SXP between C9300 and C2960X

p11l
Level 1

Hello everyone,

We would like to use our “old” C2960X devices, which we have in large numbers, to connect simple devices such as printers or PCs that do not require PoE.

The goal is to use SGT for these devices. I have already read that it is not possible to use the full range of functions for working with SGT with a C2960X. However, it is listed with Note 3: “Tier III does not have a full group-based policy functionality and support for classification and SXP-based propagation only.”

So my question is how can I achieve this in an already usable SDA deployment? I drew a little picture.

The only SXP connection already used there is between DNA and ISE. Is that right? So I think I need to configure SXP between the 2960X and the 9300 in Edge mode. But how do I achieve this? Is it necessary to configure a trunk connection between these two devices, or should it be a routed connection? All SDA devices connected in the underlay use IS-IS; the 2960X is not suitable for this.

I hope someone can help clarify this.

Thank you

24 Replies

Abstract from the part number of the Fabric switch. Think in layers terms. SXP on the fabric Edge Nodes is not supported. Meaning u'll never be able to enforce RBAC on them using SGTs assigned by C2960Xs. Edge Nodes will not be aware about SGTs assigned to endpoints on the C2960X. Meaning u have to choose a different layer in your fabric overlays to enforce RBAC with use of SGTs assigned on the C2960X. Within your site it can be either BNs or FNs or local FWs (compatible with SXP|pxGrid).

p11l
Level 1

Thanks, that makes it a little bit clearer to me. No SXP between Downstream and Edge Node.
That sounds like I peer the 2960X with the BN in the Fabric Site with SXP?

With already existing connection between 2960X and ISE (for 802.1x) it should then be possible to use SGT?
Provided that the ISE rules and regulations are correct in assigning a corresponding SGT.

p11l
Level 1

Please excuse my constant asking. I wouldn't ask if I knew how to do it.
I drew a new picture, would this be how the SXP binding would be created?
Also with the respective mode.
Thanks for further assistance

Look, 1st of all u have to decide where u do RBAC enforcement.
Read this document PowerPoint Presentation (ciscolive.com) (key points r on slides 20 & 35) to decide what fits your needs better.


Hi,

Sorry for the slow reply. SDA is a turnkey e2e LAN networking solution that is designed and tested against the CVDs, CVPs, and other use cases you see documented by the Cisco SDA team. We have not designed or tested SDA to support SXP on EN (Fabric Edge Node) switches, thus we don't support it. It might be possible to configure as a lab experiment, but TAC and engineering will not support EN SXP; it won't scale and it significantly complicates the SDA architecture. The SDA solution solves micro-segmentation at scale (100K+ endpoints per site, 1200+ ENs per site, 10K APs per site) within the Fabric Site by using data plane SGT.

Please do not peer 2960X SXP with BN; this also is not a validated design, and you'll see no mention of this design in any Cisco collateral. Off hand I can think of several undesirable consequences to doing this! BN SXP peering is supported on the BN in the northbound direction (e.g. with ISE, or an SXP reflector) when required. To be clear though, SXP is not our best answer and there are complexity and scale tradeoffs; data plane SGT is always preferred as simpler and more scalable.

You can use 2960X as manual non-SDA L2 switch with no SGT policy support on the 2960X. You can also map SDA access VLAN to an SGT which gives some level of micro-segmentation for 2960X VLANs at the Edge Node, see BRKENS-2008 for details.

Cheers, Jerome


There is still an option to implement dynamic (via RADIUS AAA) endpoint classification (in SGT terms) on the C2960X, thus making the ISE pxGrid bus aware of the IP (or other identity known to ISE)-to-SGT mapping, & then from the enforcement point (e.g. a pxGrid-enabled FW like PaloAlto f.e.) to subscribe to ISE's pxGrid bus to pull that mapping. But still there is a scalability limitation as per https://community.cisco.com/t5/network-access-control/pxgrid-scalability/td-p/3852257#:~:text=Maximum%20dedicated%20pxGrid%20node%20is%204%20%26%20maximum%20subscribers%20per%20pxGrid%20node%20are%20200.
With regard to the suggestion to use VLAN-to-SGT mapping: I witnessed a customer case where they mainly needed RBAC-based stateless filtering _within_ an arbitrary VLAN to isolate traffic between different classes of devices (e.g. security cameras, door access controls, etc). Obviously neither VLAN-to-SGT mapping nor non-RBAC-compatible switches nor pxGrid-enabled FWs are suitable here.

Hi Andy, agree that SGT can still be dynamically assigned by ISE for an endpoint connected to the 2960X, thus populating the ISE session table with IP:SGT for the endpoint, and then that IP:SGT pair can be advertised to a FW or Border Node (over SXP or pxGrid). This design however will not give micro-segmentation within the SDA access VLAN or L3VN, so it should not be used if micro-segmentation within the Fabric Site is required.


p11l
Level 1

Hi Andy and Jerome,

OK we shouldn't use SGT in productive systems - if - only for testing.

But is it possible to use different VN on 2960X connected to 9300?

User, Public, IoT etc. without use of SGT?

Static VN mapping to port?


C2960X doesn't support VRF.
Cisco Catalyst 2960-X and 2960-XR Series Switches Data Sheet - Cisco
It's generally a weak idea to use it somewhere in an SD-Access env.

jedolphi
Cisco Employee
Cisco Employee

You could create several L3VN in SDA fabric with different VLAN IDs, trunk all those VLANs to 2960X, then assign different VLANs to different 2960X ports, see my rough diagram below. To Andy's point the 2960X is not automated by SDA, so there will be some manual configuration involved per 2960X, which could cost the network admin a lot of time.

[diagram: jedolphi_0-1715737820709.png]
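To make the two supported options in this thread concrete (Jerome's "manual non-SDA L2 switch" with VLAN-to-SGT mapping at the Edge Node, and his later suggestion of trunking several fabric VLANs down to the 2960X and assigning them per port), here is an illustrative IOS configuration sketch. It is an added example, not configuration from any of the posters or from Cisco collateral. Every VLAN ID, SGT value, interface name, RADIUS address and key below is a placeholder; the 802.1X part reflects the thread's point that the 2960X is already talking to ISE, and the single `cts role-based sgt-map` line on the C9300 is the VLAN-to-SGT mapping the thread attributes to BRKENS-2008. Whether a DNA Center-managed Edge Node keeps manually entered CLI is not covered by the thread, so treat that last section as syntax only.

```cisco
! ===== C2960X: manual non-SDA L2 switch (no SGT policy on this box) =====
! Uplink trunk to the C9300 fabric Edge Node. The three VLANs are
! placeholders standing in for the access VLANs of three L3VNs
! (e.g. User / Public / IoT) that the Edge Node extends to this switch.
interface GigabitEthernet1/0/48
 description Uplink to C9300 fabric Edge Node (placeholder)
 switchport mode trunk
 switchport trunk allowed vlan 1021,1022,1023
!
! RADIUS / 802.1X towards ISE so endpoints are still authenticated
! (and, as Andy notes, classified by ISE) even though the 2960X itself
! cannot enforce SGT policy. Address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-PSN-PLACEHOLDER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
dot1x system-auth-control
!
! One access port per device class: static VLAN assignment per port,
! which is the "manual configuration per 2960X" Jerome warns costs time.
interface GigabitEthernet1/0/1
 description Printer (placeholder)
 switchport mode access
 switchport access vlan 1022
 spanning-tree portfast
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description User PC (placeholder)
 switchport mode access
 switchport access vlan 1021
 spanning-tree portfast
 authentication port-control auto
 dot1x pae authenticator
!
! ===== C9300 fabric Edge Node: VLAN-to-SGT mapping (syntax only) =====
! Maps everything arriving on the 2960X-facing VLANs to one SGT per VLAN.
! This gives segmentation *between* the VLANs at the Edge Node, not
! within a VLAN (the limitation Andy and Jerome both point out).
cts role-based sgt-map vlan-list 1021 sgt 10
cts role-based sgt-map vlan-list 1022 sgt 20
cts role-based sgt-map vlan-list 1023 sgt 30
```

The practical check after applying something like this is `show cts role-based sgt-map all` on the Edge Node to confirm that hosts learned on VLAN 1022 appear with SGT 20, and `show authentication sessions` on the 2960X to confirm ISE is still authorizing the ports; if a device class needs isolation from other devices in the same VLAN, this design does not provide it and the thread's advice is to connect those endpoints to a fabric Edge Node instead.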