode.

                       
                      Step 2 switch(config)# [no] cts interface delete-hold seconds  

                      Specifies the delete hold timer period for an interface. The default value is 60 seconds (1 minute). The range is from 0 to 64000.

                      If the timer is set to 0, the IP-SGT mappings are deleted instantly.

                      The no form of this command does not start the timer when the interface goes to a nonparticipating state and the IP-SGT entries are then always held on the interface.

                       
                      Step 3 switch(config)# show cts interface delete-hold timer   (Optional)

                      Displays the interface delete hold timer period.

                       
                      Step 4 switch(config)# copy running-config startup-config  (Optional)

                      Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                       

                      This example shows how to configure the interface delete hold timer:

                      switch# configure terminal
                      switch(config)# cts interface delete-hold 60
                      switch(config)# show cts interface delete-hold timer
                      60
                      switch(config)# 
                      

                      Verifying the Cisco TrustSec Configuration

                      Use the following commands to verify the configuration:

                      Command Purpose

                      show cts

                      Displays the global Cisco TrustSec configuration on the Cisco Nexus 1000V.

                      show cts sxp

                      Displays the Cisco TrustSec SXP configuration.

                      show cts device tracking

                      Displays the Cisco TrustSec device tracking configuration.

                      show cts sxp connection

                      Displays Cisco TrustSec SXP connections.

                      show cts role-based sgt-map

                      Display the mapping of the IP address to SGT for Cisco TrustSec.

                      show cts ipsgt entries

                      Displays SXP SGT entries.

                      show cts interface delete-hold timer

                      Displays the Cisco TrustSec interface delete hold timer period.

                      show running-configuration cts

                      Displays the running configuration information for Cisco TrustSec.

                      Feature History for Cisco TrustSec

                      Feature Name

                      Feature Name

                      Releases

                      Cisco TrustSec

                      4.2(1)SV2(1.1)

                      This feature was introduced.