Thanks a lot Jonothan.

it's clear now except for the point ( 'template' the configuration for SXP on each branch ) , I need an example or a document that illustrate this point "if available"

I just meant that SXP will need to be configured on ~1000 branches, from access switches to core. But apart from IP addresses etc the config will be the same on each branch. So, you could create some sort of script that substitutes IP addresses etc into the config needed to add SXP and use that to help in provisioning:

cts sxp enable

cts sxp default source-ip xx

cts sxp default password xx

cts sxp connection peer xx source xx password default mode local speaker

Just going to drop a note here.  I have had a very frustrating time trying to scale SXP even with dedicated ASR hardware "reflectors".  I'm not sure how far along you are in the planning your enforcement strategy but i'm certainly open to discussing some real world scenarios with you. 

Thanks a lot Damien, actually I'm struggling right now with my 1000 branches.

I was thinking that I can scale SXP using ISE as a listener and speaker to other branches but I was wrong after I found that ISE can only have maximum 200 SXP connection with v2.1 in release 6.3 system bulletin.

so please if you have solutions it will be appreciated to share with me

John, Make sure to enable path length filtering on the routers if you are planning to go with the SXP reflectors route. I would recommend configuring the maximum paths as 2.

cts sxp limit export peer-sequence-nodes 2

cts sxp limit import peer-sequence-nodes 2

Damien, I totally understand your frustration. I hope things are fine after the path length filtering you enabled on those SXP reflectors. Let me know if you have any other scaling issues with SXP.

Lets discuss offline if you're around at Cisco Live, we have had some developments since I talked to you at the security sevt. 

Sure Damien. We can discuss offline. I will be there at Cisco Live.

Hey Karthik and Damien, please include me in the mtg/discussion @ CiscoLive.

Thanks,

Ken

I am in the process of designing a similar solution with a mix of nexus 7700/F3/8.1.1 and Cisco catalyst 9300's at the access layer. There will be some basic enforcement from the branch to the data center, but largely the enforcement will be between devices at the location and between locations with enforcement being on the 9300. I'm looking for some of details regarding scaling you are mentioning. I'm considering a reflector approach, with the reflection being done on either a couple nexus 7700's or a couple ASR 1002x's. Thanks

Therein lies the rub. I agree with you. +/- 260 sites. We will have somewhere in the neighborhood of 400-500 9300 remote edge switches participating. We are also actively designing Cisco SD-wan so we will be able to handle the tagging natively long-term. The problem is the short term segmentation deadline. I’ve done my homework on SXP and ISE and the amount of compute necessary to get to the max of 800 sessions is massive and not doable. What am I planning doing is seeding the ip to sgt mappings from ISE to either a set of nexus switches are a set of ASR routers, and then I have listen only sxp sessions to the remote 9300 switches from the n7k/a1k. The nexus switches learn about the dynamic sessions from auth policies via ISE/SXP, and then the 9300’s learn the static mappings from the SXP reflectors. I’m leaning towards the A1K for SXP reflection since it seems to have the “cts sxp limit” commands that are recommended.

You could simplify this by having ISE be the central speaker of all IP-SGT mappings and no return SXP connections. ISE will already be the source of truth for IP-SGT mappings since it knows them/learns them during authentication, you do not need to communicate them back to ISE.

Building SXP connections from reflectors to the access layer isn't a requirement if you are willing to utilize inline tagging in the LAN. Take this as an example of what may help it scale better.

You send these IP-SGT mappings to an ASR 1k with a speaker connection from ISE, then use the ASR 1k to speak them down to the WAN edge at sites. To scale this out a bit better, you could create a three tier topology, ISE speaker > ASR speaker > ISR 4k listener. Then within the LAN you leverage cts manual to perform inline tagging throughout the site. The ISR 4k utilizing the SXP IP-SGT mappings it learns, will retag any traffic egressing it's LAN interfaces. The core/distribution/access would be configured for inline tagging and sgacl enforcement. It doesn't have to be an ISR 4k either, they are just a reasonably scalable platform when it comes to mappings, this would work with legacy ISR G2 platforms.

This assumes you have inline tagging capable hardware from the remote site WAN edge down to the access layer.