05-17-2019 12:17 AM
I’m planning TrustSec for a new network based on C9K switches.
If I would like to use 802.1x on access ports and dynamic classification with ISE, do I need an SXP session from ISE to every access switch where dynamic classification occurs?
When endUser is authorized by ISE and dynamically classified (some SGT is applied), is SXP the only option to inform this switch about the tag?
I'm asking because I'm not sure if dynamic classification on access switches needs to take the ISE scaling aspect into consideration.
In small ISE deployments very few SXP sessions are supported.
05-17-2019 01:09 AM
You can use the inline tagging method. SXP can be used in case the device doesn't support inline tagging, and SXP is used to advertise IP-to-SGT mappings.
05-17-2019 01:58 AM
I found information about how it works in the 3750 config guide: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/identity-based-networking-service/116498-configure-cts-00.html
SGT is passed to the authenticator switch in the last packet of the 802.1x authentication session so no SXP session is needed here.
I have another question: if endUser_A is 802.1x authenticated on a non-Cisco (non-TrustSec) switch, and an SXP session is established from ISE to a Cisco TrustSec-capable switch,
- will the Cisco switch be informed about the IP-SGT binding through SXP?
- will the Cisco switch propagate the learned SGT inline to other Cisco TrustSec switches in the domain?
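
The point made in the post above, that the SGT reaches the authenticator switch in the final message of the 802.1X exchange, shown as an added example (not from the thread or the linked Cisco guide). It assumes the tag travels in the RADIUS Access-Accept as a Cisco AV-pair of the form `cts:security-group-tag=<hex SGT>-<generation>`; the packet is constructed sample data and the function names are hypothetical.

```python
import struct

CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor sub-type that carries "key=value" strings
SGT_PREFIX = "cts:security-group-tag="   # assumed AV-pair name (not on this page)

def vsa(value: str) -> bytes:
    """Encode one Cisco AV-pair as a RADIUS Vendor-Specific attribute (type 26)."""
    sub = bytes([CISCO_AVPAIR, 2 + len(value)]) + value.encode()
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([26, 2 + len(body)]) + body

def build_access_accept(avpairs, ident=1) -> bytes:
    """Constructed sample: code 2 (Access-Accept) with a zeroed authenticator."""
    attrs = b"".join(vsa(p) for p in avpairs)
    return struct.pack("!BBH16s", 2, ident, 20 + len(attrs), b"\0" * 16) + attrs

def extract_sgt(packet: bytes):
    """Return the SGT (int) an Access-Accept hands to the switch, else None."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != 2:
        return None              # only Access-Accept carries authorization data
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        data = packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(data) < 6:
            continue             # not a usable Vendor-Specific attribute
        vendor = struct.unpack("!I", data[:4])[0]
        if vendor != CISCO_VENDOR_ID or data[4] != CISCO_AVPAIR:
            continue
        text = data[6:4 + data[5]].decode("ascii", "replace")
        if text.startswith(SGT_PREFIX):
            # "0011-0" -> SGT 0x0011; the suffix after "-" is the generation
            return int(text[len(SGT_PREFIX):].split("-")[0], 16)
    return None

# Constructed Access-Accept for an endpoint classified with SGT 17 (0x0011)
SAMPLE = build_access_accept(["cts:security-group-tag=0011-0"])
```

Because the access switch is the RADIUS client, it holds the endpoint's tag as soon as authorization completes, so dynamic classification on that switch does not consume an ISE SXP session.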
05-17-2019 04:39 AM
If the end user connects to the non-Cisco switch, I am not sure whether all 3rd-party devices understand TrustSec. If the 3rd-party switch doesn't understand TrustSec, ISE won't have the IP-to-SGT info of that endUser_A.
- If SXP is built between ISE & any enforcement device, it will share the IP-to-SGT mapping (both static & dynamic mappings).
- Once the PAC is provisioned, the other switch in the domain will get all the environment data.
05-17-2019 07:14 AM
05-17-2019 08:06 AM