Configuring SGT Exchange Protocol over TCP (SXP) and Layer 3 Transport
You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on switches in your network.
This section includes the following topics:
■Cisco TrustSec SGT Exchange Protocol Feature Histories
■Configuring Cisco TrustSec SXP
■Configuring the Default SXP Password
■Configuring the Default SXP Source IP Address
■Changing the SXP Reconciliation Period
■Changing the SXP Retry Period
■Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP
■Verifying the SXP Connections
■Configuring Cisco TrustSec Caching
Cisco TrustSec SGT Exchange Protocol Feature Histories
For a list of supported TrustSec features per platform and the minimum required Cisco IOS release, see
the Cisco TrustSec Platform Support Matrix at the following URL: (final URL posted with TS 4.0)
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
Otherwise, see product release notes for detailed feature introduction information.
Note: vrf aware sgt is currently not supported.
Configuring Cisco TrustSec SXP
To configure Cisco TrustSec SXP, follow these steps:
1. Enable the Cisco TrustSec feature (see the “Configuring Identities, Connections, and SGTs” chapter in the Cisco TrustSec Switch Configuration Guide at: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html#wpxref29406).
2. Enable Cisco TrustSec SXP (see Enabling Cisco TrustSec SXP).
3. Configure SXP peer connections (see Configuring an SXP Peer Connection).
Enabling Cisco TrustSec SXP
You must enable Cisco TrustSec SXP before you can configure peer connections. To enable Cisco TrustSec SXP, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters global configuration mode. |
2. |
Router(config)# [
no ]
cts sxp enable
|
Enables SXP for Cisco TrustSec. |
3. |
|
Exits configuration mode. |
Configuring an SXP Peer Connection
You must configure the SXP peer connection on both of the devices. One device is the speaker and the other is the listener. When using password protection, make sure to use the same password on both ends.
Note: If a default SXP source IP address is not configured and you do not configure an SXP source address in the connection, the Cisco TrustSec software derives the SXP source IP address from existing local IP addresses. The SXP source address might be different for each TCP connection initiated from the switch.
To configure the SXP peer connection, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters global configuration mode. |
2. |
Router(config)#
cts sxp connection peer
peer-ipv4-addr [
source
src-ipv4-addr ]
password
{
default |
none ]
mode
{
local |
peer } {
speaker |
listener }
[
vrf
vrf-name ]
|
Configures the SXP address connection. The optional source keyword specifies the IPv4 address of the source device. If no address is specified, the connection will use the default source address, if configured, or the address of the port. The password keyword specifies the password that SXP will use for the connection using the following options: ■ default —Use the default SXP password you configured using the cts sxp default password command. ■ none —Do not use a password. The mode keyword specifies the role of the remote peer device: ■ local —The specified mode refers to the local device. ■ peer —The specified mode refers to the peer device. ■ speaker —Default. Specifies that the device is the speaker in the connection. ■ listener —Specifies that the device is the listener in the connection. The optional vrf keyword specifies the VRF to the peer. The default is the default VRF. |
3. |
|
Exits configuration mode. |
4. |
Router#
show cts sxp connections
|
(Optional) Displays the SXP connection information. |
This example shows how to enable SXP and configure the SXP peer connection on Switch A, a speaker, for connection to Switch B, a listener:
Router# configure terminal
Router(config)# cts sxp enable
Router(config)# cts sxp default password Cisco123
Router(config)# cts sxp default source-ip 10.10.1.1
Router(config)# cts sxp connection peer 10.20.2.2 password default mode local speaker
This example shows how to configure the SXP peer connection on Switch B, a listener, for connection to Switch A, a speaker:
Router# configure terminal
Router(config)# cts sxp enable
Router(config)# cts sxp default password Cisco123
Router(config)# cts sxp default source-ip 10.20.2.2
Router(config)# cts sxp connection peer 10.10.1.1 password default mode local listener
Configuring the Default SXP Password
By default, SXP uses no password when setting up connections. You can configure a default SXP password for the switch. In Cisco IOS Release 12.2(50)SY and later releases, you can specify an encrypted password for the SXP default password.
