TrustSec Troubleshooting on Edge Node Switch in SDA environment

TrustSec Troubleshooting on Edge Node Switch in SDA environment

Before we start with the basics commands used to troubleshoot the TrustSec on the Edge node switch in the SDA environment, let see what this TrustSec is all about.

Cisco TrustSec developed to simplify provisioning and managing of secure access to network services in a campus environment. The policies in TrustSec are group-based that make security policies consistent throughout the network. 

Fig 1.1- Cisco TrustSec

It simplifies the complex task of maintaining security policies. With TrustSec, wired and wireless policies are common as they are not dependent on network topologies and are defined using groups.

Cisco TrustSec does not simply combine standards-based identity and enforcement models such as IEEE 802.1X and VLAN control, it also includes many advanced features such as flexible authentication, Downloadable Access Control Lists (dACLs), Security Group Tagging (SGT), device profiling, posture assessments, and many others.

A policy group tag (SGT) is assigned to an endpoint based on rich attributes such as user, device type, device posture status, location, etc. Scalable Group Tag (SGT) is a 16-bit tag assigned by the Cisco ISE to the endpoint using dynamic and static methods. 

Dynamic classification is used in the access layer by using dynamic authentication methods like 802.1x, MAB, or WebAuth. Static classification is used on the Data Center switches where servers are connected.

For more in details, Please check the article below

Cisco TrustSec - Simplified Network Access Control Policies

We will discuss on the commands used to troubleshoot the TrustSec in Cisco SDA environment.

Command No1

NDNA-Switch1# show cts environment-data

CTS Environment Data
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 216-22:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-000B, 2 server(s):
 *Server:, port 1812, A-ID 3X0P672A296F212FUEC21S27E4A2579N
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server:, port 1812, A-ID 3X08674A806S217FUEC21C24E4A3549N
          Status = DEAD
Security Group Name Table:

The above command displays TrustSec environment data, useful for identifying scalable groups pushed to edge node.

Command No2

NDNA-Switch1# show cts role-based sgt-map vrf NDNA-PROD all

%IPv6 protocol is not enabled in VRF NDNA-PROD
Active IPv4-SGT Bindings Information
IP Address              SGT     Source
============================================               216     INTERNAL               216     INTERNAL               216     INTERNAL

IP-SGT Active Bindings Summary
Total number of INTERNAL bindings = 3
Total number of active   bindings = 3

The above command shows IP to SGT mapping in the edge node. An edge node will have mappings for endpoints connected directly or through an AP or extended node.

Command No3

NDNA-Switch1# show cts role-based counters

It provides information on the exit edge node about SGACL being applied. 

Command No4

NDNA-Switch1#show cts role-based permissions

It shows SGACL configured in ISE and pushed to the edge device. 

These are generally the 4 commands used for the troubleshooting TrustSec on Edge node switch. We will come up with another component in SDA environment so that if you are going to troubleshoot you may know about it.