Hi RJI,

Thanks for the reply. So the switch configuration is

SWITCH# cts sxp connection peer <ISE PSN IP> password default mode local speaker

The 2960x has to send it's SXP bindings somewhere upstream in order for enforcement to take place, eg on a Distribution layer/WAN layer switch/router, not the ISE PSN (as per your example). The 2960x switch will learn the SGT's when a device/user is authenticated and assigned a SGT, SXP is used to transport the bindings over the network in order for enforcement to take place.

HTH

Thanks for the reply RJ.

So meaning if this is my diagram

C2960 -->C4500x --->NXS9k <--- ISE PSN

C2960 is connected to 4500 - sxp connection peer is C4500

C4500 will be the enforcer - role-base enforcement

ISE is connected to Nexus 9k. Traditional nexus 9k is not supported.

Yes, the 4500x supports enforcement so you could peer all 2960x switches to it an enforce on the 4500x.

Check out the platform scalability table in this link for the number of SXP connections and number of SGT bindings the 4500x supports and whether this will be suitable for your environment.

Also make sure the 2960x/4500x are all running the recommended version in the links I provided.

Thank you so much RJ.

I already saw the link and all C2960 is supported. Cisco TrustSec Guideline is very limited that's why is really hard for me on how to start the configuration :(