This chapter describes how to identify and resolve problems that might occur when configuring Cisco TrustSec and includes the following sections:
The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices. Each device in the cloud is authenticated by its neighbors. Communication on the links between devices in the cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms.
Cisco TrustSec also uses the device and user identification information acquired during authentication for classifying, or coloring, the packets as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.
See the Cisco Nexus 1000 Virtual Edge for VMware vSphere Security Configuration Guide for more information on the Cisco TrustSec feature on Cisco Nexus 1000VE.
This section contains the following topics:
You can use the commands in this section to troubleshoot problems related to VSE logging. Logging commands must be executed by logging in to the VSE directly.
| Command | Purpose |
|---|---|
|  | Enables DPA debug logging. Logs are written to the /var/log/vemdpa.log file. |
|  | Enables TrustSec SXP agent debug logging. Logs are written to the /var/log/vemdpa.log file. |
|  | Enables data path debug logging and captures logs for the data packets exchanged between the client and the server. |
|  | Enables data path debug logging and captures logs for the IP database that holds the IP addresses of all virtual machines tracked by Cisco TrustSec device tracking. To view these logs, enable Cisco TrustSec device tracking on the Cisco Nexus 1000VE. |
| vemcmd show learnt ip | Displays the Cisco TrustSec configuration on the Cisco Nexus 1000VE. See Example 16-1. |
| vemcmd show cts global | Displays whether Cisco TrustSec is enabled on the Cisco Nexus 1000VE. See Example 16-2. |
| vemcmd show cts ipsgt | Displays the Cisco TrustSec configuration specific to IP-to-SGT mapping on the Cisco Nexus 1000VE. See Example 16-3. |
| vemcmd show cts subnet-sgt-map ip | Displays the Cisco TrustSec configuration specific to Subnet-to-SGT mapping on the Cisco Nexus 1000VE. See Example 16-4. |
| vemcmd show cts access-list | Displays the Cisco TrustSec role-based access-list names and the counters for the ACEs matched in each access-list (Permit/Deny/No-Match). See Example 16-5. |
| vemcmd show cts policy | Displays the Cisco TrustSec role-based policies, that is, the source SGT to destination SGT mappings with their RBACL. See Example 16-6. |
vemcmd can be run either by logging in to the VSE directly or from the VSM with the command module vse vse-module-number execute vemcmd command, where command is the complete vemcmd command to run.
Example 16-1 vemcmd show learnt ip Command
Example 16-2 vemcmd show cts global Command
Example 16-3 vemcmd show cts ipsgt Command
Example 16-4 vemcmd show cts subnet-sgt-map ip
Example 16-5 vemcmd show cts access-list
Example 16-6 vemcmd show cts policy
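The data that these show commands expose (IP-to-SGT and subnet-to-SGT mappings, the source SGT to destination SGT policy matrix, and the per-RBACL Permit/Deny/No-Match counters) fits together in a small model of how a packet is classified and then enforced. The following Python is an added example, not code from the Cisco documentation or from the Nexus 1000VE; every address, SGT number and RBACL name in it is constructed, and it assumes, as a modelling choice, that an exact host mapping overrides a subnet mapping (longest prefix wins) and that an SGT pair with no policy entry is permitted without being counted.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample tables. The addresses, SGT numbers and RBACL names are
# invented for this illustration; they are not values from a Cisco deployment.

# Host mappings, the kind of data a "vemcmd show cts ipsgt" view lists.
IP_SGT: Dict[str, int] = {
    "10.1.1.10": 10,   # a specific web server
    "10.1.2.20": 20,   # a specific database server
}

# Subnet mappings, the kind of data a "vemcmd show cts subnet-sgt-map ip" view lists.
SUBNET_SGT: Dict[str, int] = {
    "10.1.1.0/24": 11,  # web tier
    "10.1.2.0/24": 21,  # data tier
    "10.0.0.0/8": 2,    # everything else on the corporate range
}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" for any protocol
    dport: Optional[int]   # None matches any destination port


@dataclass
class Rbacl:
    name: str
    aces: List[Ace]
    # Per-RBACL counters like the Permit/Deny/No-Match columns of "show cts access-list".
    counters: Dict[str, int] = field(
        default_factory=lambda: {"permit": 0, "deny": 0, "no-match": 0})


RBACLS: Dict[str, Rbacl] = {
    "web-to-db": Rbacl("web-to-db", [Ace("permit", "tcp", 3306), Ace("deny", "ip", None)]),
    "deny-all": Rbacl("deny-all", [Ace("deny", "ip", None)]),
    "icmp-only": Rbacl("icmp-only", [Ace("permit", "icmp", None)]),  # no catch-all ACE
}

# Policy matrix: (source SGT, destination SGT) -> RBACL name, as "show cts policy" lists it.
POLICY: Dict[Tuple[int, int], str] = {
    (10, 20): "web-to-db",
    (11, 21): "deny-all",
    (2, 21): "icmp-only",
}


def classify(ip: str) -> Optional[int]:
    """Return the SGT for an address: an exact host mapping wins, otherwise the
    longest-prefix subnet mapping; None means the address is untagged."""
    if ip in IP_SGT:
        return IP_SGT[ip]
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
    for cidr, sgt in SUBNET_SGT.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else None


def enforce(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Classify both endpoints, select the RBACL for the (src, dst) SGT pair and
    evaluate its ACEs in order. Returns "permit", "deny" or "no-match".
    Model assumption: a pair with no policy entry is permitted without counting."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    if src_sgt is None or dst_sgt is None or (src_sgt, dst_sgt) not in POLICY:
        return "permit"
    rbacl = RBACLS[POLICY[(src_sgt, dst_sgt)]]
    for ace in rbacl.aces:
        if ace.proto in ("ip", proto) and (ace.dport is None or ace.dport == dport):
            rbacl.counters[ace.action] += 1
            return ace.action
    # Fell through every ACE: recorded in the No-Match counter.
    rbacl.counters["no-match"] += 1
    return "no-match"


if __name__ == "__main__":
    print(enforce("10.1.1.10", "10.1.2.20", "tcp", 3306))  # host SGTs 10 -> 20, web-to-db
    print(enforce("10.1.1.99", "10.1.2.99", "tcp", 3306))  # subnet SGTs 11 -> 21, deny-all
    print(enforce("10.9.9.9", "10.1.2.99", "tcp", 80))     # SGTs 2 -> 21, icmp-only
    for r in RBACLS.values():
        print(r.name, r.counters)
```

When reading the real counters, the useful diagnostic is the same one the model makes visible: a rising No-Match count means packets reached the RBACL but matched none of its ACEs, while a rising Deny count on a pair you expected to permit usually points at a host classified by a broader subnet mapping than intended.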
See the Cisco Nexus 1000VE Command Reference for more information on the show commands for Cisco TrustSec.
This section includes symptoms, possible causes and solutions for the following problems with Cisco TrustSec.