Speaker And Listener Roles On The Asa - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
About Cisco TrustSec
Tip
We recommend that you schedule policy configuration changes on the ISE during a maintenance
window, then manually refresh the security group table on the ASA to make sure the security group
changes have been incorporated.
Handling policy configuration changes in this way maximizes the chances of security group name
resolution and immediate activation of security policies.
The security group table is automatically refreshed when the environment data timer expires. You can
also trigger a security group table refresh on demand.
If a security group changes on the ISE, the following events occur when the ASA refreshes the security
group table:
•
•
•
•
•
•
•
Speaker and Listener Roles on the ASA
The ASA supports SXP to send and receive IP-SGT mapping entries to and from other network devices.
Using SXP allows security devices and firewalls to learn identity information from access switches
without the need for hardware upgrades or changes. SXP can also be used to pass IP-SGT mapping
entries from upstream devices (such as data center devices) back to downstream devices. The ASA can
receive information from both upstream and downstream directions.
When configuring an SXP connection on the ASA to an SXP peer, you must designate the ASA as a
Speaker or a Listener for that connection so that it can exchange Identity information:
•
•
Cisco ASA Series Firewall CLI Configuration Guide
6-6
Only security group policies that have been configured using security group names need to be
resolved with the security group table. Policies that include security group tags are always active.
When the security group table is available for the first time, all policies with security group names
are walked through, security group names are resolved, and policies are activated. All policies with
tags are walked through, and syslogs are generated for unknown tags.
If the security group table has expired, policies continue to be enforced according to the most
recently downloaded security group table until you clear it, or a new table becomes available.
When a resolved security group name becomes unknown on the ASA, it deactivates the security
policy; however, the security policy persists in the ASA running configuration.
If an existing security group is deleted on the PAP, a previously known security group tag can
become unknown, but no change in policy status occurs on the ASA. A previously known security
group name can become unresolved, and the policy is then inactivated. If the security group name
is reused, the policy is recompiled using the new tag.
If a new security group is added on the PAP, a previously unknown security group tag can become
known, a syslog message is generated, but no change in policy status occurs. A previously unknown
security group name can become resolved, and associated policies are then activated.
If a tag has been renamed on the PAP, policies that were configured using tags display the new name,
and no change in policy status occurs. Policies that were configured with security group names are
recompiled using the new tag value.
Speaker mode—Configures the ASA so that it can forward all active IP-SGT mapping entries
collected on the ASA to upstream devices for policy enforcement.
Listener mode—Configures the ASA so that it can receive IP-SGT mapping entries from
downstream devices (SGT-capable switches) and use that information to create policy definitions.
Chapter 6
ASA and Cisco TrustSec
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
