Layer 3 Sgt Transport For Spanning Non-Trustsec Regions - Cisco TrustSec Configuration Manual


Using Cisco TrustSec-Incapable Devices and Networks in a Cisco TrustSec Network

You must manually configure an SXP connection between a peer without Cisco TrustSec hardware support and a peer with Cisco TrustSec hardware support. The following tasks are required when configuring the SXP connection:

• If you require SXP data integrity and authentication, you must configure the same SXP password on both peer devices. You can configure the SXP password either explicitly for each peer connection or globally for the device. Although an SXP password is not required, we recommend its use.

• You must configure each peer on the SXP connection as either an SXP speaker or an SXP listener. The speaker device distributes the IP-to-SGT mapping information to the listener device.

• You can specify a source IP address to use for each peer relationship, or you can configure a default source IP address for peer connections where you have not configured a specific source IP address. If you do not specify any source IP address, the device will use the interface IP address of the connection to the peer.

SXP allows multiple hops. That is, if the peer of a device lacking Cisco TrustSec hardware support also lacks Cisco TrustSec hardware support, the second peer can have an SXP connection to a third peer, continuing the propagation of the IP-to-SGT mapping information until a hardware-capable peer is reached. A device can be configured as an SXP listener for one SXP connection and as an SXP speaker for another SXP connection.

A Cisco TrustSec device maintains connectivity with its SXP peers by using the TCP keepalive mechanism. To establish or restore a peer connection, the device will repeatedly attempt the connection setup using a configurable retry period until the connection is successful or until the connection is removed from the configuration.

Layer 3 SGT Transport for Spanning Non-TrustSec Regions

When a packet leaves the Cisco TrustSec domain for a non-TrustSec destination, the egress Cisco TrustSec device removes the Cisco TrustSec header and SGT before forwarding the packet to the outside network. If, however, the packet is merely traversing a non-TrustSec domain on the path to another Cisco TrustSec domain, as shown in Figure 1-7, the SGT can be preserved by using the Cisco TrustSec Layer 3 SGT Transport feature. In this feature, the egress Cisco TrustSec device encapsulates the packet with an ESP header that includes a copy of the SGT. When the encapsulated packet arrives at the next Cisco TrustSec domain, the ingress Cisco TrustSec device removes the ESP encapsulation and propagates the packet with its SGT.

Cisco TrustSec Configuration Guide, Chapter 1 Cisco TrustSec Overview, OL-22192-01, page 1-14
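The three SXP connection tasks listed in the section above (shared password, speaker/listener role, source IP with the default-source-ip fallback) can be checked mechanically against a device's running configuration. The following auditor is an added example, not code from the Cisco guide; it assumes the IOS "cts sxp" CLI syntax shown in the constructed sample config, and the peer addresses and password are made up.

```python
import re

# Constructed running-config excerpt (not taken from the guide). The command
# syntax is the IOS "cts sxp" CLI; the addresses and password are made up.
SAMPLE_CONFIG = """
cts sxp enable
cts sxp default password example-only
cts sxp default source-ip 10.0.0.1
cts sxp retry period 60
cts sxp connection peer 10.0.0.2 password default mode local listener
cts sxp connection peer 10.0.0.3 source 10.0.1.1 password none mode local speaker
cts sxp connection peer 10.0.0.4 password default mode peer speaker
"""

PEER_RE = re.compile(
    r"^cts sxp connection peer (?P<peer>\S+)(?: source (?P<source>\S+))?"
    r" password (?P<password>default|none)"
    r" mode (?P<side>local|peer) (?P<role>speaker|listener)$"
)

def audit_sxp(config):
    """Check every SXP peer connection against the three tasks the guide
    lists: a password on the connection, a speaker/listener role, and a
    source IP (explicit, or the global default source-ip)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has_default_pw = any(l.startswith("cts sxp default password ") for l in lines)
    default_src = next((l.split()[-1] for l in lines
                        if l.startswith("cts sxp default source-ip ")), None)
    peers = {}
    for line in lines:
        if not line.startswith("cts sxp connection peer "):
            continue
        m = PEER_RE.match(line)
        if m is None:  # role or password keyword missing: cannot tell who speaks
            peers[line.split()[4]] = {"local_role": None, "source": None,
                                      "issues": ["unparsable peer line (mode/password missing)"]}
            continue
        # "mode local X" states this device's role; "mode peer X" states the peer's
        local_role = m["role"] if m["side"] == "local" else (
            "listener" if m["role"] == "speaker" else "speaker")
        issues = []
        if m["password"] == "none":
            issues.append("no SXP password: no integrity or authentication on this connection")
        elif not has_default_pw:
            issues.append("'password default' but no 'cts sxp default password' is set")
        source = m["source"] or default_src
        if source is None:
            issues.append("no source IP: the interface address toward the peer will be used")
        peers[m["peer"]] = {"local_role": local_role, "source": source, "issues": issues}
    return {"enabled": "cts sxp enable" in lines, "peers": peers}
```

Run against the sample, only the 10.0.0.3 connection is reported, because it was configured with "password none"; the other two inherit the global default password and source IP.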