To configure a default SXP password, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters configuration mode. |
2. |
Router(config)#
cts sxp default
password [
0 |
6 |
7 ]
password
|
Configures the SXP default password. You can enter either a clear text password (using the 0 or no option) or an encrypted password (using the 6 or 7 option). The maximum password length is 32 characters. |
3. |
|
Exits configuration mode. |
This example shows how to configure a default SXP password:
Router# configure terminal
Router(config)# cts sxp default password Cisco123
Configuring the Default SXP Source IP Address
SXP uses the default source IP address for all new TCP connections where a source IP address is not specified. There is no effect on existing TCP connections when you configure the default SXP source IP address.
To configure a default SXP source IP address, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters configuration mode. |
2. |
Router(config)#
cts sxp default source-ip
src-ip-addr
|
Configures the SXP default source IP address. |
3. |
|
Exits configuration mode. |
This example shows how to configure an SXP default source IP address:
Router# configure terminal
Router(config)# cts sxp default source-ip 10.20.2.2
Changing the SXP Reconciliation Period
After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconciliation period timer starts. While the SXP reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconciliation period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.
To change the SXP reconciliation period, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters configuration mode. |
2. |
Router(config)#
cts sxp reconciliation period
seconds
|
Changes the SXP reconciliation timer. The default value is 120 seconds (2 minutes). The range is from 0 to 64000. |
3. |
|
Exits configuration mode. |
Changing the SXP Retry Period
The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
To change the SXP retry period, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters configuration mode. |
2. |
Router(config)#
cts sxp retry period
seconds
|
Changes the SXP retry timer. The default value is 120 seconds (2 minutes). The range is from 0 to 64000. |
3. |
|
Exits configuration mode. |
Creating Syslogs to Capture Changes of IP Address to SGT Mapping Learned Through SXP
When the cts sxp log binding-changes global configuration command is executed, SXP syslogs (sev 5 syslog) are generated whenever a change to IP address to SGT binding occurs (add, delete, change). These changes are learned and propagated on the SXP connection.
The default is no cts sxp log binding-changes.
To enable logging of binding changes, perform the following task:
|
|
|
1. |
Router#
configure terminal
|
Enters configuration mode. |
2. |
Router(config)#
cts sxp log binding-changes
|
Turns on logging for IP to SGT binding changes. |
Verifying the SXP Connections
To view the SXP connections, perform this task:
|
|
|
1. |
Router#
show cts sxp connections [
brief ]
|
Displays SXP status and connections. |
This example shows how to view the SXP connections:
Router# show cts sxp connections
Default Source IP: 10.10.1.1
Connection retry open period: 10 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Connection mode : SXP Listener
TCP conn password: default SXP password
Duration since last state change: 0:00:21:25 (dd:hr:mm:sec)
Total num of SXP Connections = 1
Configuring Cisco TrustSec Caching
|
|
|
TrustSec Caching |
12.2(50) SY |
This feature was introduced on the Catalyst 6500 series switches. |
Enabling Cisco TrustSec Caching
For quick recovery from brief outages, you can enable caching of authentication, authorization, and policy information for Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory. The contents of NV memory populate DRAM during a reboot.
Note: During extended outages, the Cisco TrustSec cache information is likely to become outdated.
To enable Cisco TrustSec caching, perform this task:
|
|
|
1. |
Router#
configure terminal
|
Enters configuration mode. |
2. |
Router(config)# [
no ]
cts cache enable
|
Enables caching of authentication, authorization and environment-data information to DRAM. The default is disabled. The no form of this command deletes all cached information from DRAM and non-volatile storage. |
3. |
Router(config)# [
no ]
cts cache nv-storage {
bootdisk: |
bootflash: |
disk0: } [
directory
dir-name ]
|
When DRAM caching is enabled, enables DRAM cache updates to be written to non-volatile storage. Also enables DRAM cache to be initially populated from non-volatile storage when the device boots. |
4. |
|
Exits configuration mode. |
This example shows how to configure Cisco TrustSec caching, including non-volatile storage:
Router# configure terminal
Router(config)# cts cache enable
Router(config)# cts cache nv-storage bootdisk:
Clearing the Cisco TrustSec Cache
To clear the cache for Cisco TrustSec connections, perform this task:
|
|
|
1. |
Router#
clear cts cache [
authorization-policies
[
peer ] |
environment-data |
filename
filename |
interface-controller
[
type slot/port ]]
|
Clears the cache for Cisco TrustSec connection information. |
This example shows how to clear the Cisco TrustSec cache: