CTS or CTS & SXP?

Jason Kopacko
Level 4

I am in the process of testing out TrustSec and have a couple questions.

When I bring up a CTS session w/ PAC on an ASA to ISE, it seems that the ASA gets the environment data but only has a list of the IP:SGT tags it is directly responsible for. It appears I have to bring up SXP as well, which doesn't make sense, requires additional work and seems like more overhead for ISE.


5 Replies

umahar
Cisco Employee

Jason, It is expected.

SXP is a way to propagate tags to TrustSec devices if tags cannot be propagated via inline SGT.

If you have an inline SGT environment, traffic reaching the ASAs will carry the source tag with itself and there will no need of SXP.

Ok, so for devices that support CTS, that is a way for the device to send data to ISE with the mappings. For the mappings that are external to the NAD, that's where setting up all the inline tagging between all the devices comes in, or an SXP connection to ISE. Correct?

Jason,

Two ways to propagate the tags in TrustSec:

First, with inline tagging: if the ASA is connected to some NAD, then via inline tagging it could receive the source tags of the endpoints from that NAD.

Next, with SXP: if the ASA is peered (listener) via SXP with a NAD (speaker), then it would receive the IP-SGT mappings from the NAD. Optionally, if you are using ISE to share the mappings, like in your case, then you need to create the SXP peering with ISE, where ISE, acting as the SXP speaker, would share the bindings of the endpoints and servers to the ASA.

As far as the performance impact on ISE is concerned, we recommend a dedicated SXP node on ISE, which could scale up to 250,000 IP-SGT bindings with 250 concurrent SXP connections.
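To make the two channels described above concrete, here is an ASA-side configuration sketch added as an example; it is not from this thread, and the addresses, server-group name, PAC file name, passwords and the ISE GUI path in the comments are placeholders and assumptions to adapt to your deployment.

```cisco
! Added example (not from the thread). Placeholder values: ISE at 192.0.2.10,
! ASA inside interface at 192.0.2.20, server-group "ISE", PAC file "asa.pac".
!
! Channel 1: CTS environment data. The imported PAC authenticates the ASA to ISE
! for the environment-data download (SGT table and related data). This channel
! does not carry IP-to-SGT bindings for endpoints behind other NADs.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key CHANGE-ME-RADIUS-KEY
cts server-group ISE
! exec mode: import the PAC obtained from ISE, then pull environment data
cts import-pac disk0:/asa.pac password CHANGE-ME-PAC-PASSWORD
cts refresh environment-data
!
! Channel 2: SXP, the protocol that actually propagates IP-SGT bindings over TCP.
! The ASA is the SXP listener; ISE is configured as the speaker for this peer
! (assumed GUI location: Work Centers > TrustSec > SXP > SXP Devices).
cts sxp enable
cts sxp default source-ip 192.0.2.20
cts sxp default password CHANGE-ME-SXP-PASSWORD
cts sxp connection peer 192.0.2.10 password default mode local listener
!
! Verification: the two channels are independent, so check each one.
! show cts environment-data   -> SGT table learned via RADIUS/PAC
! show cts sxp connections    -> state of the peering with 192.0.2.10
! show cts sxp sgt-map        -> IP-SGT bindings learned from ISE over SXP
```

If `show cts environment-data` is populated but `show cts sxp sgt-map` is empty, the environment-data channel is working and only the SXP peering (password, source IP or ISE-side peer definition) needs attention.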

My issue is...if CTS is up and the environment and associated data can be communicated to a device (ASA in this case) why can't the mappings be sent as well.

It just seems like an additional connection point that is a duplication of effort.

Also, splitting off nodes for specific roles gets incredibly pricey from both a capex and opex perspective for purchase and smartnet.

Jason,

Good question, but we need a protocol to propagate the tags, which is SXP (uses TCP) in this case. Also think of this: what mappings would the ASA need? Do we really need to send all the mappings or some? You are just thinking from the ASA perspective, which doesn't have many scaling limitations, but what if I have a 3k? With SXP we have an option to send selective mappings to the NADs as well from ISE.

I understand the Capex, but we recommend a dedicated node mainly for scaling; if you have a RADIUS PSN also acting as an SXP node, then it would obviously scale less.
