Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport

You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on switches in your network.

This section includes the following topics:

Cisco TrustSec SGT Exchange Protocol Feature Histories

For a list of supported TrustSec features per platform and the minimum required IOS release, see
the Cisco TrustSec Platform Support Matrix at the following URL: (final URL posted with TS 4.0)

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

Otherwise, see product release notes for detailed feature introduction information.

Configuring Cisco TrustSec SXP

To configure Cisco TrustSec SXP, follow these steps:

Step 1 Enable the Cisco TrustSec feature (see the “Configuring Identities, Connections, and SGTs” chapter in the Cisco TrustSec Switch Configuration Guide at: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#wpxref29406 ).

Step 2 Enable Cisco TrustSec SXP (see the “Enabling Cisco TrustSec SXP” section).

Step 3 Configure SXP peer connections (see the “Configuring an SXP Peer Connection” section).

 

Enabling Cisco TrustSec SXP

You must enable Cisco TrustSec SXP before you can configure peer connections. To enable Cisco TrustSec SXP, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters global configuration mode.

Step 2

Router(config)# [ no ] cts sxp enable

Enables SXP for Cisco TrustSec.

Step 3

Router(config)# exit

Exits configuration mode.

Configuring an SXP Peer Connection

You must configure the SXP peer connection on both of the devices. One device is the speaker and the other is the listener. When using password protection, make sure to use the same password on both ends.

Note If a default SXP source IP address is not configured and you do not configure an SXP source address in the connection, the Cisco TrustSec software derives the SXP source IP address from existing local IP addresses. The SXP source address might be different for each TCP connection initiated from the switch.

To configure the SXP peer connection, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters global configuration mode.

Step 2

Router(config)# cts sxp connection
peer peer-ipv4-addr
 [ source src-ipv4-addr ]
password { default | none ] mode { local | peer } { speaker | listener }
[ vrf vrf-name ]

Configures the SXP address connection.

The optional source keyword specifies the IPv4 address of the source device. If no address is specified, the connection will use the default source address, if configured, or the address of the port.

The password keyword specifies the password that SXP will use for the connection using the following options:

  • default —Use the default SXP password you configured using the cts sxp default password command.
  • none —Do not use a password.

The mode keyword specifies the role of the remote peer device:

  • local —The specified mode refers to the local device.
  • peer —The specified mode refers to the peer device.
  • speaker —Default. Specifies that the device is the speaker in the connection.
  • listener —Specifies that the device is the listener in the connection.

The optional vrf keyword specifies the VRF to the peer. The default is the default VRF.

Step 3

Router(config)# exit

Exits configuration mode.

Step 4

Router# show cts sxp connections

(Optional) Displays the SXP connection information.

This example shows how to enable SXP and configure the SXP peer connection on Switch A, a speaker, for connection to Switch B, a listener:

Router# configure terminal
Router(config)# cts sxp enable
Router(config)# cts sxp default password Cisco123
Router(config)# cts sxp default source-ip 10.10.1.1
Router(config)# cts sxp connection peer 10.20.2.2 password default mode local speaker
 

This example shows how to configure the SXP peer connection on Switch B, a listener, for connection to Switch A, a speaker:

Router# configure terminal
Router(config)# cts sxp enable
Router(config)# cts sxp default password Cisco123
Router(config)# cts sxp default source-ip 10.20.2.2
Router(config)# cts sxp connection peer 10.10.1.1 password default mode local listener
 

Configuring the Default SXP Password

By default, SXP uses no password when setting up connections. You can configure a default SXP password for the switch. In Cisco IOS Release 12.2(50)SY and later releases, you can specify an encrypted password for the SXP default password.

To configure a default SXP password, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# cts sxp default password [ 0 | 6 | 7 ] password

Configures the SXP default password. You can enter either a clear text password (using the 0 or no option) or an encrypted password (using the 6 or 7 option). The maximum password length is 32 characters.

Step 3

Router(config)# exit #

Exits configuration mode.

This example shows how to configure a default SXP password:

Router# configure terminal
Router(config)# cts sxp default password Cisco123
 

Configuring the Default SXP Source IP Address

SXP uses the default source IP address for all new TCP connections where a source IP address is not specified. There is no effect on existing TCP connections when you configure the default SXP source IP address.

To configure a default SXP source IP address, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# cts sxp default source-ip src-ip-addr

Configures the SXP default source IP address.

Step 3

Router(config)# exit

Exits configuration mode.

This example shows how to configure an SXP default source IP address:

Router# configure terminal
Router(config)# cts sxp default source-ip 10.20.2.2

Changing the SXP Reconciliation Period

After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconciliation period timer starts. While the SXP reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconciliation period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.

