CTS
Cisco TrustSec (CTS) is a comprehensive security architecture that provides identity-based access control and encrypted communication across the network infrastructure. It uses Security Group Tags (SGTs) to classify and label traffic based on user identity, device type, or security posture, enabling consistent security policy enforcement regardless of network topology or IP addressing. TrustSec integrates authentication, authorization, encryption, and policy enforcement to create a secure network fabric that can adapt to changing security requirements and threat landscapes.
Diagram
Classes
configuration (iosxe.devices)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| cts | Class | [cts] | No | |
cts (iosxe.devices.configuration)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| authorization_list | String | | No | |
| role_based_enforcement_logging_interval | Integer | min: 5, max: 86400 | No | |
| role_based_enforcement_vlans | Class | [role_based_enforcement_vlans] | No | |
| role_based_permissions_default_acl_name | List | String | No | |
| sgt | Integer | min: 2, max: 65519 | No | |
| sxp_connection_peers_ipv4 | List | [sxp_connection_peers_ipv4] | No | |
| sxp_default_password | String | | No | |
| sxp_default_password_type | Choice | 0, 6, 7 | No | |
| sxp | Boolean | true, false | No | |
| sxp_listener_hold_max_time | Integer | min: 1, max: 65534 | No | |
| sxp_listener_hold_min_time | Integer | min: 1, max: 65534 | No | |
| sxp_retry_period | Integer | min: 0, max: 64000 | No | |
| sxp_speaker_hold_time | Integer | min: 1, max: 65534 | No | |
role_based_enforcement_vlans (iosxe.devices.configuration.cts)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ids | List | Integer[min: 1, max: 4094] | No | |
| ranges | List | [ranges] | No | |
sxp_connection_peers_ipv4 (iosxe.devices.configuration.cts)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip | IP | | Yes | |
| vrf | String | | No | |
| connection_mode | Choice | local, peer | No | |
| hold_time | Integer | min: 0, max: 65535 | No | |
| max_time | Integer | min: 0, max: 65535 | No | |
| option | Choice | both, listener, speaker | No | |
| password | Choice | default, key-chain, none | No | |
| source_ip | IP | | No | |
ranges (iosxe.devices.configuration.cts.role_based_enforcement_vlans)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 1, max: 4094 | Yes | |
| to | Integer | min: 1, max: 4094 | Yes | |
Examples

```yaml
iosxe:
  devices:
    - name: Device1
      configuration:
        cts:
          authorization_list: TRUSTSEC-AUTHZ-LIST
          role_based_enforcement_vlans:
            ids: [10, 20, 30]
            ranges:
              - from: 100
                to: 200
              - from: 300
                to: 400
          sgt: 100
          sxp: true
          sxp_default_password: mypassword
          sxp_connection_peers_ipv4:
            - ip: 192.168.1.10
              connection_mode: speaker
```
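As an added example (not code from this page or from the project it documents), a pre-commit style lint pass that applies the constraints from the tables above to one device's `cts` block: the integer ranges, the choice values, the mandatory fields of `ranges` and `sxp_connection_peers_ipv4`, and the `from`/`to` ordering those ranges imply. `lint_cts`, `_int_in` and `PAGE_EXAMPLE` are names of this example; `PAGE_EXAMPLE` is the page's YAML example transcribed to a dict, and the default applied to an absent `sxp_default_password_type` is an assumption of the example.

```python
import ipaddress
# Constraints transcribed from the cts, role_based_enforcement_vlans, ranges and
# sxp_connection_peers_ipv4 tables; PAGE_EXAMPLE mirrors the page's YAML example.
CTS_INT = {"role_based_enforcement_logging_interval": (5, 86400), "sgt": (2, 65519),
           "sxp_listener_hold_max_time": (1, 65534), "sxp_listener_hold_min_time": (1, 65534),
           "sxp_retry_period": (0, 64000), "sxp_speaker_hold_time": (1, 65534)}
PEER_CHOICE = {"connection_mode": {"local", "peer"}, "option": {"both", "listener", "speaker"},
               "password": {"default", "key-chain", "none"}}
PAGE_EXAMPLE = {"authorization_list": "TRUSTSEC-AUTHZ-LIST", "sgt": 100, "sxp": True,
                "sxp_default_password": "mypassword", "role_based_enforcement_vlans": {
                    "ids": [10, 20, 30], "ranges": [{"from": 100, "to": 200}, {"from": 300, "to": 400}]},
                "sxp_connection_peers_ipv4": [{"ip": "192.168.1.10", "connection_mode": "speaker"}]}

def _int_in(findings, path, value, lo, hi):
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:  # bool is an int
        findings.append(f"{path}: {value!r} is not an integer in [{lo}, {hi}]")

def lint_cts(cts):
    """Return the constraint violations found in one device's cts block ([] means clean)."""
    findings = []
    for field, (lo, hi) in CTS_INT.items():
        if field in cts:
            _int_in(findings, f"cts.{field}", cts[field], lo, hi)
    if cts.get("sxp_default_password_type", 6) not in (0, 6, 7):  # assumed default when absent: 6
        findings.append("cts.sxp_default_password_type: must be one of 0, 6, 7")
    vlans = cts.get("role_based_enforcement_vlans", {})
    for i, vid in enumerate(vlans.get("ids", [])):
        _int_in(findings, f"cts.role_based_enforcement_vlans.ids[{i}]", vid, 1, 4094)
    for i, rng in enumerate(vlans.get("ranges", [])):
        path = f"cts.role_based_enforcement_vlans.ranges[{i}]"
        for key in ("from", "to"):  # both mandatory per the ranges table
            if key in rng:
                _int_in(findings, f"{path}.{key}", rng[key], 1, 4094)
            else:
                findings.append(f"{path}.{key}: mandatory field missing")
        if rng.get("from", 0) > rng.get("to", 4094):
            findings.append(f"{path}: 'from' exceeds 'to'")
    for i, peer in enumerate(cts.get("sxp_connection_peers_ipv4", [])):
        path = f"cts.sxp_connection_peers_ipv4[{i}]"
        if "ip" not in peer:
            findings.append(f"{path}.ip: mandatory field missing")
        for key in ("ip", "source_ip"):  # IP type in the table; this list is IPv4-only
            try:
                ipaddress.IPv4Address(str(peer.get(key, "0.0.0.0")))  # absent keys skip the check
            except ipaddress.AddressValueError:
                findings.append(f"{path}.{key}: {peer[key]!r} is not an IPv4 address")
        for field, allowed in PEER_CHOICE.items():
            if field in peer and peer[field] not in allowed:
                findings.append(f"{path}.{field}: {peer[field]!r} not in {sorted(allowed)}")
    return findings
```

Run over the page's own example, the lint reports `connection_mode: speaker`, because the `sxp_connection_peers_ipv4` table lists `speaker` under `option` and allows only `local` or `peer` for `connection_mode`.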