I’m planning TrustSec for a new network based on C9K switches.
If I would like to use 802.1x on access ports and dynamic classification with ISE, do I need SXP session from ISE to every access switch where dynamic classification occurs?
When an end user is authorized by ISE and dynamically classified (some SGT is applied), is SXP the only option to inform this switch about the tag?
I’m asking because I’m not sure if dynamic classification on access switches needs to take into consideration ISE scaling aspect.
In small ISE deployments very few SXP sessions are supported.
You can use the inline tagging method. SXP can be used in case the device doesn't support inline tagging; SXP is used to advertise IP-to-SGT mappings.
I found information about how it works in the 3750 config guide: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/116498-configure-cts-00.html
SGT is passed to the authenticator switch in the last packet of the 802.1x authentication session so no SXP session is needed here.
I have another question: if endUser_A is 802.1x authenticated on a non-Cisco (non-TrustSec) switch, and an SXP session is established from ISE to a Cisco TrustSec-capable switch,
- will the Cisco switch be informed about the IP-SGT binding through SXP?
- will the Cisco switch propagate the learned SGT inline to other Cisco TrustSec switches in the domain?
If the end user connects to the non-Cisco switch, I am not sure whether all 3rd-party devices understand TrustSec. If the 3rd-party switch doesn't understand TrustSec, ISE won't have the IP-to-SGT info of that endUser_A.
- If SXP is built between ISE and any enforcement device, it will share the IP-to-SGT mapping (both static and dynamic mappings).
- Once the PAC is provisioned, the other switch in the domain will get all the environment data.
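To make the two propagation paths discussed in this thread concrete, here is an added IOS-XE configuration sketch for a Catalyst switch. It is not from the thread or from Cisco's guides; the interface name, the SGT value 2, the IP addresses 10.0.0.2 (switch) and 10.0.0.10 (ISE), and the SXP password are all assumed placeholders. Option 1 carries the SGT inline on a TrustSec-capable link, so the switch needs no SXP session for that path; option 2 is the SXP listener session toward ISE that only matters when a neighbour cannot carry inline tags, which is where the SXP session limits of a small ISE deployment come into play. The show commands at the end are the checks that confirm which path is actually working.

```cisco
! --- Option 1: inline tagging towards another TrustSec-capable switch ---
! The SGT assigned at the access port travels in the CMD header on this link,
! so no SXP session to ISE is needed for this path.
interface TenGigabitEthernet1/1/1
 description Uplink to distribution switch (assumed name)
 cts manual
  policy static sgt 2 trusted
  ! "trusted" keeps the SGT carried in inbound frames instead of overwriting it
  ! "propagate sgt" is on by default under cts manual

! --- Option 2: SXP for a neighbour that cannot carry inline tags ---
! ISE is the SXP speaker; this switch listens and learns IP-to-SGT bindings.
! Each such session counts against the ISE deployment's SXP session limit.
cts sxp enable
cts sxp default source-ip 10.0.0.2
cts sxp default password 0 EXAMPLE-SXP-KEY
cts sxp connection peer 10.0.0.10 password default mode local listener

! Enforce the SGACLs downloaded from ISE on this switch
cts role-based enforcement

! --- Verification ---
show cts sxp connections brief      ! listener session to ISE is "On"
show cts role-based sgt-map all     ! IP-to-SGT bindings: local (802.1x) and SXP-learned
show cts environment-data           ! environment data received after PAC provisioning
show cts pacs                       ! PAC present and not expired
```

In practice the binding source column of `show cts role-based sgt-map all` is the quickest way to tell whether a tag was learned locally from the 802.1x authorization, over SXP, or from the inline header; if a binding you expect from ISE is missing, check the SXP connection state first and the PAC and environment data second.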