{"id":2868,"date":"2026-01-16T23:08:00","date_gmt":"2026-01-16T23:08:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2868"},"modified":"2026-02-05T19:20:33","modified_gmt":"2026-02-05T19:20:33","slug":"87-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2868","title":{"rendered":"87 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n

ISE – SGT, and SXP<\/mark><\/h2>\n\n\n\n

In the world of modern networking, the old-school method of relying solely on IP addresses and VLANs for security is becoming obsolete. As users move between offices, use multiple devices, and access cloud resources, managing thousands of Access Control Lists (ACLs) becomes a nightmare.<\/p>\n\n\n\n

This is where Cisco TrustSec<\/strong> steps in, transforming how we enforce policy through Scalable Group Tags (SGTs)<\/strong> and the SGT Exchange Protocol (SXP)<\/strong>.<\/p>\n\n\n\n

The Core Concepts<\/mark><\/h2>\n\n\n\n

To understand the solution, we need to break down the three pillars:<\/p>\n\n\n\n

    \n
  • ISE (Identity Services Engine):<\/strong>\u00a0The “Brain” of the operation. It authenticates users and devices, assigning them a specific role based on context (Who, What, Where, and How).<\/li>\n\n\n\n
  • SGT (Scalable Group Tag):<\/strong>\u00a0A 16-bit value inserted into the Ethernet frame. Instead of saying “IP 10.1.1.5 is blocked,” we say “The\u00a0SGT: Finance<\/strong>\u00a0is blocked from accessing\u00a0SGT: HR<\/strong>.” Security is now based on\u00a0Identity<\/strong>, not location.<\/li>\n\n\n\n
  • SXP (SGT Exchange Protocol):<\/strong>\u00a0Not all hardware can read SGT tags in the hardware (ASIC) level. SXP is a control-plane protocol that “speaks” for these older or incompatible devices, carrying the IP-to-SGT mappings across the network so policy can still be enforced.<\/li>\n<\/ul>\n\n\n\n
    \n\n\n\n

    How They Work Together<\/mark><\/h2>\n\n\n\n
      \n
    1. Authentication:<\/strong>\u00a0A user logs into the network via a switch or WLC.<\/li>\n\n\n\n
    2. Classification:<\/strong>\u00a0ISE authenticates the user and pushes an\u00a0SGT<\/strong>\u00a0(e.g., Tag 10) to the NAD (Network Access Device).<\/li>\n\n\n\n
    3. Propagation:<\/strong>\u00a0The switch tags the traffic. If the path to the destination involves “non-TrustSec” devices,\u00a0SXP<\/strong>\u00a0creates a TCP tunnel to share the IP-to-SGT binding with the next “TrustSec-aware” hop.<\/li>\n\n\n\n
    4. Enforcement:<\/strong>\u00a0At the egress point (closest to the resource), the device checks the\u00a0Security Group ACL (SGACL)<\/strong>\u00a0and decides whether to permit or deny the traffic based on the source and destination tags.<\/li>\n<\/ol>\n\n\n\n
      \n\n\n\n

      Use Case: The “Guest vs. Employee” Conflict<\/mark><\/h2>\n\n\n\n

      Imagine a hospital environment. Doctors need access to Patient Records, while Guests only need Internet access. Both are connected to the same physical switch.<\/p>\n\n\n\n

        \n
      • Without SGTs:<\/strong>\u00a0You would need complex VRFs or hundreds of lines of ACLs updated every time a subnet changes.<\/li>\n\n\n\n
      • With SGTs:<\/strong>\u00a0ISE identifies the Doctor and assigns\u00a0SGT 5<\/strong>. It identifies the Guest and assigns\u00a0SGT 15<\/strong>. A single policy is written:\u00a0Source SGT 15 to Destination SGT 5 = DENY<\/code>. It doesn’t matter which floor they are on or what their IP address is; the policy follows the identity.<\/li>\n<\/ul>\n\n\n\n
        \n\n\n\n

        Advantages of Using SXP and SGT<\/mark><\/h2>\n\n\n\n
        Feature<\/th>Benefit<\/th><\/tr>
        Topology Independence<\/strong><\/td>Policies are decoupled from IP subnets and VLANs.<\/td><\/tr>
        Reduced Complexity<\/strong><\/td>Replaces thousands of lines of traditional ACLs with a simple matrix.<\/td><\/tr>
        Scalability<\/strong><\/td>Adding a new branch doesn’t require updating ACLs at the Data Centre.<\/td><\/tr>
        Legacy Support<\/strong><\/td>SXP<\/strong> allows you to implement modern security even on older hardware that doesn’t support inline tagging.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
        \n\n\n\n

        Sample Configuration (CLI)<\/mark><\/h2>\n\n\n\n

        Below is a simplified look at how you enable SXP and define a local SGT mapping on a Cisco IOS-XE switch.<\/p>\n\n\n\n

        1. Enable SXP and define a Peering (e.g., with ISE):<\/strong><\/p>\n\n\n\n

        # Enable SXP globally<\/em>\ncts sxp enable\n\n# Configure the connection to ISE (the SXP Speaker)<\/em>\ncts sxp default source-ip 192.168.10.1\ncts sxp connection peer 192.168.10.100 password default mode local speaker\n<\/code><\/pre>\n\n\n\n
        2. Manual IP-to-SGT Mapping (for static resources like Servers):<\/strong><\/p>\n\n\n\n
        # Assign SGT 10 to a specific server IP<\/em>\ncts role-based identity-map static sgt 10 address 10.1.1.50\n<\/code><\/pre>\n\n\n\n
        3. Applying an SGACL (Enforcement):<\/strong><\/p>\n\n\n\n
        # Traffic from SGT 15 (Guest) to SGT 10 (Server)<\/em>\nip access-list role-based BLOCK_GUEST\n deny ip\n\n# Apply the policy<\/em>\ncts role-based permissions from 15 to 10 ipv4 BLOCK_GUEST\n<\/code><\/pre>\n\n\n\n
        Summary<\/mark><\/h2>\n\n\n\n
        The combination of ISE, SGT, and SXP<\/strong> moves security from a “network-centric” model to an “identity-centric” model. It simplifies administration, reduces the risk of human error in ACL management, and ensures that security policies remain consistent regardless of how the network grows.<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        Happy Labingggggggggggggggggggggggg!<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
        ISE – SGT, and SXP In the world of modern networking, the old-school method of relying solely on IP addresses and VLANs for security is becoming obsolete. As users move between offices, use multiple devices, and access cloud resources, managing thousands of Access Control Lists (ACLs) becomes a nightmare. This is where Cisco TrustSec steps in, transforming […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2,6],"tags":[],"class_list":["post-2868","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco","category-security"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2868"}],"version-history":[{"count":2,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2868\/revisions"}],"predecessor-version":[{"id":2871,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2868\/revisions\/2871"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}