SEC0220 - ISE 2.0 TrustSec - SXP (Part 1)
Category:
Security
The video demonstrates the SXP capability of Cisco ISE 2.0 to relay SGTs between SXP-capable network devices. We use the WLC as the SXP speaker, with the ASA and the switch acting as listeners and enforcers. The switch has the SGACL implemented in the previous video, and the ASA will leverage the SGT in its ACL. We will also look at static SXP mapping.
Part 1 of this video covers SXP configuration on Cisco ISE.
Topic:
- SGT Exchange Protocol (SXP)
- SXP Speaker and Listener
- SGT Assignment on WLC
- Static SXP Mapping
- ACL with SGT on ASA
6 comments
CTS SXP
Lab:
I have a Cisco 2960-C user switch (SXP) trunked to a 3650 SGT core switch. Does the SXP hardware peer with ISE 2.0 or with the 3650-Core Switch?
! Enable SXP on the 2960-C access switch
cts sxp enable
! Source address used for all SXP connections unless overridden per peer
cts sxp default source-ip 10.1.1.252
! Type 7 is reversible obfuscation, not encryption; treat this string as the cleartext shared secret
cts sxp default password 7 00074215070B5A545C
! Note: "mode peer speaker" declares the 3650 (10.1.1.254) as the speaker, making this 2960 the listener;
! to send IP-to-SGT mappings from the 2960 towards the 3650, the local role has to be speaker ("mode local speaker")
cts sxp connection peer 10.1.1.254 source 10.1.1.252 password default mode peer speaker hold-time 0 0
The 2960 (152-2.E4.bin) doesn't have the "cts role-based enforcement" command. How does SXP utilize the SGACL from ISE 2.0 and configured on the 3560 switch to block ICMP from the SGT metric?
CTS SXP
It could be either way: 2960 to 3650, or 2960 to ISE to 3650. SXP is only used to exchange SGT-to-IP mapping. As long as the mapping gets to the 3650 one way or the other, it should be able to enforce SGACL on incoming traffic.
CTS SXP
So an SXP device like the 2960-C or 3750-X doesn't enforce SGACL. If a user authenticates to a dot1x port on the 2960 or 3750-X, the switch exchanges the SGT-to-IP mapping with the TrustSec 3650 device, which can enforce the SGACL.
CTS SXP
Correct. Although 3750X appears to support SGACL per link below.
http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/tr...
2960-X
Based on the previous comments, what value is there in enabling the 2960-X as an SXP speaker? Can the SGT values be used within a dACL to enforce traffic restrictions such as segmenting workstation traffic on the same VLAN?
2960-X
Since the 2960X cannot support SGACL, enabling SXP only allows the IP-to-SGT mapping to be sent to another entity that does support SGACL. With ISE being able to run SXP, you also have the option to have the enforcement device get the mapping directly from ISE instead of from the 2960X access switch.
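As an added example (not part of the video or of either commenter's configuration), this is the matching listener and enforcer side on the 3650 core switch described in the thread: it learns IP-to-SGT mappings from the 2960-C access switch and from ISE acting as an SXP speaker, adds one static mapping, and turns on SGACL enforcement. The ISE address 10.1.1.10, the host 10.1.2.50, SGT 20, VLAN 10 and the shared secret are assumed values.

```cisco
! 3650 core switch: SXP listener + SGACL enforcer (assumed addresses and values)
cts sxp enable
cts sxp default source-ip 10.1.1.254
! Cleartext (type 0) shared secret; must match what the speakers use
cts sxp default password 0 SxpSharedSecret
!
! Listen to the 2960-C access switch, which speaks the mappings it learns from dot1x sessions
cts sxp connection peer 10.1.1.252 source 10.1.1.254 password default mode local listener
!
! Alternatively (or additionally) learn the same session mappings straight from ISE (assumed 10.1.1.10)
cts sxp connection peer 10.1.1.10 source 10.1.1.254 password default mode local listener
!
! Static IP-to-SGT mapping for a host that never authenticates (assumed server 10.1.2.50, SGT 20)
cts role-based sgt-map 10.1.2.50 sgt 20
!
! Enforcement is what actually applies the SGACLs downloaded from ISE; without it the
! mappings are learned but no traffic is filtered
cts role-based enforcement
cts role-based enforcement vlan-list 10
!
! Verification: connection state per peer, the learned/static mapping table, and the
! SGACL policy and hit counters that show enforcement is taking place
! show cts sxp connections
! show cts role-based sgt-map all
! show cts role-based permissions
! show cts role-based counters
```

If "show cts sxp connections" shows the peer stuck in anything other than the On state, check the password and the local/peer role on both ends before looking at the SGACL itself.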