Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
784
Views
4
Helpful
6
Replies

SXP configuration

Go to solution
mnkojima
Level 1
Level 1

‎04-06-2023 07:23 AM

Hello

we are implementing TrustSec here and we have 2960x (only SXP speaker) as access switches and 9300 (enforcement) as core. I understand that, 9300 must receive IP-SGT mappings from other access switches by establishing an SXP communication with every 2960x of my network. Is that correct or there is another approach? My concern is about scalability, since we have many 2960x switches.

thank you

Marcos

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎04-11-2023 01:59 AM

This is possible but only of you enable inline tagging between the 4 x 9300's. Use SXP from 1/4 of the 2960's to 9300-1, the next 1/4 to 9300-2 etc. That way each 9300 will have mappings for each of it's 2960's. With inline tagging enabled between the 9300's, traffic will flow from the source 2960 to the source 9300, the source 9300 will be able to do a source SGT lookup (found via SXP mapping), and can propagate that inline towards the destination 9300. The destination 9300 will do a source SGT lookup, find it via inline/CMD, do a destination lookup and find it via SXP mapping, and enforce.

 

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎04-06-2023 09:06 AM

@mnkojima The 2960 do not support inline tagging, so you'd have to use SXP for the 9300 to receive the bindings from the endpoints connected to the 2960 access layer switches.

The 9300 can be an SXP listener and speaker and supports 256 SXP connnections (130 bidirectional) and a maximum of 10K ip/sgt bindings. https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-system-bulletin.pdf

How many 2960's/SXP connections and ip/sgt bindings do you envisage?

 

Go to solution
mnkojima
Level 1
Level 1
In response to Rob Ingram

‎04-10-2023 05:37 AM

Hi Rob

we have about 150 switches 2960x and, 20k ip/sgt bindings. Since we have 4 switches, I believe that we can distribute the 2960x SXP connections between those 4 switches and then create an SXP full mesh topology between them. Does it sound good?

Thank you

Marcos

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to mnkojima

‎04-10-2023 06:04 AM

@mnkojima as per the link shared above the 9300 supports a maximum of 10K IP/SGT bindings so you'd exceed the capabilities of the 9300 switch. You'd have to purchase other hardware to use as the enforcement point, a firewall (ASA/FTD) would be better than a switch for enforcement.

Go to solution
mnkojima
Level 1
Level 1

‎04-10-2023 05:38 AM

just correcting: "4 switches 9300"

0 Helpful

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎04-11-2023 01:59 AM

This is possible but only of you enable inline tagging between the 4 x 9300's. Use SXP from 1/4 of the 2960's to 9300-1, the next 1/4 to 9300-2 etc. That way each 9300 will have mappings for each of it's 2960's. With inline tagging enabled between the 9300's, traffic will flow from the source 2960 to the source 9300, the source 9300 will be able to do a source SGT lookup (found via SXP mapping), and can propagate that inline towards the destination 9300. The destination 9300 will do a source SGT lookup, find it via inline/CMD, do a destination lookup and find it via SXP mapping, and enforce.

 

Go to solution
mnkojima
Level 1
Level 1

‎04-13-2023 04:37 AM

Thank you.

Instead of having SXP connections between all of 2960 with 9300, I can have SXP connection only between ISE and 9300's can't I?

0 Helpful
Customers Also Viewed These Support Documents