View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0220 - ISE 2.0 TrustSec - SXP (Part 1)

Average: 5 (2 votes)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0220 - Video Download $14.00
Purchase SEC0220 - Video Download $14.00
The video demonstrates SXP capability on Cisco ISE 2.0 to relay SGT between SXP-capable network devices. We will use WLC as SXP speaker, while ASA and switch as listeners and enforcers. The switch has SGACL implemented from the previous video and the ASA will leverage SGT in its ACL. We will also look at Static SXP Mapping.
Part 1 of this video covers SXP configuration on Cisco ISE
  • SGT Exchange Protocol (SXP)
  • SXP Speaker and Listener
  • SGT Assignment on WLC
  • Static SXP Mapping
  • ACL with SGT on ASA

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


I have a Cisco 2960-C user switch (SXP) trunked to a 3650 SGT core switch. Does the SXP hardware peer with ISE 2.0 or with the 3650-Core Switch?
cts sxp enable
cts sxp default source-ip
cts sxp default password 7 00074215070B5A545C
cts sxp connection peer source password default mode peer speaker hold-time 0 0

The 2960 (152-2.E4.bin) doesn't have "cts role-based enforcement" command. How does sxp utilize the SGACL from ISE 2.0 and configured on the 3560 switch to block icmp from the SGT metric.

It could be either way; 2960 to 3650 or 2960 to ISE to 3650. SXP is only used to exchange SGT-to-IP mapping. As long as the mapping gets to 3650 on way or ther other, it should be able to enforce SGACL to incoming traffic.

So SXP device like 2960-C or 3750-X doesn't enforce SGACL. If a user authenticates to a dot1x port on the 2960 or 3750-X. The switch exchanges SGT-to-IP mapping to the TrustSec 3650 device which can enforce the SGACL.

Correct. Although 3750X appears to support SGACL per link below.

Based on the previous comments, what value is there in enabling the 2960-X as an SXP speaker? Can the SGT values be used within an dACL to enforce traffic restrictions such as segmenting workstation traffic on the same VLAN?

Since 2960x cannot support SGACL, enabling SXP only allows IP-to-SGT mapping to be sent to another entity that do support SGACL. With ISE being able to run SXP, you also have an option to just have enforcement device get th mapping directly from ISE instead from 2960X access switch.