How to enable SXP via DNA? (For switches)

Steve Allen
Level 1

I'm currently in the process of lab testing our DNAC / SDA deployment and I'm at the stage where I am testing policy enforcement via SGTs.

As part of our migration to SDA we will be using manual SGT mappings via ISE for some servers hosted in non-SDA sites (such as a data center).

Within ISE I have created a manual SGT mapping for 1 test server. However, this mapping is not appearing on my SDA 'FIAB' switch and my test client laptop can still ping the test server even though I applied an SGT policy to block it.

From Googling it sounds like there is some SXP configuration missing on the switch so my question is, do I need to manually configure SXP or does DNAC take care of this for me? Any pointers or relevant documentation would be appreciated.

Thanks

1 Reply

Benjamin-A
Level 1

Hi,

If you want to use DNA Center to deploy SXP configuration, then you will need to use the Template Editor and Network Profiles. As far as I know SXP is not automated.

Here is a guide on how to configure SXP on a Catalyst.

https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sxp_config.html

I used something like this:

!--- SXP Peering with Cisco ISE ---!
cts sxp enable
cts sxp default password <password>
cts sxp connection peer <ise-psn-ip> [ source src-ipv4-addr ] password [ default | none ] mode local listener [ vrf vrf-name ]

You can verify the connection with: show cts sxp connections


.:|:..:|:.Please rate helpful posts.:|:..:|:.
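
An added example, not part of the original posts: a small Python check that reads saved "show cts sxp connections" output and reports whether each expected ISE peer is up, in listener mode and password-protected. The sample output is constructed and only modelled on the command's usual "key : value" layout (field names are an assumption and may differ by release); the function names and the 192.0.2.x addresses are hypothetical.

```python
import re

# Constructed sample (not captured from a device), modelled on the usual
# layout of "show cts sxp connections"; field names are an assumption.
SAMPLE = """\
 SXP              : Enabled
----------------------------------------------
Peer IP          : 192.0.2.10
Conn status      : On
Local mode       : SXP Listener
TCP conn password: default SXP password
----------------------------------------------
Peer IP          : 192.0.2.11
Conn status      : Off
Local mode       : SXP Listener
TCP conn password: none
Total num of SXP Connections = 2
"""

def parse_sxp(text):
    """Return (global settings dict, list of per-peer dicts)."""
    def kv(block):
        # Split each "key : value" line on the first colon only.
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        return {k.strip(): v.strip() for k, v in pairs}
    blocks = re.split(r"^-{5,}[ \t]*$", text, flags=re.M)
    return kv(blocks[0]), [kv(b) for b in blocks[1:] if "Peer IP" in b]

def audit(text, expected_peers):
    """Return a list of findings; an empty list means every peer is healthy."""
    settings, conns = parse_sxp(text)
    findings = []
    if settings.get("SXP") != "Enabled":
        findings.append("SXP is not enabled globally")
    seen = {c.get("Peer IP"): c for c in conns}
    for peer in expected_peers:
        c = seen.get(peer)
        if c is None:
            findings.append(f"{peer}: no SXP connection configured")
            continue
        if c.get("Conn status") != "On":
            findings.append(f"{peer}: connection is {c.get('Conn status')}")
        if "Listener" not in c.get("Local mode", ""):
            findings.append(f"{peer}: switch is not the listener, mappings will not be learned")
        if c.get("TCP conn password", "none").lower() == "none":
            findings.append(f"{peer}: no password, peering is unauthenticated")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["192.0.2.10", "192.0.2.11", "192.0.2.12"])))
```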