- New and Changed Information
- Preface
- Overview
- Tools
- Installation
- Licenses
- Upgrade
- High Availability
- VSM and VEM Modules
- L3Sec
- Ports
- Port Profiles
- Port Channels and Trunking
- Layer 2 Switching
- VLANs
- Private VLANs
- NetFlow
- ACLs
- Quality of Service
- SPAN
- Multicast IGMP
- DHCP, DAI, and IPSG
- Storm Control
- System
- Before Contacting Technical Support
- Network Segmentation Manager
- VXLANs
- VDP
- Cisco TrustSec
- vCenter Plug-in
- Ethanalyzer
- 802.1X
Cisco TrustSec
This chapter describes how to identify and resolve problems that might occur when configuring Cisco TrustSec and includes the following sections:
Information About Cisco TrustSec
The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices. Each device in the cloud is authenticated by its neighbors. Communication on the links between devices in the cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms.
Cisco TrustSec also uses the device and user identification information acquired during authentication for classifying, or coloring, the packets as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
See the Cisco Nexus 1000V Security Configuration Guide for more information on the Cisco TrustSec feature on Cisco Nexus 1000V.
Cisco TrustSec Troubleshooting Commands
This section contains the following topics:
Debugging Commands
Host Logging Commands
You can use the commands in this section to troubleshoot commands related to host logging.
|
|
---|---|
Enables DPA debug logging. Logs are output to the /var/log/vemdpa.log file. |
|
Enables TrustSec SXP agent debug logging. Logs are output to the /var/log/vemdpa.log file. |
|
Enables the data path debug logging and captures logs for the data packets sent between the client and the server. |
|
Enables the data path debug logging and captures logs for DHCP snooping configuration coming from the VSM. To view the logs, enable DHCP snooping on the Cisco Nexus 1000V. |
|
Enables the data path debug logging and captures logs corresponding to the binding database changes. To view the logs, enable DHCP snooping on the Cisco Nexus 1000V. |
|
Enables the data path debug logging and captures logs corresponding to the IP database that maintains the IP addresses for all the virtual machines that are being tracked using Cisco TrustSec device tracking. To view the logs, enable Cisco TrustSec device tracking on the Cisco Nexus 1000V. |
|
Displays the Cisco TrustSec configuration on the Cisco Nexus 1000V. See Example 27-1 on page 27-3 |
|
Displays if Cisco TrustSec is enabled on the Cisco Nexus 1000V. See Example 27-2 on page 27-3 |
|
Displays the Cisco TrustSec configuration on the Cisco Nexus 1000V. See Example 27-3 on page 27-3 |
Example
Example 27-1 vemcmd show learnt ip Command
Example 27-2 vemcmd show cts global Command
Example 27-3 vemcmd show cts ipsgt Command
show Commands
See the Cisco Nexus 1000V Command Reference for more information on the show commands for Cisco TrustSec.
Problems with Cisco TrustSec
This section includes symptoms, possible causes and solutions for the following problems with Cisco TrustSec.