Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1992
Views
5
Helpful
1
Replies

How to enable SXP via DNA? (For switches)

Steve Allen
Level 1
Level 1

‎07-06-2021 03:27 AM

I'm currently in the process of lab testing our DNAC / SDA deployment and I'm at the stage where I am testing policy enforcement via SGTs.

 

As part of our migration to SDA we will be using manual SGT mappings via ISE for some servers hosted in non-SDA sites (such as a data center). 

 

Within ISE I have created a manual SGT mapping for 1 test server. However, this mapping is not appearing on my SDA 'FIAB' switch and my test client laptop can still ping the test server even though I applied and SGT policy to block it.

 

From Googling it sounds like there is some SXP configuration missing on the switch so my question is, do I need to manually configure SXP or does DNAC take take of this for me? Any pointers or relevant documentation would be appreciated.

 

Thanks

Labels:
1 Reply 1

Benjamin-A
Level 1
Level 1

‎07-06-2021 04:23 AM

Hi,

 

If you want to use DNA Center to deploy SXP Configuration, then you will need to use the Template Editor and Network Profiles. As far as I know SXP is not automated.

 

Here is a Guide on how to configure SXP on a Catalyst.

https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sxp_config.html

 

I used something like this:

!--- SXP Peering with Cisco ISE ---!
cts sxp enable
cts sxp default password <password>
cts sxp connection peer <ise-psn-ip> [ source src-ipv4-addr ] password [ default | none ] mode local listener [ vrf vrf-name ]

You can verify the connection with: show cts sxp connections

 


.:|:..:|:.Please rate helpful posts.:|:..:|:.
0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card