Trustsec support on the Nexus 5K

TrustSec is offered as a supported solution on the Nexus 5K as per 6.3 system bulletin.

We were recently unable to enable VLAN enforcement on a Nexus 5596 due to the presence of an L3 module and associated routed SVI. The model does not appear to support the same level of integration with ISE as other platforms such as the ISR 4K. IP to SGT maps can be configured locally, but classification is only supported at the port level, which seems more suited to physical servers than to data centre switches supporting VMware deployments with trunked ports carrying multiple VLANs.


Interested to hear others' thoughts on TrustSec enforcement at the data centre and a suggested platform. My understanding is that the Nexus 1000 is end of life, the Nexus 9K is only supported when controlled through APIC_EM (not NX-OS), and the Nexus 5500 and 5600 offer similar levels of support for the feature. The Nexus 7K is not an option for the client.


Also interested to hear others' experiences/solutions running TrustSec on the Nexus 5K.

Thanks in advance.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Trustsec support on the Nexus 5K

Was just going through the community questions and saw this didn't have a reply.

Sorry for the delay.

You're right, the N5k can only do Port:SGT classification. You can configure IP:SGT, but that is just sent via SXP; it does not classify traffic using the IP:SGT entries. Having said that, there are many customers using the N5k for server traffic enforcement.

For virtualised environments, there is a next gen N1kve which is fully TrustSec capable:

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000ve/datasheet-c78-740916.html

You're also right that the N9k NX-OS does not support TrustSec yet (the HW supports it but no software has been written yet) and there is no commitment for it. As you stated, ACI with the APIC does support EPG<->SGT interworking.


Beginner

Re: Trustsec support on the Nexus 5K

Thanks for the reply, jeaves@cisco.com, much appreciated.

 

We moved ahead with a trial of the Nexus 1000VE but unfortunately encountered compatibility issues with vCenter 6.7 in our lab environment.

 

VSM-N1000VE(config-svs-conn)# connect

ERROR:  [VMware vCenter Server 6.7.0 build-9433931] The version value : 5.0.0 is not valid in the productSpec.version.. A specified parameter was not correct: productSpec.version.

 

We were advised by product support to downgrade the lab to 6.5. This work is now underway, and we hope to be able to test the TrustSec functionality of the virtual switch in the next 1-2 weeks.