Cisco ASA Series Configuration Manual page 94

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Guidelines for Cisco TrustSec

IPv6

- The ASA supports SXP for IPv6 and for IPv6-capable network devices. The AAA server must use an IPv4 address.

Layer 2 SGT Imposition

- Supported only on physical interfaces, VLAN interfaces, port-channel interfaces, and redundant interfaces.
- Not supported on logical interfaces or virtual interfaces, such as BVI.
- Does not support link encryption using SAP negotiation and MACsec.
- Not supported on failover links.
- Not supported on cluster control links.
- The ASA does not reclassify existing flows if the SGT is changed. Any policy decisions that were made based on the previous SGT remain in force for the life of the flow. However, the ASA can immediately reflect SGT changes on egress packets, even if the packets belong to a flow whose classification was based on a previous SGT.
- The hardware architecture of the ASA 5585-X is designed to load balance regular packets in an optimal way, but this is not the case for inline tagged packets with Layer 2 Security Group Tagging Imposition. Significant performance degradation on the ASA 5585-X may occur when it processes incoming inline tagged packets. This issue does not occur with inline tagged packets on other ASA platforms, nor with untagged packets on the ASA 5585-X. One workaround is to offload access policies so that as few inline tagged packets as possible reach the ASA 5585-X, allowing the switches to handle tagged policy enforcement. Another workaround is to use SXP so that the ASA 5585-X can map IP addresses to security group tags without needing to receive tagged packets.
- The ASASM does not support Layer 2 Security Group Tagging Imposition.

Additional Guidelines

- Cisco TrustSec supports the Smart Call Home feature in single-context and multiple-context mode, but not in the system context.
- The ASA can be configured to interoperate in only a single Cisco TrustSec domain.
- The ASA does not support static configuration of SGT-name mapping on the device.
- NAT is not supported in SXP messages.
- SXP conveys IP-SGT mappings to enforcement points in the network. If an access-layer switch belongs to a different NAT domain than the enforcement point, the IP-SGT map that it uploads is invalid, and an IP-SGT mapping database lookup on the enforcement device does not yield valid results. As a result, the ASA cannot apply security group-aware security policy on the enforcement device.
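The NAT guideline above is easiest to see by tracing one binding through two addressing realms. The following Python model is an added illustration, not code from the Cisco guide or from the ASA: a speaker (access-layer switch) learns an IP-SGT binding and advertises it over SXP unchanged, while the packet itself is translated when it crosses a NAT boundary, so the listener's database lookup misses. The addresses, the SGT value 20, the static NAT entry and the class names are all constructed for this example.

```python
"""Model of why NAT breaks SXP-learned IP-SGT mappings (added illustration,
not code from the Cisco guide). Addresses, SGT values and the static NAT
entry below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class NatDomain:
    """An addressing realm. 'translations' holds constructed static NAT
    entries (inside address -> outside address) applied when a packet
    leaves this domain. SXP messages are never translated."""
    name: str
    translations: Dict[str, str] = field(default_factory=dict)

    def translate(self, ip: str) -> str:
        # Addresses without a NAT entry leave the domain unchanged.
        return self.translations.get(ip, ip)


@dataclass
class SxpSpeaker:
    """Access-layer switch: learns IP-SGT bindings and advertises them
    unchanged over SXP, keyed on the addresses it sees locally."""
    domain: NatDomain
    bindings: Dict[str, int] = field(default_factory=dict)

    def learn(self, ip: str, sgt: int) -> None:
        self.bindings[ip] = sgt

    def sxp_update(self) -> Dict[str, int]:
        # SXP carries the raw binding table; NAT is not represented.
        return dict(self.bindings)


@dataclass
class EnforcementPoint:
    """SXP listener such as the ASA: installs received bindings in its
    IP-SGT database and classifies traffic by the source address it
    observes on its own interface."""
    domain: NatDomain
    ip_sgt_db: Dict[str, int] = field(default_factory=dict)

    def receive_sxp(self, update: Dict[str, int]) -> None:
        self.ip_sgt_db.update(update)

    def lookup(self, observed_src: str) -> Optional[int]:
        return self.ip_sgt_db.get(observed_src)


def classify(speaker: SxpSpeaker, enforcer: EnforcementPoint,
             src_ip: str) -> Optional[int]:
    """SGT the enforcer resolves for a packet sent by src_ip (the address as
    known on the speaker side). If the two devices sit in different NAT
    domains, the packet is translated on the way but the SXP binding is not,
    so the database lookup misses and returns None."""
    enforcer.receive_sxp(speaker.sxp_update())
    if speaker.domain is enforcer.domain:
        observed = src_ip
    else:
        observed = speaker.domain.translate(src_ip)
    return enforcer.lookup(observed)


def demo() -> Dict[str, Optional[int]]:
    """Same binding, two enforcement points: one in the switch's NAT domain,
    one across the NAT boundary."""
    dc = NatDomain("datacenter", {"10.1.1.5": "203.0.113.5"})  # constructed NAT entry
    campus = NatDomain("campus")
    switch = SxpSpeaker(dc)
    switch.learn("10.1.1.5", 20)  # constructed binding: server -> SGT 20
    asa_same_domain = EnforcementPoint(dc)
    asa_other_domain = EnforcementPoint(campus)
    return {
        "same_nat_domain": classify(switch, asa_same_domain, "10.1.1.5"),
        "across_nat": classify(switch, asa_other_domain, "10.1.1.5"),
    }


if __name__ == "__main__":
    print(demo())  # {'same_nat_domain': 20, 'across_nat': None}
```

The `across_nat` result is the failure the guideline describes: the enforcement point holds a binding for 10.1.1.5 but only ever observes 203.0.113.5, so no security group-aware policy can match. The practical check is that every SXP speaker feeding an enforcement point must learn its bindings in that enforcement point's NAT domain.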
- You can configure a default password for the ASA to use for SXP connections, or you can choose not to use a password; however, connection-specific passwords are not supported for SXP peers. The configured default SXP password should be consistent across the deployment network. If you configure a connection-specific password, connections may fail and a warning message appears. If you configure a connection to use the default password but no default password is configured, the result is the same as configuring the connection with no password.
- SXP connection loops can form when a device has bidirectional connections to a peer or is part of a unidirectionally connected chain of devices. (The ASA can learn IP-SGT mappings for resources from the access layer in the data center. The ASA might need to propagate these tags to downstream
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 6: ASA and Cisco TrustSec, page 6-12