Cisco ASA Series Cli Configuration Manual page 909

Software version 9.0 for the services module
Chapter 1
Configuring the ASA to Integrate with Cisco TrustSec
Information About the ASA Integrated with Cisco TrustSec

Figure 1-2 (diagram not reproduced; its labels show the End-Point (AR), Access Switch (PEP), ASA Firewall (PEP), ISE (PDP/PAP), AD (PIP) and User, with the Authentication, SXP, Tag, Policy, Network Data Flow and Security Policy Enforcement paths between them)

1. An end-point device connects to an access layer device directly or via remote access and
authenticates with Cisco TrustSec.

2. The access layer device authenticates the end-point device with the ISE by using authentication
methods such as 802.1X or web authentication. The end-point device passes role and group
membership to classify the device into the appropriate security group.

3. The access layer device uses SXP to propagate the IP-SGT mapping to the upstream devices.

4. The ASA receives the packet. Using the IP-SGT mapping passed by SXP, the ASA looks up the
SGTs for the source and destination IP addresses.

   If the mapping is new, the ASA records it in its local IP-SGT Manager database. The IP-SGT
   Manager database, which runs in the control plane, tracks IP-SGT mappings for each IPv4 or IPv6
   address. The database records the source from which the mapping was learned. The peer IP address
   of the SXP connection is used as the source of the mapping. Multiple sources can exist for each
   IP-SGT mapping.

   If the ASA is configured as a Speaker, the ASA transmits all IP-SGT mappings to its SXP peers. See
   About Speaker and Listener Roles on the ASA, page 1-5.

5. If a security policy is configured on the ASA with that SGT or security group name, the ASA
enforces the policy. (You can create security policies on the ASA that contain SGTs or security group
names. To enforce policies based on security group names, the ASA needs the security group table
to map security group names to SGTs.)

   If the ASA cannot find a security group name in the security group table and it is included in a
   security policy, the ASA considers the security group name unknown and generates a system log
   message. When it becomes known after the ASA refreshes the security group table from the ISE, the
   ASA generates a system log message indicating that the security group name is known.

About Speaker and Listener Roles on the ASA

The ASA supports SXP to send and receive IP-SGT mappings to and from other network devices.
Employing SXP allows security devices and firewalls to learn identity information from access switches
without the need for hardware upgrades or changes. SXP can also be used to pass IP-SGT mappings from
upstream devices (such as datacenter devices) back to the downstream devices. The ASA can receive
information from both upstream and downstream directions.

Cisco ASA Series CLI Configuration Guide
1-5
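The following Python model is an added illustration of steps 4 and 5 above; it is not Cisco code and does not reproduce the ASA's implementation. It shows the shape of the IP-SGT Manager database (one SGT per IPv4/IPv6 address, with every SXP peer the mapping was learned from recorded as a source, and an export of all mappings as a Speaker would advertise them) and of policy lookup by SGT or by security group name, including the unknown-name log message and the follow-up message after a security group table refresh. All class names, the rule format, the log wording, the sample addresses and SGT values are constructed for the example; treating a rule whose security group name is unknown as non-matching is also an assumption of the example, since the page only states that the ASA logs the unknown name.

```python
"""Toy model of the ASA IP-SGT Manager database and SGT-based policy lookup.
Added example; not Cisco code. Names, messages and sample values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union


class IpSgtManager:
    """Tracks the SGT for each IPv4/IPv6 address and the SXP peers it was learned from."""

    def __init__(self) -> None:
        self._sgt: Dict[str, int] = {}          # normalised address -> SGT
        self._sources: Dict[str, Set[str]] = {}  # normalised address -> peer IPs

    def learn(self, ip: str, sgt: int, peer_ip: str) -> bool:
        """Record a mapping received over SXP from peer_ip. Returns True if it was new."""
        addr = str(ipaddress.ip_address(ip))  # validates and normalises v4/v6 text
        is_new = addr not in self._sgt
        self._sgt[addr] = sgt
        self._sources.setdefault(addr, set()).add(peer_ip)  # several sources may exist
        return is_new

    def lookup(self, ip: str) -> Optional[int]:
        """SGT for an address, or None if no mapping has been learned."""
        return self._sgt.get(str(ipaddress.ip_address(ip)))

    def sources(self, ip: str) -> Set[str]:
        return set(self._sources.get(str(ipaddress.ip_address(ip)), set()))

    def export(self) -> Dict[str, int]:
        """Every mapping, as a Speaker would send them to its SXP peers."""
        return dict(self._sgt)


@dataclass
class Rule:
    src: Union[int, str]  # an SGT number or a security group name
    dst: Union[int, str]
    action: str           # "permit" or "deny"


class PolicyEngine:
    """Resolves security group names through a name -> SGT table and evaluates rules."""

    def __init__(self, manager: IpSgtManager, group_table: Dict[str, int]) -> None:
        self.manager = manager
        self.group_table = dict(group_table)  # as last refreshed from the ISE
        self.unknown_names: Set[str] = set()
        self.syslog: List[str] = []           # constructed log wording

    def refresh_group_table(self, table: Dict[str, int]) -> None:
        self.group_table = dict(table)
        for name in sorted(self.unknown_names):
            if name in self.group_table:
                self.syslog.append(f"security group name {name} is now known "
                                   f"(SGT {self.group_table[name]})")
                self.unknown_names.discard(name)

    def _resolve(self, ref: Union[int, str]) -> Optional[int]:
        if isinstance(ref, int):
            return ref
        sgt = self.group_table.get(ref)
        if sgt is None and ref not in self.unknown_names:
            self.unknown_names.add(ref)  # log once per unknown name
            self.syslog.append(f"security group name {ref} unknown; rule cannot match")
        return sgt

    def evaluate(self, rules: List[Rule], src_ip: str, dst_ip: str,
                 default: str = "permit") -> str:
        src_sgt, dst_sgt = self.manager.lookup(src_ip), self.manager.lookup(dst_ip)
        for rule in rules:
            rs, rd = self._resolve(rule.src), self._resolve(rule.dst)
            if rs is None or rd is None:
                continue  # assumption: an unresolvable name never matches
            if rs == src_sgt and rd == dst_sgt:
                return rule.action
        return default


def run_demo():
    """Constructed walk-through: learn mappings, evaluate before and after a table refresh."""
    mgr = IpSgtManager()
    mgr.learn("10.1.1.5", 10, "192.0.2.1")      # learned from access switch peer
    mgr.learn("10.1.1.5", 10, "192.0.2.2")      # same mapping, second SXP source
    mgr.learn("2001:db8::7", 20, "192.0.2.9")   # IPv6 mapping from a datacenter peer
    engine = PolicyEngine(mgr, {"Employees": 10})   # "Servers" not yet in the table
    rules = [Rule("Employees", "Servers", "deny"), Rule(10, 20, "permit")]
    before = engine.evaluate(rules, "10.1.1.5", "2001:DB8::7")
    engine.refresh_group_table({"Employees": 10, "Servers": 20})
    after = engine.evaluate(rules, "10.1.1.5", "2001:DB8::7")
    return before, after, list(engine.syslog), mgr.sources("10.1.1.5")


if __name__ == "__main__":
    print(run_demo())
```

The first evaluation permits the flow because the name-based deny rule cannot be resolved and the numeric rule matches; once the refreshed table supplies the SGT for "Servers", the same rule list denies it. This is the reason the text stresses refreshing the security group table from the ISE: a policy written with names is only as complete as the current name-to-SGT table.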