Cisco ASA Series CLI Configuration Manual page 910

Software version 9.0 for the services module
Chapter 1
Configuring the ASA to Integrate with Cisco TrustSec

Information About the ASA Integrated with Cisco TrustSec

When configuring an SXP connection on the ASA to an SXP peer, you must designate the ASA as a Speaker or a Listener for that connection so that it can exchange identity information:

• Speaker mode—configures the ASA so that it can forward all active IP-SGT mappings collected on the ASA to upstream devices for policy enforcement.
• Listener mode—configures the ASA so that it can receive IP-SGT mappings from downstream devices (SGT-capable switches) and use that information in creating policy definitions.

If one end of an SXP connection is configured as Speaker, then the other end must be configured as a Listener, and vice versa. If both devices on each end of an SXP connection are configured with the same role (either both as Speakers or both as Listeners), the SXP connection will fail and the ASA will generate a system log message.

Configuring the ASA to be both a Speaker and a Listener for an SXP connection can cause SXP looping, meaning that SXP data can be received by an SXP peer that originally transmitted it.

As part of configuring SXP on the ASA, you configure an SXP reconcile timer. After an SXP peer terminates its SXP connection, the ASA starts a hold down timer. Only SXP peers designated as Listener devices can terminate a connection. If an SXP peer connects while the hold down timer is running, the ASA starts the reconcile timer; then, the ASA updates the IP-SGT mapping database to learn the latest mappings.

Features of the ASA-Cisco TrustSec Integration

The ASA leverages Cisco TrustSec as part of its identity-based firewall feature. Integrating the ASA with Cisco TrustSec provides the following key features.

Flexibility

• The ASA can be configured as an SXP Speaker or Listener, or both. See About Speaker and Listener Roles on the ASA, page 1-5.
• The ASA supports SXP for IPv6 and IPv6-capable network devices.
• The ASA negotiates SXP versions with different SXP-capable network devices. SXP version negotiation eliminates the need for static configuration of versions.
• You can configure the ASA to refresh the security group table when the SXP reconcile timer expires, and you can download the security group table on demand. When the security group table on the ASA is updated from the ISE, changes are reflected in the appropriate security policies.
• The ASA supports security policies based on security group names in the source or destination fields, or both. You can configure security policies on the ASA based on combinations of security groups, IP address, Active Directory group/user name, and FQDN.
• You can configure security group based policies on the ASA in Active/Active and Active/Standby configurations.

Availability

• The ASA can communicate with the ISE configured for high availability (HA).
• If the PAC file downloaded from the ISE expires on the ASA and the ASA cannot download an updated security group table, the ASA continues to enforce security policies based on the last downloaded security group table until the ASA downloads an updated table.

Scalability

The ASA supports the following number of IP-SGT mapped entries:
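Returning to the Speaker and Listener roles and the hold down and reconcile timers described earlier in this section, the following ASA CLI fragment is an added example and is not configuration taken from this guide. It uses the ASA 9.0 `cts sxp` commands to pair the ASA as a Listener toward a downstream switch and as a Speaker toward an upstream device, and shows the same-role misconfiguration that the text says causes the connection to fail. The addresses 10.1.1.1, 10.1.1.10, 10.1.1.20 and the shared secret are constructed placeholders.

```cisco
! Added example (not from the Cisco guide). Addresses and the password
! are constructed placeholders.
hostname(config)# cts sxp enable
hostname(config)# cts sxp default password 0 SxpSharedSecret
hostname(config)# cts sxp default source-ip 10.1.1.1
! Hold down timer started when a Listener peer disconnects, and the
! reconcile timer started if that peer reconnects while hold down runs.
! Both values are in seconds; 120 is the platform default for each.
hostname(config)# cts sxp delete-hold-down period 120
hostname(config)# cts sxp reconciliation period 120
! Downstream switch 10.1.1.10 sends IP-SGT mappings (it is the Speaker),
! so the ASA's local role on this connection must be Listener.
hostname(config)# cts sxp connection peer 10.1.1.10 password default mode local listener
! Upstream device 10.1.1.20 consumes mappings (it is the Listener),
! so the ASA's local role on this connection is Speaker.
hostname(config)# cts sxp connection peer 10.1.1.20 password default mode local speaker
!
! Misconfiguration the text warns about: if 10.1.1.10 is a Speaker and the
! ASA is also configured as Speaker for that peer, the connection fails and
! the ASA generates a system log message. Left commented out deliberately.
! hostname(config)# cts sxp connection peer 10.1.1.10 password default mode local speaker
```

After applying the configuration, `show cts sxp connections` lists each peer with its local role and connection state; a peer whose state never reaches the established state, together with the syslog message mentioned above, is the sign of a role mismatch on one end. Configuring both a Speaker and a Listener connection to the same peer is what the text describes as the looping case and should be avoided.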