Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring Cisco TrustSec SXP


Information About Cisco TrustSec SXP

Cisco TrustSec enables organizations to secure their networks and services through identity-based access control to anyone, anywhere, anytime. The solution also offers data integrity and confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services. TrustSec can be combined with personalized, professional service offerings to simplify solution deployment and management, and is a foundational security component to Cisco Borderless Networks.

The Cisco TrustSec security architecture builds secure networks by establishing domains of trusted network devices. Each device in the domain is authenticated by its peers. Communication on the links between devices in the domain is secured with a combination of encryption, message integrity check, and data-path replay protection mechanisms. Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by security groups (SGs) as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be correctly identified to apply security and other policy criteria along the data path. The tag, called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.

One of the components of Cisco TrustSec architecture is the security group-based access control. In the security group-based access control component, access policies in the Cisco TrustSec domain are topology-independent, based on the roles (as indicated by security group number) of source and destination devices rather than on network addresses. Individual packets are tagged with the security group number of the source.

Cisco devices use the SGT Exchange Protocol (SXP) to propagate SGTs across network devices that do not have hardware support for Cisco TrustSec. SXP is a software-only alternative to upgrading every switch to CTS-capable hardware, and the controller supports it as part of the TrustSec architecture. SXP sends IP-to-SGT mapping information to CTS-enabled switches so that the appropriate role-based access control lists (RBACLs) can be activated for the role that the SGT represents. The controller always operates in Speaker mode, that is, it only sends mappings and never receives them. To implement SXP on a network, only the egress distribution switch needs to be CTS-enabled; all the other switches can be non-CTS-capable.

SXP runs between an access layer switch and a distribution switch, or between two distribution switches, and uses TCP as its transport. CTS authentication is performed for any host (client) joining the network on the access layer switch, just as on an access switch with CTS-enabled hardware. Because the access layer switch is not CTS hardware enabled, data traffic is not encrypted or cryptographically authenticated while it passes through the access layer switch. SXP carries the IP address of the authenticated device (here, a wireless client) and the corresponding SGT up to the distribution switch. If the distribution switch is CTS hardware enabled, it inserts the SGT into the packet on behalf of the access layer switch. If it is not, SXP on the distribution switch passes the IP-SGT mapping on to the distribution switches that do have CTS hardware. On the egress side, the RBACL is enforced at the egress Layer 3 interface of the distribution switch.

The following are some guidelines for Cisco TrustSec SXP:
  • SXP is supported on the following security policies only:
    • WPA2-dot1x
    • WPA-dot1x
    • 802.1x (Dynamic WEP)
    • MAC Filtering using RADIUS servers
    • Web authentication using RADIUS servers for user authentication
  • SXP is supported for both IPv4 and IPv6 clients.
  • Controller always operates in the Speaker mode.

For more information about Cisco TrustSec, see http://en/US/netsol/ns1051/index.html.

Restrictions for Cisco TrustSec SXP

  • SXP is not supported on FlexConnect access points.
  • SXP is supported only in centrally switched networks that have central authentication.
  • By default, SXP is supported for APs that work in local mode only.
  • The default password must be identical on the controller and on the peer switch. SXP messages are MD5-authenticated with this password, so a mismatch causes the peer to discard the controller's segments and the SXP connection does not come up.
  • Fault tolerance is not supported because fault tolerance requires local switching on APs.
  • Static IP-SGT mapping for local authentication of users is not supported.
  • IP-SGT mapping requires authentication with external ACS servers.
  • In auto-anchor mobility mode, the controller does not update client IP-SGT information through mobility messages. For IP-SGT mapping updates to reach the anchor side, the switches connected to the two controllers must have an SXP connection established between them.

Configuring Cisco TrustSec SXP (GUI)

    Step 1   Choose Security > TrustSec SXP to open the SXP Configuration page. This page lists the following SXP configuration details:
    • Total SXP Connections—Number of SXP connections that are configured.
    • SXP State—Status of SXP connections as either disabled or enabled.
    • SXP Mode—SXP mode of the controller. The controller is always set to Speaker mode for SXP connections.
    • Default Password—Shared key used for MD5 authentication of SXP messages; it must match the password configured on the peer switch. We recommend that the password contain a minimum of 6 characters. MD5 authentication protects the origin and integrity of SXP messages only; it does not encrypt them, so the IP-SGT mappings are readable by anyone who can capture the session.
    • Default Source IP—IP address of the management interface. SXP uses the default source IP address for all new TCP connections.
    • Retry Period—SXP retry timer. The default value is 120 seconds (2 minutes). The valid range is 0 to 64000 seconds. The SXP retry period determines how often the controller retries for an SXP connection. When an SXP connection is not successfully set up, the controller makes a new attempt to set up the connection after the SXP retry period timer expires. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.

    This page also displays the following information about SXP connections:

    • Peer IP Address—The IP address of the peer, that is the IP address of the next hop switch to which the controller is connected. There is no effect on the existing TCP connections when you configure a new peer connection.
    • Source IP Address—The IP address of the source, that is the management IP address of the controller.
    • Connection Status—Status of the SXP connection.
    Step 2   From the SXP State drop-down list, choose Enabled to enable Cisco TrustSec SXP.
    Step 3   Enter the default password that should be used to make an SXP connection. We recommend that the password contain a minimum of 6 characters.
    Step 4   In the Retry Period box, enter the time in seconds that determines how often the Cisco TrustSec software retries for an SXP connection.
    Step 5   Click Apply.
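The Default Password entered in Step 3 is the shared key for the TCP MD5 signature option (RFC 2385), which is what "MD5 authentication of SXP messages" refers to. The following Python is an added example, not part of the Cisco guide or of the controller's own code: it reproduces the RFC 2385 digest computation to show why the key must be identical on both ends, that a tampered segment fails verification, and that the signed payload still travels in cleartext. The addresses, ports, sequence numbers and the payload string are constructed sample values; the payload is a placeholder, not real SXP message encoding.

```python
"""Added example (not from the Cisco guide): what the SXP "default password" does.

SXP peers authenticate each TCP segment with the TCP MD5 signature option
(RFC 2385): a 16-byte MD5 digest keyed with the shared password is carried
in a TCP option. The functions below reproduce that computation.
All addresses, ports, sequence numbers and the payload are constructed
sample values; the payload is a stand-in, not real SXP framing.
"""
import hashlib
import hmac
import socket
import struct

SXP_PORT = 64999        # well-known TCP port for SXP
MD5_OPTION_LEN = 18     # kind(1) + length(1) + digest(16)


def build_tcp_header(sport, dport, seq, ack, flags, window, options_len):
    """20-byte base TCP header whose data-offset field also covers the options.
    The checksum is left at zero; RFC 2385 hashes the header with a zero checksum."""
    words = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       words << 4, flags, window, 0, 0)


def tcp_md5_signature(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385: MD5( pseudo-header || base TCP header with checksum=0 || data || key ).
    The pseudo-header segment length covers the header including options plus data;
    the options themselves (including the MD5 option) are excluded from the hash."""
    header_len = (tcp_header[12] >> 4) * 4
    segment_len = header_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    base = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # zero the checksum field
    return hashlib.md5(pseudo + base + payload + password.encode()).digest()


def verify_segment(src_ip, dst_ip, tcp_header, payload, received_digest, password):
    """Listener-side check: recompute with the locally configured key and compare
    in constant time. A key mismatch or any change to the payload fails here."""
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, payload, password)
    return hmac.compare_digest(expected, received_digest)


# Constructed demo values: controller (speaker) sending to a distribution switch (listener).
CONTROLLER_IP = "10.10.10.5"
SWITCH_IP = "10.10.10.1"
BINDING_UPDATE = b"CONSTRUCTED-SXP-UPDATE 10.20.30.40 -> SGT 10"   # placeholder, not SXP encoding


def demo(password="s3cretpw"):
    """Sign one segment with the controller's key and verify it three ways."""
    options_len = MD5_OPTION_LEN + 2   # MD5 option plus 2 bytes of NOP padding to a 4-byte boundary
    hdr = build_tcp_header(49152, SXP_PORT, seq=1000, ack=2000,
                           flags=0x18, window=65535, options_len=options_len)
    digest = tcp_md5_signature(CONTROLLER_IP, SWITCH_IP, hdr, BINDING_UPDATE, password)
    tampered = BINDING_UPDATE.replace(b"SGT 10", b"SGT 99")
    return {
        "digest_len": len(digest),
        # Same key on both ends: the switch accepts the segment.
        "same_password": verify_segment(CONTROLLER_IP, SWITCH_IP, hdr, BINDING_UPDATE, digest, password),
        # Key differs on the switch (here only by case): segment is discarded.
        "wrong_password": verify_segment(CONTROLLER_IP, SWITCH_IP, hdr, BINDING_UPDATE, digest, password.upper()),
        # On-path modification of the binding: digest no longer matches.
        "tampered_payload": verify_segment(CONTROLLER_IP, SWITCH_IP, hdr, tampered, digest, password),
        # Signing adds no confidentiality: the mapping is still plaintext on the wire.
        "payload_visible_on_wire": b"SGT 10" in BINDING_UPDATE,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequences match the restrictions listed above: the key has to be configured identically on the controller and the switch, a mismatch silently drops segments rather than producing a clear error, and because the option signs but does not encrypt, an SXP session should run over the management network rather than over VLANs that wireless clients can reach.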

    Creating a New SXP Connection (GUI)

      Step 1   Choose Security > TrustSec SXP and click New to open the SXP Connection > New page.
      Step 2   In the Peer IP Address text box, enter the IP address of the next hop switch to which the controller is connected.
      Step 3   Click Apply.

      Configuring Cisco TrustSec SXP (CLI)

      • Enable or disable the SXP on the controller by entering this command:

        config cts sxp { enable | disable}

      • Configure the default password for MD5 Authentication of SXP messages by entering this command:

        config cts sxp default password password

      • Configure the IP address of the next hop switch with which the controller is connected by entering this command:

        config cts sxp connection peer ip-address

      • Configure the interval between connection attempts by entering this command:

        config cts sxp retry period time-in-seconds

      • Remove an SXP connection by entering this command:

        config cts sxp connection delete ip-address

      • See a summary of SXP configuration by entering this command:

        show cts sxp summary

        Information similar to the following appears:

        SXP State........................................ Enable
        SXP Mode......................................... Speaker
        Default Password................................. ****
        Default Source IP................................
        Connection retry open period .................... 120

      • See the list of SXP connections that are configured by entering this command:

        show cts sxp connections

        Information similar to the following appears:

        Total num of SXP Connections..................... 1
        SXP State........................................ Enable
        Peer IP            Source IP           Connection Status
        ---------------    ---------------     -----------------
                                               On

      • Establish a connection between the controller and a Cisco Nexus 7000 Series switch by entering these commands in order:

          1. config cts sxp version {1 | 2}
          2. config cts sxp disable
          3. config cts sxp enable

        Set the SXP version to match the one the Nexus 7000 switch uses; the disable/enable cycle makes the controller renegotiate with the new version.

      • If the controller uses SXP version 2 and the Cisco Nexus 7000 Series switch uses version 1, the connection is established only after one or more retry periods have elapsed. We recommend a shorter retry period while the connection is first being brought up so that it comes up sooner; the default is 120 seconds.