Cisco ASA 5545-X Adaptive Security Appliance - No Payload Encryption Release Notes

Release Notes for the Cisco ASA Device Package Software, Version 1.2(5.21) for ACI
  New Features in 1.2(5.5)
Configuring SGT-to-IP address role-based mapping manually
Security groups in an access control entry to leverage SGT-to-IP mapping
Security object group
In the example below, only IP addresses that belong to the Security Group “Engineering” are allowed to access EPG App; all other Security Groups are denied.
Figure 1-1 Example Configuration
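The three features listed above, combined in ASA CLI form for the Engineering-to-EPG-App case. This is an added illustration, not the figure or configuration from the Cisco release notes. The host addresses, SGT value 100, object-group and ACL names, the EPG App subnet and the interface name are all constructed, and it assumes the ISE maps the name Engineering to tag 100.

```cisco
! Constructed values (assumptions, not from the release notes):
!   10.10.1.11, 10.10.1.12  = hosts in Security Group "Engineering"
!   SGT 100                 = tag the ISE assigns to "Engineering"
!   192.0.2.0/24            = subnet behind EPG App
!   externalIf              = consumer-side interface name

! 1. SGT-to-IP role-based mapping, configured manually per host.
cts role-based sgt-map 10.10.1.11 sgt 100
cts role-based sgt-map 10.10.1.12 sgt 100

! 2. Security object group that refers to the group by name.
!    The name is resolved through the security group table in the
!    environment data from the ISE, so the PAC import listed under
!    Restrictions must already be in place.
object-group security ENGINEERING-SG
 security-group name Engineering

! 3. Access control entries that use the security group as the source.
!    Only sources mapped to Engineering reach EPG App; the explicit
!    deny with "log" records traffic from every other source.
access-list APP-IN extended permit ip object-group-security ENGINEERING-SG any 192.0.2.0 255.255.255.0
access-list APP-IN extended deny ip any any log
access-group APP-IN in interface externalIf
```

On the ASA, `show cts sgt-map` lists the active IP-to-SGT bindings and `show cts environment-data` shows whether the security group table from the ISE is current, which matters here because that data is refreshed out-of-band.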
Restrictions
The PAC file from the ISE will need to be imported as part of pre-provisioning. Refreshing the 
environment data from the ISE will need to be done out-of-band. 
For details about Configuring the ASA to Integrate with Cisco TrustSec, see: 
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_trustsec.pdf
Note
Cisco Application Centric Infrastructure (ACI) does not have native support of the Security-group 
eXchange Protocol (SXP). Therefore, in order to use TrustSec in ASA for ACI, you must have an 
SXP-capable switch. 
Cisco ACI is a distributed, scalable, multi-tenant infrastructure with external end-point connectivity 
controlled and grouped through application-centric policies. SXP is the protocol used to propagate the 
IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support. 
The Cisco Application Policy Infrastructure Controller (APIC) is a unified point of automation, 
management, monitoring, and programmability for the Cisco ACI. 
Tip
To use TrustSec in ASA for ACI, changes to your network topology might be required. For details about 
the required topology and configuration examples, see the Cisco listing page shown below. This 
information will be available by March 14, 2016.