N2K used in TrustSec Solution

rroulhac
Cisco Employee

In the TrustSec 5.3 guide there is no mention of the N2K being in the compatibility guide. Does this mean that the N2K does not support all of the TrustSec features and thus can't be used in a Secure DC solution?

--

Grace and Peace,

Robert E Roulhac Jr

Virtual Systems Engineer II

Cisco TSN (Technical Solutions Network)

rroulhac@cisco.com

Office: 919.5745455



kilcreas
Cisco Employee

IP-SGT, Subnet-SGT, and VLAN-SGT are supported for FEX connected servers.

Port-SGT is not supported with FEX:

    Port-SGT is not supported for FEX NIF ports.

    Port-SGT is not supported for servers connected to FEX HIF ports.

Inline SGT tagging is not supported for devices connected to FEX ports.

SGACL enforcement is supported for FEX connected devices. The SGACLs are downloaded to the SoC/ASIC which controls the ports where the FEX NIFs are connected.

mjessup
Cisco Employee

Hi Robert,

So the Nexus 2K FEXs do support TrustSec. When attached to a Nexus 5500/5600/6000, the FEX port can be configured on the N5K/N6K with a static Port to SGT. When attached to a N5K/6K or even a N7K, there is no configuration required for the FEX uplinks.

Here is one thing to remember: when attached to a N5K or an N6K, the only classification is via Port-SGT assignment. The N5K/N6K (and hence N2K attached to them) do not support IP-SGT or VLAN-SGT. Relative to what Keti said regarding NIF (Network Interface) ports, they do not need configuration, as traffic will be tagged at the N5K/6K to which the FEX is attached. For HIF (Host) ports, the port is assigned an SGT and is configured on the N5K/N6K. Any traffic coming from that server will be tagged upon exiting the N5K or N6K.

The N5K/6K can enforce TrustSec policies for servers attached to the same FEX in the same VLAN.

Now if a N2K FEX is attached to a N7K, the N7K does NOT support a static SGT assignment on the FEX HIF port. In order to classify servers attached to a N2K FEX with an N7K as a parent, use static IP-SGT, Subnet-SGT (NX-OS 7.3 or later), or VLAN-SGT.

Please also refer to the TrustSec Data Center Segmentation Design Guide on CCO at http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf for more information.

Mike Jessup

TrustSec TME
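The two classification paths Mike describes, shown side by side as an added illustration (these fragments are not from the post or from the design guide): static Port-SGT on a N5K/N6K-attached FEX host port, versus IP-, subnet- and VLAN-based mapping on a N7K parent. Interface numbers, addresses and SGT values are made up, and the exact keyword syntax is an assumption to be checked against the NX-OS security configuration guide for the platform and release in use.

```text
! --- Parent is N5K/N6K: classify by static Port-SGT on the FEX host (HIF) port ---
! The NIF uplinks facing the FEX need no CTS configuration; tagging happens on the parent.
! Constructed example values: FEX 101 port 1, VLAN 100, SGT 20 (0x14).
feature cts
interface Ethernet101/1/1
  switchport access vlan 100
  cts manual
    policy static sgt 0x14      ! every frame from this server leaves the N5K/N6K as SGT 20

! --- Parent is N7K: no Port-SGT on FEX HIF ports, so classify by address or by VLAN ---
feature cts
cts role-based sgt-map 10.100.0.11 20        ! IP-SGT: a single server behind the FEX
cts role-based sgt-map 10.100.0.0/24 20      ! Subnet-SGT: needs NX-OS 7.3 or later
vlan 200
  cts role-based sgt 30                      ! VLAN-SGT: all hosts in VLAN 200 become SGT 30
  cts role-based enforcement                 ! SGACLs applied on the parent for FEX-attached hosts
```

Either way, inline SGT tagging toward the server is not expected on the FEX port, so the server-side link carries untagged Ethernet and the parent switch is the point where classification and SGACL enforcement can be verified.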