https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572506#M493093 <HTML><HEAD></HEAD><BODY><P>Hi Robert,</P><P></P><P>So the Nexus 2K FEXs do support TrustSec. When attached to a Nexus 5500/5600/6000, the FEX port can be configured on the N5K/N6K with a static Port to SGT. When attached to a N5K/6K or even a N7K, there is no configuration required for the FEX Uplinks.</P><P></P><P>Here is one thing to remember, when attached to a N5K or an N6K the only classification is via Port SGT assignment. The N5K/N6K (and hence N2K attached to them) do not support IP-SGT, VLAN-SGT. Relative to what Keti said regarding NIF(Network Interface) ports, they do not need configuration as traffic will be tagged at the N5K/6K to which the FEX is attached. For HIF (Host) ports. The port is assigned an SGT and is configured on the N5K/N6K. Any traffic coming from that server will be tagged upon exiting the N5K or N6K.</P><P></P><P>The N5K/6K can enforce Trustsec policies for servers attached to the same FEX in the same VLAN.</P><P></P><P>Now if a N2K FEX is attached to a N7K, the N7K does NOT support a static SGT assignment on the FEX HIF port. In oreder to classify servers attached to a N2K FEX with an N7K as a parent, Static IP-SGT, Subnet-SGT (NX-OS 7.3 or later), or VLAN to SGT.</P><P></P><P>Please also refer to the TrustSec Data Center Segmentation Design Guide on CCO at <A href="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf" title="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf">http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf <SPAN style="color: #000000;">for more information.</SPAN></A></P><P></P><P>Mike Jessup</P><P>TrustSec TME</P></BODY></HTML> Tue, 21 Jun 2016 00:51:34 GMT mjessup 2016-06-21T00:51:34Z https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572504#M493079 <HTML><HEAD></HEAD><BODY><P>In the TrustSec 5.3 guide there is no mention of the N2K being in the compatability guide. Does this mean that the N2K does not support all of the TrustSec features and thus cant be used i a Secure DC soultion?</P><P></P><P>-- </P><P></P><P>Grace and Peace,</P><P></P><P>Robert E Roulhac Jr</P><P>Virtual Systems Engineer II</P><P>Cisco TSN (Technical Solutions Network)</P><P><A class="jive-link-email-small" href="mailto:rroulhac@cisco.com" target="_blank">rroulhac@cisco.com</A></P><P>Office: 919.5745455</P></BODY></HTML> Mon, 11 Mar 2019 06:52:38 GMT https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572504#M493079 rroulhac 2019-03-11T06:52:38Z https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572505#M493087 <HTML><HEAD></HEAD><BODY><P>IP-SGT, Subnet-SGT, and VLAN-SGT are supported for FEX connected servers.</P><P>Port-SGT is not supported with FEX:</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port-SGT is not supported for FEX NIF ports</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Port-SGT is not support for servers connected to FEX HIF ports.</P><P></P><P>Inline SGT tagging is not supported for devices connected to FEX ports</P><P>SGACL enforcement is supported for FEX connected devices.&nbsp; The SGACLs are downloaded to the SoC/ASIC which controls the ports where the FEX NIFs are connected.</P></BODY></HTML> Mon, 20 Jun 2016 19:26:15 GMT https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572505#M493087 kilcreas 2016-06-20T19:26:15Z https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572506#M493093 <HTML><HEAD></HEAD><BODY><P>Hi Robert,</P><P></P><P>So the Nexus 2K FEXs do support TrustSec. When attached to a Nexus 5500/5600/6000, the FEX port can be configured on the N5K/N6K with a static Port to SGT. When attached to a N5K/6K or even a N7K, there is no configuration required for the FEX Uplinks.</P><P></P><P>Here is one thing to remember, when attached to a N5K or an N6K the only classification is via Port SGT assignment. The N5K/N6K (and hence N2K attached to them) do not support IP-SGT, VLAN-SGT. Relative to what Keti said regarding NIF(Network Interface) ports, they do not need configuration as traffic will be tagged at the N5K/6K to which the FEX is attached. For HIF (Host) ports. The port is assigned an SGT and is configured on the N5K/N6K. Any traffic coming from that server will be tagged upon exiting the N5K or N6K.</P><P></P><P>The N5K/6K can enforce Trustsec policies for servers attached to the same FEX in the same VLAN.</P><P></P><P>Now if a N2K FEX is attached to a N7K, the N7K does NOT support a static SGT assignment on the FEX HIF port. In oreder to classify servers attached to a N2K FEX with an N7K as a parent, Static IP-SGT, Subnet-SGT (NX-OS 7.3 or later), or VLAN to SGT.</P><P></P><P>Please also refer to the TrustSec Data Center Segmentation Design Guide on CCO at <A href="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf" title="http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf">http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf <SPAN style="color: #000000;">for more information.</SPAN></A></P><P></P><P>Mike Jessup</P><P>TrustSec TME</P></BODY></HTML> Tue, 21 Jun 2016 00:51:34 GMT https://community.cisco.com/t5/network-access-control/n2k-used-in-trustsec-solution/m-p/3572506#M493093 mjessup 2016-06-21T00:51:34Z