SEC0063 - ISE 1.1 Security Group Access (SGA) with ASA 9.1 TrustSec (Part 2)

The video demonstrates Cisco TrustSec support on Cisco ASA 9.1 with Cisco ISE. This lab is based on a 3750 switch that is not TrustSec hardware-capable but can communicate IP-to-SGT mappings to the ASA via the SGT Exchange Protocol (SXP). We will construct an ACL based on SGTs using the new Security object group. Cisco ISE is used mainly to provide user authentication, SGT assignment, and the SGT-to-Name mapping to the ASA, although we will also go over the remaining web interfaces for Security Group Access (SGA) and what you would need to configure to support a complete TrustSec implementation.

In part 2, we will configure SXP communication between the switch and the ASA, and integrate the ASA with Cisco ISE to download the SGT-to-Name mapping table. We will then construct an ACL on the ASA and perform testing.

Topics:

  • Security Group Access (SGA)
  • Security Group ACL (SGACL)
  • Security Group Tag (SGT)
  • SGT Exchange Protocol (SXP)
  • SGT-to-Name Mapping
  • Cisco TrustSec support on ASA 9.1
  • SXP Config on a Switch and ASA
  • Security Object Group

Notes:

  • SXP uses TCP port 64999, so it can work across multiple hops


About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.
