SEC0063 - ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec (Part 2)

The video demonstrates Cisco TrustSec support on Cisco ASA 9.1 with Cisco ISE. This lab is based on a 3750 switch that is not TrustSec hardware-capable but can still communicate its IP-to-SGT mappings to the ASA via SGT Exchange Protocol (SXP). We will construct an ACL based on SGT using the new security object group. Cisco ISE will mainly be used to provide user authentication, SGT assignment, and the SGT-to-Name mapping to the ASA, although we will also go over the remaining web interfaces for Security Group Access (SGA) and what you would need to configure to support a complete TrustSec implementation.

In part 2, we will configure SXP communication between the switch and the ASA, and integrate the ASA with Cisco ISE to download the SGT-to-Name mapping table. We will then construct an ACL on the ASA and perform testing.

Topic:

  • Security Group Access (SGA)
  • Security Group ACL (SGACL)
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)
  • SGT-to-Name Mapping
  • Cisco TrustSec support on ASA 9.1
  • SXP Config on a Switch and ASA
  • Security Object Group

Notes:

  • SXP runs over TCP port 64999, so it works across multiple hops (the SXP peers do not need to be directly connected)
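The configuration below is an added illustration of the build-out described above (switch-to-ASA SXP, ASA integration with ISE for the SGT-to-Name table, and an SGT-based ACL through a security object group); it is not the lab document's own config. IP addresses, names, SGT numbers, and the ACL content are assumed, and all passwords are placeholders.

```cisco
! Added example (not from the lab): SXP from a 3750 to an ASA 9.1, ISE
! integration on the ASA, and an SGT-based ACL via security object groups.
! Assumed values: switch 10.1.1.2, ASA inside 10.1.1.1, ISE 10.1.1.10,
! SGT "Engineering" (learned by name from ISE) and SGT 20 for contractors.

! ---- 3750 (IOS): SXP speaker; not TrustSec hardware-capable, so SXP only ----
cts sxp enable
cts sxp default source-ip 10.1.1.2
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.1.1.1 password default mode local speaker
! IP-to-SGT bindings come from the SGT ISE returns in the 802.1X/MAB
! authorization plus IP device tracking on the access ports; the switch
! then advertises them to the ASA over SXP (TCP 64999).

! ---- ASA 9.1: SXP listener, plus ISE as the TrustSec AAA server ----
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.10
 key RADIUS-KEY-PLACEHOLDER
cts server-group ISE
! PAC generated for this ASA on its ISE network device entry, then imported;
! the ASA uses it to fetch environment data (the SGT-to-Name table) from ISE.
cts import-pac disk0:/asa.pac password PAC-PASSWORD-PLACEHOLDER
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password SXP-PASSWORD-PLACEHOLDER
cts sxp connection peer 10.1.1.2 password default mode local listener

! Security object groups can reference an SGT by name (resolved through the
! table downloaded from ISE) or by tag number.
object-group security SG-ENGINEERING
 security-group name Engineering
object-group security SG-CONTRACTORS
 security-group tag 20

! SGT-aware ACL: the security-group argument sits before the source address.
access-list INSIDE_IN extended permit tcp object-group-security SG-ENGINEERING any any eq 22
access-list INSIDE_IN extended deny tcp object-group-security SG-CONTRACTORS any any eq 22
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! ---- Verification on the ASA ----
show cts environment-data sg-table
show cts sxp connections
show cts sxp sgt-map
```

If `show cts sxp sgt-map` is empty, check the SXP connection state first; if the connection is up but the ACL still does not match, confirm the SGT name in the object group matches the name in the ISE-supplied table exactly.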

Reference:

Cisco TrustSec

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

4 comments

Hello Metha,
How would TrustSec fit into a network with no ASA? I only have Palo as my FW. Would I still be able to implement Cisco TrustSec even without an ASA? I currently have ISE in my network doing the guest and BYOD wireless auth.

Thanks!

TrustSec is specific to Cisco products, and to our knowledge, no other vendor integrates with it, certainly not Palo.

Thanks Metha! Just to share some info from the ISE community as well: they say it can partially be done without a Cisco ASA; a switch can be incorporated, though.

https://community.cisco.com/t5/policy-and-access/need-trustsec-guidance/...

Correct. The switch is an integral part of Cisco TrustSec, and we have videos on those. Thank you for sharing.