To change the SXP reconciliation period, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# cts sxp reconciliation period seconds

Changes the SXP reconciliation timer. The default value is 120 seconds (2 minutes). The range is from 0 to 64000.

Step 3

Router(config)# exit

Exits configuration mode.

Changing the SXP Retry Period

The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.

To change the SXP retry period, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# cts sxp retry period seconds

Changes the SXP retry timer. The default value is 120 seconds (2 minutes). The range is from 0 to 64000.

Step 3

Router(config)# exit

Exits configuration mode.

Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP

When the cts sxp log binding-changes global configuration command is executed, SXP syslogs (sev 5 syslog) are generated whenever a change to IP address to SGT binding occurs (add, delete, change). These changes are learned and propagated on the SXP connection.

The default is no cts sxp log binding-changes .

To enable logging of binding changes, perform the following task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# cts sxp log binding-changes

Turns on logging for IP to SGT binding changes.

Verifying the SXP Connections

To view the SXP connections, perform this task:

 

 
Command
Purpose

Step 1

Router# show cts sxp connections [ brief ]

Displays SXP status and connections.

This example shows how to view the SXP connections:

Router# show cts sxp connections
 
SXP : Enabled
Default Password : Set
Default Source IP: 10.10.1.1
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP : 10.20.2.2
Source IP : 10.10.1.1
Conn status : On
Conn Version : 2
Connection mode : SXP Listener
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Duration since last state change: 0:00:21:25 (dd:hr:mm:sec)
Total num of SXP Connections = 1

Configuring Cisco TrustSec Reflector for Cisco TrustSec-Incapable Switching Modules

 

Note The Cisco TrustSec supervisor ingress reflector and the Cisco TrustSec egress reflector are mutually exclusive. Do not enable both functions.

Egress reflector should be disabled when ERSPAN is configured.

To configure the Cisco TrustSec supervisor ingress reflector function, perform this task.

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# [ no ] platform cts ingress

Activates the Cisco TrustSec supervisor ingress reflector.

Step 3

Router(config)# exit

Exits configuration mode.

Step 4

Router# show platform cts

Displays Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).

This example shows how to configure a Cisco TrustSec ingress reflector:

Router# configure terminal
Router(config)# platform cts ingress
Router(config)# exit
Router# show platform cts
CTS Ingress mode enabled

Note Before disabling the Cisco TrustSec ingress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.

To configure the Cisco TrustSec egress reflector function, perform this task.

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# [ no ] platform cts egress

Activates the Cisco TrustSec egress reflector.

Step 3

Router(config)# exit

Exits configuration mode.

Step 4

Router# show platform cts

Displays Cisco TrustSec reflector mode (Ingress, Egress, Pure, or No CTS).

This example shows how to configure a Cisco TrustSec egress reflector:

Router# configure terminal
Router(config)# platform cts egress
Router(config)# exit
Router# show platform cts
CTS Egress mode enabled

Note Before disabling the Cisco TrustSec egress reflector, you must remove power from the Cisco TrustSec-incapable switching modules.

Configuring Cisco TrustSec Caching

Enabling Cisco TrustSec Caching

For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.

Note During extended outages, the Cisco TrustSec cache information is likely to become outdated.

To enable Cisco TrustSec caching, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# configure terminal

Enters configuration mode.

Step 2

Router(config)# [ no ] cts cache enable

Enables caching of authentication, authorization and environment-data information to DRAM. The default is disabled.

The no form of this command deletes all cached information from DRAM and non-volatile storage.

Step 3

Router(config)# [ no ] cts cache nv-storage { bootdisk: | bootflash: | disk0: } [ directory dir-name ]

When DRAM caching is enabled, enables DRAM cache updates to be written to non-volatile storage. Also enables DRAM cache to be initially populated from non-volatile storage when the device boots.

Step 4

Router(config)# exit

Exits configuration mode.

This example shows how to configure Cisco TrustSec caching, including non-volatile storage:

Router# configure terminal
Router(config)# cts cache enable
Router(config)# cts cache nv-storage bootdisk:
Router(config)# exit

Clearing the Cisco TrustSec Cache

To clear the cache for Cisco TrustSec connections, perform this task:

Detailed Steps for Catalyst 6500

 

 
Command
Purpose

Step 1

Router# clear cts cache [ authorization-policies [ peer ] | environment-data | filename filename | interface-controller [ type slot/port ]]

Clears the cache for Cisco TrustSec connection information.

This example shows how to clear the Cisco TrustSec cache:

Router# clear cts cache