Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2822
Views
0
Helpful
1
Replies

SXP Connection Design

Go to solution
firefox
Cisco Employee
Cisco Employee

‎07-18-2018 02:33 AM - edited ‎03-11-2019 01:46 AM

Hi,

I am looking for a best practice guide for setting up SXP connections. I went through the basic ones that are available. I am looking for few suggestions on best setting up SXP tunnel between 9 C3650 switches. I observed that when SXP tunnels are setup in a mesh format with all the 9 switches, the CPU of the switch goes high. When its setup in a star format there is no issue with CPU. So, in this regard, is there a best practice guide to setup SXP connections, basically between switches? I do not have SXP between ISE and Switch.

Thanks

TJ

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kevin Regan
Cisco Employee
Cisco Employee

‎07-18-2018 06:27 AM

Tiju,

If you cannot use inline tagging between the switches and need SXP, https://communities.cisco.com/docs/DOC-75763 may help, alternatively if you download Darrin Miller’s BRKSEC-3690 slides from CiscoLive you will find some more detail on SXP reflector designs and how to use SXP path length filters. They are important with SXP reflector designs (look around slide 100 in his most recent Orlando delivery).

A mesh approach should be avoided, SXP reflector will be much more effective, please note that the path length limits came in 3.6(5), 3.7(4) and 16.3 onwards.

If all of the users/devices are going to be authorized by ISE, you may find it simpler to send SXP from ISE directly to the switches, then the switches only need to be configured as SXP listeners.

Hope that helps,

Kevin

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Kevin Regan
Cisco Employee
Cisco Employee

‎07-18-2018 06:27 AM

Tiju,

If you cannot use inline tagging between the switches and need SXP, https://communities.cisco.com/docs/DOC-75763 may help, alternatively if you download Darrin Miller’s BRKSEC-3690 slides from CiscoLive you will find some more detail on SXP reflector designs and how to use SXP path length filters. They are important with SXP reflector designs (look around slide 100 in his most recent Orlando delivery).

A mesh approach should be avoided, SXP reflector will be much more effective, please note that the path length limits came in 3.6(5), 3.7(4) and 16.3 onwards.

If all of the users/devices are going to be authorized by ISE, you may find it simpler to send SXP from ISE directly to the switches, then the switches only need to be configured as SXP listeners.

Hope that helps,

Kevin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents