Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport
You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on switches in your network.
This section includes the following topics:
Cisco TrustSec SGT Exchange Protocol Feature Histories
For a list of supported TrustSec features per platform and the minimum required IOS release, see
the
Cisco TrustSec Platform Support Matrix
at the following URL: (final URL posted with TS 4.0)
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Otherwise, see product release notes for detailed feature introduction information.
Configuring Cisco TrustSec SXP
To configure Cisco TrustSec SXP, follow these steps:
Step 1 Enable the Cisco TrustSec feature (see the “Configuring Identities, Connections, and SGTs” chapter in the Cisco TrustSec Switch Configuration Guide at:
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#wpxref29406
).
Step 2 Enable Cisco TrustSec SXP (see the “Enabling Cisco TrustSec SXP” section).
Step 3 Configure SXP peer connections (see the “Configuring an SXP Peer Connection” section).
Enabling Cisco TrustSec SXP
You must enable Cisco TrustSec SXP before you can configure peer connections. To enable Cisco TrustSec SXP, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters global configuration mode.
|
Step 2
|
Router(config)# [
no
]
cts sxp enable
|
Enables SXP for Cisco TrustSec.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
Configuring an SXP Peer Connection
You must configure the SXP peer connection on both of the devices. One device is the speaker and the other is the listener. When using password protection, make sure to use the same password on both ends.
Note If a default SXP source IP address is not configured and you do not configure an SXP source address in the connection, the Cisco TrustSec software derives the SXP source IP address from existing local IP addresses. The SXP source address might be different for each TCP connection initiated from the switch.
To configure the SXP peer connection, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters global configuration mode.
|
Step 2
|
Router(config)#
cts sxp connection
peer
peer-ipv4-addr
[
source
src-ipv4-addr
]
password
{
default
|
none
]
mode
{
local
|
peer
} {
speaker
|
listener
}
[
vrf
vrf-name
]
|
Configures the SXP address connection.
The optional
source
keyword specifies the IPv4 address of the source device. If no address is specified, the connection will use the default source address, if configured, or the address of the port.
The
password
keyword specifies the password that SXP will use for the connection using the following options:
-
default
—Use the default SXP password you configured using the
cts sxp default password
command.
-
none
—Do not use a password.
The
mode
keyword specifies the role of the remote peer device:
-
local
—The specified mode refers to the local device.
-
peer
—The specified mode refers to the peer device.
-
speaker
—Default. Specifies that the device is the speaker in the connection.
-
listener
—Specifies that the device is the listener in the connection.
The optional
vrf
keyword specifies the VRF to the peer. The default is the default VRF.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
Step 4
|
Router#
show cts sxp connections
|
(Optional) Displays the SXP connection information.
|
This example shows how to enable SXP and configure the SXP peer connection on Switch A, a speaker, for connection to Switch B, a listener:
Router# configure terminal Router(config)# cts sxp enable Router(config)# cts sxp default password Cisco123 Router(config)# cts sxp default source-ip 10.10.1.1 Router(config)# cts sxp connection peer 10.20.2.2 password default mode local speaker
This example shows how to configure the SXP peer connection on Switch B, a listener, for connection to Switch A, a speaker:
Router# configure terminal Router(config)# cts sxp enable Router(config)# cts sxp default password Cisco123 Router(config)# cts sxp default source-ip 10.20.2.2 Router(config)# cts sxp connection peer 10.10.1.1 password default mode local listener
Configuring the Default SXP Password
By default, SXP uses no password when setting up connections. You can configure a default SXP password for the switch. In Cisco IOS Release 12.2(50)SY and later releases, you can specify an encrypted password for the SXP default password.
To configure a default SXP password, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)#
cts sxp default
password
[
0
|
6
|
7
]
password
|
Configures the SXP default password. You can enter either a clear text password (using the
0
or no option) or an encrypted password (using the
6
or
7
option). The maximum password length is 32 characters.
|
Step 3
|
Router(config)#
exit
#
|
Exits configuration mode.
|
This example shows how to configure a default SXP password:
Router# configure terminal Router(config)# cts sxp default password Cisco123
Configuring the Default SXP Source IP Address
SXP uses the default source IP address for all new TCP connections where a source IP address is not specified. There is no effect on existing TCP connections when you configure the default SXP source IP address.
To configure a default SXP source IP address, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)#
cts sxp default source-ip
src-ip-addr
|
Configures the SXP default source IP address.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
This example shows how to configure an SXP default source IP address:
Router# configure terminal Router(config)# cts sxp default source-ip 10.20.2.2
Changing the SXP Reconciliation Period
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconciliation period timer starts. While the SXP reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconciliation period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.
To change the SXP reconciliation period, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)#
cts sxp reconciliation period
seconds
|
Changes the SXP reconciliation timer. The default value is 120 seconds (2 minutes). The range is from 0 to 64000.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
Changing the SXP Retry Period
The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
To change the SXP retry period, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)#
cts sxp retry period
seconds
|
Changes the SXP retry timer. The default value is 120 seconds (2 minutes). The range is from 0 to 64000.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP
When the
cts sxp log binding-changes
global configuration command is executed, SXP syslogs (sev 5 syslog) are generated whenever a change to IP address to SGT binding occurs (add, delete, change). These changes are learned and propagated on the SXP connection.
The default is
no cts sxp log binding-changes
.
To enable logging of binding changes, perform the following task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)#
cts sxp log binding-changes
|
Turns on logging for IP to SGT binding changes.
|
Verifying the SXP Connections
To view the SXP connections, perform this task:
|
|
|
Step 1
|
Router#
show cts sxp connections
[
brief
]
|
Displays SXP status and connections.
|
This example shows how to view the SXP connections:
Router# show cts sxp connections Default Source IP: 10.10.1.1 Connection retry open period: 10 secs Reconcile period: 120 secs Retry open timer is not running ---------------------------------------------- Connection mode : SXP Listener TCP conn password: default SXP password Duration since last state change: 0:00:21:25 (dd:hr:mm:sec) Total num of SXP Connections = 1
Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules
Note The Cisco TrustSec supervisor ingress reflector and the Cisco TrustSec egress reflector are mutually exclusive. Do not enable both functions.
Egress reflector should be disabled when ERSPAN is configured.
To configure the Cisco TrustSec supervisor ingress reflector function, perform this task.
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)# [
no
]
platform cts ingress
|
Activates the Cisco TrustSec supervisor ingress reflector.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
Step 4
|
Router#
show platform cts
|
Displays Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).
|
This example shows how to configure a Cisco TrustSec ingress reflector:
Router# configure terminal Router(config)# platform cts ingress Router# show platform cts
Note Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.
To configure the Cisco TrustSec egress reflector function, perform this task.
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)# [
no
]
platform cts egress
|
Activates the Cisco TrustSec egress reflector.
|
Step 3
|
Router(config)#
exit
|
Exits configuration mode.
|
Step 4
|
Router#
show platform cts
|
Displays Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).
|
This example shows how to configure a Cisco TrustSec egress reflector:
Router# configure terminal Router(config)# platform cts egress Router# show platform cts
Note Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.
Configuring Cisco TrustSec Caching
Enabling Cisco TrustSec Caching
For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.
Note During extended outages, the Cisco TrustSec cache information is likely to become outdated.
To enable Cisco TrustSec caching, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
configure terminal
|
Enters configuration mode.
|
Step 2
|
Router(config)# [
no
]
cts cache enable
|
Enables caching of authentication, authorization and environment-data information to DRAM. The default is disabled.
The
no
form of this command deletes all cached information from DRAM and non-volatile storage.
|
Step 3
|
Router(config)# [
no
]
cts cache nv-storage
{
bootdisk:
|
bootflash:
|
disk0:
} [
directory
dir-name
]
|
When DRAM caching is enabled, enables DRAM cache updates to be written to non-volatile storage. Also enables DRAM cache to be initially populated from non-volatile storage when the device boots.
|
Step 4
|
Router(config)#
exit
|
Exits configuration mode.
|
This example shows how to configure Cisco TrustSec caching, including non-volatile storage:
Router# configure terminal Router(config)# cts cache enable Router(config)# cts cache nv-storage bootdisk:
Clearing the Cisco TrustSec Cache
To clear the cache for Cisco TrustSec connections, perform this task:
Detailed Steps for Catalyst 6500
|
|
|
Step 1
|
Router#
clear cts cache
[
authorization-policies
[
peer
] |
environment-data
|
filename
filename
|
interface-controller
[
type slot/port
]]
|
Clears the cache for Cisco TrustSec connection information.
|
This example shows how to clear the Cisco TrustSec cache: