RS0033 - Nexus 1000V Cisco TrustSec with ASA 9.1
Category:
Routing & Switching
The video looks into the Cisco TrustSec feature on the Cisco Nexus 1000V. We will configure port-profiles to assign SGTs to hosts, and have the SGT-to-IP mappings sent to an ASA firewall over an SXP connection for policy enforcement. We will see how to construct an ACL on the ASA that permits or denies traffic based on SGT value using an object-group-security.
Notes:
- As of version 4.2.1.SV2, Nexus 1000V
  - cannot enforce access policy with SGT (SGACL)
  - cannot insert SGT into packet
  - does not support dynamic SGT assignment from a policy server (e.g. ISE)
- Advanced license is required for the Cisco TrustSec feature
Topics include:
- Cisco TrustSec on Nexus 1000V
- Security Group ACL (SGACL)
- Security Group Tag (SGT)
- SGT-to-Name Mapping
- Cisco TrustSec support on ASA 9.1
- SXP Config on a Switch and ASA
- Security Object Group