VRF-Aware SXP
The Security Group Tag (SGT) Exchange Protocol (SXP) implementation of Virtual Routing and Forwarding (VRF) binds an SXP connection with a specific VRF. It is assumed that the network topology is correctly configured for Layer 2 or Layer 3 VPNs, with all VRFs configured before enabling Cisco TrustSec.
SXP VRF support can be summarized as follows:
- Only one SXP connection can be bound to one VRF.
- Different VRFs may have overlapping SXP peer or source IP addresses.
- IP-SGT mappings learned (added or deleted) in one VRF can be updated only in the same VRF domain. An SXP connection cannot update a mapping bound to a different VRF. If no SXP connection exists for a VRF, IP-SGT mappings for that VRF are not updated by SXP.
- Multiple address families per VRF are supported. Therefore, one SXP connection in a VRF domain can forward both IPv4 and IPv6 IP-SGT mappings.
- SXP has no limitation on the number of connections or the number of IP-SGT mappings per VRF.
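The rules above applied to a two-VRF device, as an added configuration example that is not part of the original page: the VRF names, addresses and password are constructed, and the `cts sxp connection peer ... vrf` and `show` command forms are assumed to follow IOS XE syntax.

```cisco
! Added example (constructed; not from the original page).
! Two VRFs, RED and BLUE, each bound to exactly one SXP connection.
! The peer 10.1.1.1 and source 10.1.1.2 are reused in both VRFs, which
! the rules above permit because each connection is bound to one VRF.
vrf definition RED
 address-family ipv4
 exit-address-family
 ! RED carries both address families, so its single SXP connection
 ! can forward IPv4 and IPv6 IP-SGT mappings.
 address-family ipv6
 exit-address-family
!
vrf definition BLUE
 address-family ipv4
 exit-address-family
!
cts sxp enable
! Placeholder secret; replace with the real shared SXP password.
cts sxp default password 0 PLACEHOLDER-SXP-PASSWORD
!
! One listener connection per VRF. Mappings learned over the RED
! connection are installed only in RED; they never touch BLUE.
cts sxp connection peer 10.1.1.1 source 10.1.1.2 password default mode local listener vrf RED
cts sxp connection peer 10.1.1.1 source 10.1.1.2 password default mode local listener vrf BLUE
!
! Verification (assumed IOS XE show-command forms): confirm each VRF
! has its own connection and that learned mappings stay in that VRF.
! show cts sxp connections vrf RED
! show cts sxp connections vrf BLUE
! show cts role-based sgt-map vrf RED all
! show cts role-based sgt-map vrf BLUE all
```

A VRF with no SXP connection (for example, a third VRF GREEN left unconfigured here) keeps whatever static or locally learned IP-SGT mappings it has; SXP will not add or remove entries in it.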