Cisco TrustSec Configuration Manual page 127


Chapter 7    Cisco TrustSec Command Summary
cts sxp

Release        Modification
12.2(53)SE2    This command was introduced on the Catalyst 3750(X) series switches
               (without the log binding-changes keyword).
12.2(50)SY     The mapping keyword was added.

Usage Guidelines

Once an SXP connection to a peer is configured with the cts sxp connection peer command, only the connection mode can be changed. The vrf keyword is optional. If no VRF name is provided, or the name "default" is provided, the connection is set up in the default routing or forwarding domain.

The default setting for an SXP connection password is none. Because an SXP connection is configured per peer IP address, a device with many peers can have as many SXP connections. The cts sxp default password command sets a default SXP password that can optionally be used by all SXP connections configured on the device. The SXP password can be cleartext or encrypted, selected with the 0 | 7 | 6 encrypted_key encryption type options. The default is type 0 (cleartext). If the encryption type is 6 or 7, the encryption password argument must be a valid type 6 or type 7 ciphertext. Use the no cts sxp default password command to delete the SXP password.

The cts sxp default source-ip command sets the default source IP address that SXP uses for all new TCP connections where a source IP address is not specified. Pre-existing TCP connections are not affected when this command is entered.

SXP connections are governed by three timers:
    Retry timer
    Delete Hold Down timer
    Reconciliation timer

Retry Timer
The Retry timer is triggered if there is at least one SXP connection that is not up. A new SXP connection is attempted when this timer expires. Use the cts sxp retry period command to configure this timer value. The default value is 120 seconds. The range is 0 to 64000 seconds. A zero value results in no retry being attempted.

Delete Hold Down Timer
The Delete Hold Down timer value is not configurable and is set to 120 seconds. This timer is triggered when an SXP listener connection goes down. The IP-SGT mappings learned from the down connection are deleted when this timer expires. If the down connection is restored before the Delete Hold Down timer expires, the Reconciliation timer is triggered.

Reconciliation Timer
After a peer terminates an SXP connection, an internal Delete Hold Down timer starts. If the peer reconnects before the Delete Hold Down timer expires, the SXP Reconciliation timer starts. While the SXP Reconciliation period timer is active, the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconciliation period to 0 seconds disables the timer and causes all entries from the previous connection to be removed. Use the cts sxp reconciliation period command to configure this timer.

OL-22192-01
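The Retry, Delete Hold Down and Reconciliation timer behaviour described above, as an added example that is not the guide's or Cisco's code: a small Python model of a listener's IP-SGT table driven by the three timers. Peer and IP values in the comments and checks are constructed, and reading "invalid entries" as "not re-advertised by the peer before the Reconciliation period ends" is an assumption of this model.

```python
# Constructed model, not Cisco code, of the three SXP timers in the usage
# guidelines. A listener keeps IP-to-SGT mappings per peer. Reading "invalid
# entries" as "not re-advertised by the peer before the Reconciliation period
# ends" is an assumption; times are plain seconds so the model runs offline.
DELETE_HOLD_DOWN = 120  # seconds; not configurable per the guidelines

def next_retry(down_peers, retry_period, now):
    """Retry timer: armed while any connection is down; period 0 disables it."""
    if retry_period == 0 or not down_peers:
        return None
    return now + retry_period

class SxpListener:
    def __init__(self, reconciliation_period=120):
        self.reconciliation_period = reconciliation_period
        self.mappings = {}   # peer -> {ip: sgt} learned over that connection
        self.hold_down = {}  # peer -> expiry of its Delete Hold Down timer
        self.reconcile = {}  # peer -> [expiry, ips re-learned since reconnect]

    def learn(self, peer, ip, sgt):
        self.mappings.setdefault(peer, {})[ip] = sgt
        if peer in self.reconcile:
            self.reconcile[peer][1].add(ip)

    def connection_down(self, peer, now):
        self.hold_down[peer] = now + DELETE_HOLD_DOWN

    def connection_up(self, peer, now):
        self.tick(now)  # an already expired hold down has deleted the entries
        if self.hold_down.pop(peer, None) is None:
            return  # new connection or expired hold down: nothing to reconcile
        if self.reconciliation_period == 0:
            self.mappings.pop(peer, None)  # period 0: old entries go at once
        else:
            self.reconcile[peer] = [now + self.reconciliation_period, set()]

    def tick(self, now):
        """Expire every timer whose deadline has passed."""
        for peer, expiry in list(self.hold_down.items()):
            if now >= expiry:
                del self.hold_down[peer]
                self.mappings.pop(peer, None)
        for peer, (expiry, relearned) in list(self.reconcile.items()):
            if now >= expiry:
                del self.reconcile[peer]
                old = self.mappings.get(peer, {})
                self.mappings[peer] = {ip: s for ip, s in old.items() if ip in relearned}

    def sgt_for(self, ip):
        # SGT currently applied to ip, or None once its mapping is gone
        return next((t[ip] for t in self.mappings.values() if ip in t), None)
```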
Cisco TrustSec Configuration Guide    cts sxp    7-41
