06-20-2016 11:25 AM - edited 03-10-2019 11:52 PM
In the TrustSec 5.3 guide there is no mention of the N2K being in the compatibility guide. Does this mean that the N2K does not support all of the TrustSec features and thus can't be used in a Secure DC solution?
--
Grace and Peace,
Robert E Roulhac Jr
Virtual Systems Engineer II
Cisco TSN (Technical Solutions Network)
Office: 919.5745455
06-20-2016 05:51 PM
Hi Robert,
So the Nexus 2K FEXs do support TrustSec. When attached to a Nexus 5500/5600/6000, the FEX port can be configured on the N5K/N6K with a static Port to SGT. When attached to a N5K/6K or even a N7K, there is no configuration required for the FEX Uplinks.
Here is one thing to remember: when attached to a N5K or an N6K, the only classification is via Port SGT assignment. The N5K/N6K (and hence N2K attached to them) do not support IP-SGT or VLAN-SGT. Relative to what Keti said regarding NIF (Network Interface) ports, they do not need configuration as traffic will be tagged at the N5K/6K to which the FEX is attached. For HIF (Host) ports, the port is assigned an SGT and is configured on the N5K/N6K. Any traffic coming from that server will be tagged upon exiting the N5K or N6K.
The N5K/6K can enforce TrustSec policies for servers attached to the same FEX in the same VLAN.
Now if a N2K FEX is attached to a N7K, the N7K does NOT support a static SGT assignment on the FEX HIF port. In order to classify servers attached to a N2K FEX with an N7K as a parent, use Static IP-SGT, Subnet-SGT (NX-OS 7.3 or later), or VLAN to SGT.
Please also refer to the TrustSec Data Center Segmentation Design Guide on CCO at http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf for more information.
Mike Jessup
TrustSec TME
06-20-2016 12:26 PM
IP-SGT, Subnet-SGT, and VLAN-SGT are supported for FEX connected servers.
Port-SGT is not supported with FEX:
Port-SGT is not supported for FEX NIF ports
Port-SGT is not supported for servers connected to FEX HIF ports.
Inline SGT tagging is not supported for devices connected to FEX ports.
SGACL enforcement is supported for FEX connected devices. The SGACLs are downloaded to the SoC/ASIC which controls the ports where the FEX NIFs are connected.