Cisco ASA Series CLI Configuration Guide
 
Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
Information About the ASA Integrated with Cisco TrustSec
When configuring an SXP connection on the ASA to an SXP peer, you must designate the ASA as a 
Speaker or a Listener for that connection so that it can exchange identity information:
• Speaker mode—configures the ASA so that it can forward all active IP-SGT mappings collected on 
the ASA to upstream devices for policy enforcement.
• Listener mode—configures the ASA so that it can receive IP-SGT mappings from downstream 
devices (SGT-capable switches) and use that information in creating policy definitions.
If one end of an SXP connection is configured as Speaker, then the other end must be configured as a 
Listener, and vice versa. If both devices on each end of an SXP connection are configured with the same 
role (either both as Speakers or both as Listeners), the SXP connection will fail and the ASA will 
generate a system log message.
Configuring the ASA to be both a Speaker and a Listener for an SXP connection can cause SXP looping, 
meaning that SXP data can be received by the SXP peer that originally transmitted it. 
As part of configuring SXP on the ASA, you configure an SXP reconcile timer. After an SXP peer 
terminates its SXP connection, the ASA starts a hold down timer. Only SXP peers designated as Listener 
devices can terminate a connection. If an SXP peer connects while the hold down timer is running, the 
ASA starts the reconcile timer; then, the ASA updates the IP-SGT mapping database to learn the latest 
mappings. 
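The role pairing and reconcile timer described above, as an added configuration example that is not taken from this guide; the addresses, password, timer values, and the IOS-style switch-side commands are assumptions:

```cisco
! ASA side (constructed example). The upstream switch acts as the Speaker
! for this connection, so the ASA must be the Listener.
cts sxp enable
cts sxp default password MyS3cretSxpPassword
cts sxp default source-ip 192.0.2.1
cts sxp retry period 60
! Reconcile timer: after a peer reconnects during the hold-down period,
! the ASA waits this long before refreshing IP-SGT mappings learned from it.
cts sxp reconciliation period 120
cts sxp connection peer 192.0.2.10 password default mode local listener

! Switch side (assumed IOS syntax, shown for the matching role only).
! The roles must be opposite; if this line also said "listener", both ends
! would be Listeners, the connection would fail and the ASA would log it.
cts sxp enable
cts sxp default password MyS3cretSxpPassword
cts sxp connection peer 192.0.2.1 password default mode local speaker
```

On the ASA, `show cts sxp connections` reports the connection state and the local role, which is the quickest way to confirm the two ends are paired correctly.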
Features of the ASA-Cisco TrustSec Integration
The ASA leverages Cisco TrustSec as part of its identity-based firewall feature. Integrating the ASA 
with Cisco TrustSec provides the following key features.
Flexibility
• The ASA can be configured as an SXP Speaker or Listener, or both.
See About Speaker and Listener Roles on the ASA, page 1-5. 
• The ASA supports SXP for IPv6 and IPv6-capable network devices. 
• The ASA negotiates SXP versions with different SXP-capable network devices. SXP version 
negotiation eliminates the need for static configuration of versions. 
• You can configure the ASA to refresh the security group table when the SXP reconcile timer expires 
and you can download the security group table on demand. When the security group table on the 
ASA is updated from the ISE, changes are reflected in the appropriate security policies.
• The ASA supports security policies based on security group names in the source or destination 
fields, or both. You can configure security policies on the ASA based on combinations of security 
groups, IP address, Active Directory group/user name, and FQDN.
Availability
• You can configure security group based policies on the ASA in Active/Active and Active/Standby 
configurations.
• The ASA can communicate with the ISE configured for high availability (HA). 
• If the PAC file downloaded from the ISE expires on the ASA and the ASA cannot download an 
updated security group table, the ASA continues to enforce security policies based on the last 
downloaded security group table until the ASA downloads an updated table.
Scalability
The ASA supports the following number of IP-SGT mapped entries: