Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport
You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on switches in your network.
This section includes the following topics:
■ Cisco TrustSec SGT Exchange Protocol Feature Histories
■ Configuring Cisco TrustSec SXP
■ Configuring the Default SXP Password
■ Configuring the Default SXP Source IP Address
■ Changing the SXP Reconciliation Period
■ Changing the SXP Retry Period
■ Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP
■ Verifying the SXP Connections
■ Configuring Cisco TrustSec Caching
Cisco TrustSec SGT Exchange Protocol Feature Histories
For a list of supported TrustSec features per platform and the minimum required Cisco IOS release, see the Cisco TrustSec Platform Support Matrix at http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html. Otherwise, see the product release notes for detailed feature introduction information.
Configuring Cisco TrustSec SXP
To configure Cisco TrustSec SXP, follow these steps:
1. Enable the Cisco TrustSec feature (see the “Configuring Identities, Connections, and SGTs” chapter in the Cisco TrustSec Switch Configuration Guide at: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#wpxref29406).
2. Enable Cisco TrustSec SXP (see Enabling Cisco TrustSec SXP).
3. Configure SXP peer connections (see Configuring an SXP Peer Connection).
Enabling Cisco TrustSec SXP
You must enable Cisco TrustSec SXP before you can configure peer connections. To enable Cisco TrustSec SXP, perform this task:
Configuring an SXP Peer Connection
You must configure the SXP peer connection on both of the devices. One device is the speaker and the other is the listener. When using password protection, make sure to use the same password on both ends.
Note: If a default SXP source IP address is not configured and you do not configure an SXP source address in the connection, the Cisco TrustSec software derives the SXP source IP address from existing local IP addresses. The SXP source address might be different for each TCP connection initiated from the switch.
To configure the SXP peer connection, perform this task:
This example shows how to enable SXP and configure the SXP peer connection on Switch A, a speaker, for connection to Switch B, a listener:
This example shows how to configure the SXP peer connection on Switch B, a listener, for connection to Switch A, a speaker:
Configuring the Default SXP Password
By default, SXP uses no password when setting up connections. You can configure a default SXP password for the switch. In Cisco IOS Release 12.2(50)SY and later releases, you can specify an encrypted password for the SXP default password.
To configure a default SXP password, perform this task:
This example shows how to configure a default SXP password:
Configuring the Default SXP Source IP Address
SXP uses the default source IP address for all new TCP connections where a source IP address is not specified. There is no effect on existing TCP connections when you configure the default SXP source IP address.
To configure a default SXP source IP address, perform this task:
This example shows how to configure an SXP default source IP address:
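The following is an added configuration example, not taken from this guide, that ties together the tasks in the sections above: it enables SXP on two switches, sets a default SXP password and a default SXP source IP address on each, and builds a speaker/listener connection between them. The addresses 10.1.1.1 (Switch A), 10.1.1.2 (Switch B) and the password value are constructed placeholders.

```cisco
! ---- Switch A (speaker): sends its IP-to-SGT bindings to Switch B ----
! Constructed example values: 10.1.1.1 = Switch A, 10.1.1.2 = Switch B.
Switch-A# configure terminal
Switch-A(config)# cts sxp enable
! Default password, used by every connection configured with "password default".
! Type 0 = entered in cleartext; SXP-Pass-Placeholder is a placeholder value.
Switch-A(config)# cts sxp default password 0 SXP-Pass-Placeholder
! Pin the source address so the peer always sees the expected address instead
! of whichever local address the switch derives for each TCP connection.
Switch-A(config)# cts sxp default source-ip 10.1.1.1
! "password default" authenticates the session with the default password;
! "password none" would accept an unauthenticated peer, which is the setting
! to avoid because a listener trusts whatever bindings the speaker sends.
Switch-A(config)# cts sxp connection peer 10.1.1.2 password default mode local speaker
Switch-A(config)# end

! ---- Switch B (listener): receives and installs the bindings ----
Switch-B# configure terminal
Switch-B(config)# cts sxp enable
! Must match Switch A's default password exactly.
Switch-B(config)# cts sxp default password 0 SXP-Pass-Placeholder
Switch-B(config)# cts sxp default source-ip 10.1.1.2
! "mode local listener" on this side is equivalent to "mode peer speaker".
Switch-B(config)# cts sxp connection peer 10.1.1.1 password default mode local listener
Switch-B(config)# end
```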
Changing the SXP Reconciliation Period
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconciliation period timer starts. While the SXP reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconciliation period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.
To change the SXP reconciliation period, perform this task:
Changing the SXP Retry Period
The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
To change the SXP retry period, perform this task:
Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP
When the cts sxp log binding-changes global configuration command is configured, SXP generates a syslog message (severity 5) whenever an IP address to SGT binding is added, deleted, or changed. These are the bindings learned and propagated over the SXP connection.
The default is no cts sxp log binding-changes.
To enable logging of binding changes, perform the following task:
Verifying the SXP Connections
To view the SXP connections, perform this task:
This example shows how to view the SXP connections:
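The following is an added example, not taken from this guide, that covers the reconciliation period, retry period, binding-change logging and verification sections above on one switch. The hostname Switch-B and the timer values are constructed; the same commands apply on the speaker side.

```cisco
! Constructed example: applied on the listener, Switch-B.
Switch-B# configure terminal
! Reconciliation: if a peer drops and returns within the hold-down, keep the
! bindings learned from the old session for 60 s while invalid entries are
! removed (default 120). A value of 0 discards all of the old session's
! bindings as soon as the peer reconnects.
Switch-B(config)# cts sxp reconciliation period 60
! Retry: attempt to re-establish a failed connection every 30 s (default 120).
! A value of 0 disables retries, so a failed connection is not rebuilt.
Switch-B(config)# cts sxp retry period 30
! Generate a severity-5 syslog for every IP-to-SGT binding added, deleted or
! changed over SXP; forwarding these to the SIEM makes unexpected SGT
! reassignments visible.
Switch-B(config)# cts sxp log binding-changes
Switch-B(config)# end
! Verify each peer connection (mode, password type, connection status) and the
! effective timer values.
Switch-B# show cts sxp connections
! Confirm the IP-to-SGT bindings that were actually installed and their source.
Switch-B# show cts role-based sgt-map all
```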
Configuring Cisco TrustSec Caching
This feature was introduced on the Catalyst 6500 series switches.
Enabling Cisco TrustSec Caching
For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.
Note: During extended outages, the Cisco TrustSec cache information is likely to become outdated.
To enable Cisco TrustSec caching, perform this task:
This example shows how to configure Cisco TrustSec caching, including non-volatile storage:
Clearing the Cisco TrustSec Cache
To clear the cache for Cisco TrustSec connections, perform this task:
This example shows how to clear the Cisco TrustSec cache: