02-12-2018 02:53 AM - edited 03-11-2019 01:21 AM
TrustSec is offered as a supported solution on the Nexus 5K as per 6.3 system bulletin.
Recently we were unable to enable VLAN enforcement on a Nexus 5596 due to the presence of an L3 module and the associated routed SVI. The model does not appear to support the same level of integration with ISE as other platforms such as the ISR 4K. IP-to-SGT maps can be configured locally, but classification is only supported at the port level, which seems more suited to physical servers as opposed to data centre switches supporting VMware deployments with trunked ports carrying multiple VLANs.
Interested to hear others' thoughts on TrustSec enforcement at the data centre and a suggested platform. My understanding is that the Nexus 1000 is end of life, the Nexus 9K is only supported when controlled through APIC-EM (not NX-OS), and the Nexus 5500 and 5600 offer similar levels of support for the feature. The Nexus 7K is not an option for the client.
Also interested to hear others' experiences/solutions running TrustSec on the Nexus 5K.
Thanks in advance.
12-24-2018 05:31 AM
Was just going through the community questions and saw this didn't have a reply.
Sorry for the delay.
You're right, the N5k can only do Port:SGT classification. You can configure IP:SGT but that is just sent via SXP, it does not classify traffic using the IP:SGT entries. Having said that, there are many customers using the N5k for server traffic enforcement.
For virtualised environments, there is a next gen N1kve which is fully TrustSec capable:
https://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000ve/datasheet-c78-740916.html
You're also right that the N9k NX-OS does not support TrustSec yet (the HW supports it but no software has been written yet) and there is no commitment for it. As you stated, ACI with the APIC does support EPG<->SGT interworking.
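To make the distinction in the reply above concrete, here is an added illustration (not from the original thread or from Cisco) of what the two classification paths look like in NX-OS configuration. The IP address, SGT values, peer address and interface are constructed placeholders; the command syntax follows the NX-OS Cisco TrustSec configuration guides, and exact availability on a given 5500 image should be checked against the release notes for that image.

```text
! Enable the TrustSec feature and role-based enforcement on the switch
feature cts
cts role-based enforcement

! Path 1: Port:SGT classification (the only path the N5k uses to tag traffic).
! Every frame entering Ethernet1/1 is classified with SGT 0x64 (100),
! regardless of which VLAN on the trunk it arrived on.
interface Ethernet1/1
  cts manual
    policy static sgt 0x64
    role-based enforcement

! Path 2: a locally configured IP:SGT mapping (constructed sample address/SGT).
! On the N5k this entry is advertised to SXP peers but is NOT used to
! classify locally switched traffic, which is the limitation discussed above.
cts role-based sgt-map 10.10.20.5 200

! SXP speaker session towards a peer (constructed peer/source addresses) so
! that an enforcement-capable device downstream can consume the IP:SGT binding
cts sxp enable
cts sxp default password <sxp-password-placeholder>
cts sxp connection peer 10.0.0.1 source 10.0.0.2 password default mode speaker

! Verification commands a practitioner would use after applying the above
! show cts role-based sgt-map     -> lists IP:SGT bindings (local and learned)
! show cts sxp connection         -> confirms the SXP session state
! show cts interface Ethernet1/1  -> confirms the static port SGT and enforcement
```

The practical consequence for a trunked virtualisation host is that all VLANs on the trunk inherit the single static port SGT, so per-VLAN or per-VM segmentation has to be classified elsewhere (for example on a TrustSec-capable virtual switch, as the reply suggests) and carried to the enforcement point via SXP or inline tagging.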
12-28-2018 03:38 AM
Thanks for the reply jeaves@cisco.com, much appreciated.
We moved ahead with a trial of the Nexus 1000VE but unfortunately encountered compatibility issues with vCenter 6.7 in our lab environment.
VSM-N1000VE(config-svs-conn)# connect
ERROR: [VMware vCenter Server 6.7.0 build-9433931] The version value : 5.0.0 is not valid in the productSpec.version.. A specified parameter was not correct: productSpec.version.
We were advised by product support to downgrade the lab to 6.5. This work is now underway, and we hope to be able to test the TrustSec functionality of the virtual switch in the next 1-2 weeks.