CTS

Cisco TrustSec (CTS) is a comprehensive security architecture that provides identity-based access control and encrypted communication across the network infrastructure. It uses Security Group Tags (SGTs) to classify and label traffic based on user identity, device type, or security posture, enabling consistent security policy enforcement regardless of network topology or IP addressing. TrustSec integrates authentication, authorization, encryption, and policy enforcement to create a secure network fabric that can adapt to changing security requirements and threat landscapes.

Diagram

Classes

configuration (iosxe.devices)

Name	Type	Constraint	Mandatory	Default Value
cts	Class	`[cts]`	No

cts (iosxe.devices.configuration)

Name	Type	Constraint	Mandatory
authorization_list	String		No
role_based_enforcement_logging_interval	Integer	min: `5`, max: `86400`	No
role_based_enforcement_vlans	List	Integer[min: `1`, max: `4094`]	No
role_based_permissions_default_acl_name	List	String	No
sgt	Integer	min: `2`, max: `65519`	No
sxp_connection_peers_ipv4	List	`[sxp_connection_peers_ipv4]`	No
sxp_default_password	String		No
sxp_default_password_type	Choice	`0`, `6`, `7`	No
sxp	Boolean	`true`, `false`	No
sxp_listener_hold_max_time	Integer	min: `1`, max: `65534`	No
sxp_listener_hold_min_time	Integer	min: `1`, max: `65534`	No
sxp_retry_period	Integer	min: `0`, max: `64000`	No
sxp_speaker_hold_time	Integer	min: `1`, max: `65534`	No

sxp_connection_peers_ipv4 (iosxe.devices.configuration.cts)

Name	Type	Constraint	Mandatory
ip	IP		Yes
vrf	String		No
connection_mode	Choice	`local`, `peer`	No
hold_time	Integer	min: `0`, max: `65535`	No
max_time	Integer	min: `0`, max: `65535`	No
option	Choice	`both`, `listener`, `speaker`	No
password	Choice	`default`, `key-chain`, `none`	No
source_ip	IP		No

Examples

iosxe:
  devices:
    - name: Device1
      configuration:
        cts:
          authorization_list: TRUSTSEC-AUTHZ-LIST