
Default Route SGT

Hi all,

I recall sharing a post several months ago regarding the "Default Route SGT" operation in Cisco ISE, as shown below:

https://community.cisco.com/t5/network-access-control/default-route-sgt/td-p/5022705

Recently, I decided to dedicate some time to revisiting TrustSec operations. To do this, I set up a lab environment using Cisco ISE 3.3 Patch 5 and a C8000v router running version 17.15.1a. I configured SXP between the devices, and they are communicating normally via SXP as expected:

rezaalikhani_1-1749455511501.png

rezaalikhani_2-1749455622994.png

Then, I created a new SGT on ISE with the following parameters:

rezaalikhani_0-1749455412453.png

The final step was to create the default route SGT on the router with the following configuration parameters:

rezaalikhani_4-1749457176663.png

rezaalikhani_5-1749457280967.png

As you can see above, the Listener part of the SXP connection from the current neighborship to ISE goes down.

From the ISE perspective:

rezaalikhani_6-1749457409874.png

Now my question is: why does creating the default route SGT drop the SXP connection (at least from the Listening perspective)?

Thanks

1 Reply 1

As I was unable to determine the reason for the previously mentioned event, I set up a lab with two Catalyst 8000v routers running IOS XE 17.15.1a, connected directly to each other. I successfully configured SXP peering between the two devices and then created the Default Route SGT on one of the routers. This time, the SXP connection did not drop, and everything worked as expected!

Could this behaviour be related to SXP version compatibility between ISE and the IOS XE device?

Thanks