3122 Views, 0 Helpful, 2 Replies

Trustsec support on the Nexus 5K

shinnie1978
Level 1

TrustSec is offered as a supported solution on the Nexus 5K as per 6.3 system bulletin.

We were recently unable to enable VLAN enforcement on a Nexus 5596 due to the presence of an L3 module and associated routed SVI. The model does not appear to support the same level of integration with ISE as other platforms such as the ISR 4K. IP to SGT maps can be configured locally, but classification is only supported at the port level, which seems more suited to physical servers as opposed to data centre switches supporting VMware deployments with trunked ports carrying multiple VLANs.


Interested to hear others' thoughts on TrustSec enforcement at the data centre and suggested platforms. My understanding is that the Nexus 1000 is end of life, the Nexus 9K is only supported when controlled through APIC-EM (not NX-OS), and the Nexus 5500 and 5600 offer similar levels of support for the feature. The Nexus 7K is not an option for the client.


Also interested to hear others' experiences/solutions running TrustSec on the Nexus 5K.

Thanks in advance.

Accepted Solution

jeaves@cisco.com
Cisco Employee

Was just going through the community questions and saw this didn't have a reply.

Sorry for the delay.

You're right, the N5k can only do Port:SGT classification. You can configure IP:SGT, but that is just sent via SXP; it does not classify traffic using the IP:SGT entries. Having said that, there are many customers using the N5k for server traffic enforcement.

For virtualised environments, there is a next gen N1kve which is fully TrustSec capable:

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000ve/datasheet-c78-740916.html

You're also right that the N9k NX-OS does not support TrustSec yet (the HW supports it but no software has been written yet) and there is no commitment for it. As you stated, ACI with the APIC does support EPG<->SGT interworking.
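To make the distinction in the reply concrete, the following NX-OS configuration sketch is an added example, not taken from the original post or from Cisco documentation. It places the two classification methods side by side: a static port-level SGT that the N5k enforces on, and an IP:SGT map that the N5k only exports to SXP peers. It assumes the NX-OS `cts` command family as used on the Nexus 5500/5600; the interface, IP addresses, SGT values, SXP peer and ACL name are constructed placeholders, and the exact syntax (in particular the meaning of the SXP `mode` keyword) should be checked against the configuration guide for the running release.

```nxos
! Added example, not from the thread. Addresses, SGTs and the peer are constructed.
feature cts
cts role-based enforcement

! 1) Port-level classification: the only method the N5k enforces on.
!    Every frame arriving on Ethernet1/10 is tagged with SGT 100 (0x64),
!    regardless of which VLAN or VM it belongs to on the trunk.
interface Ethernet1/10
  description constructed-ESXi-host-uplink
  switchport mode trunk
  cts manual
    policy static sgt 0x64

! 2) IP:SGT mapping: accepted in configuration, but on the N5k it is only
!    propagated to SXP peers that can enforce on IP:SGT bindings; the N5k
!    itself does not classify local traffic from these entries.
cts role-based sgt-map 10.20.30.40 200
cts role-based sgt-map 10.20.30.41 200

! Export the maps over SXP to a constructed peer. Check the release guide
! for whether 'mode' names the local or the peer role on your platform.
cts sxp enable
cts sxp default password constructed-sxp-key
cts sxp connection peer 10.0.0.5 password default mode listener

! Policy between groups: an SGACL permitting only HTTPS from the
! port-classified servers (SGT 100) to the application group (SGT 200).
cts role-based access-list WEB_TO_APP
  permit tcp dst eq 443
cts role-based sgt 100 dgt 200 access-list WEB_TO_APP
```

In this layout the trunk uplink in section 1 illustrates the limitation the original post describes: every VLAN and VM behind the port shares one SGT, so per-VM policy must come from an SXP listener or a virtual switch that classifies on IP:SGT or port groups.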


2 Replies


Thanks for the reply jeaves@cisco.com, much appreciated.

We moved ahead with a trial of the Nexus 1000VE but unfortunately encountered compatibility issues with vCenter 6.7 in our lab environment.

 

VSM-N1000VE(config-svs-conn)# connect

ERROR:  [VMware vCenter Server 6.7.0 build-9433931] The version value : 5.0.0 is not valid in the productSpec.version.. A specified parameter was not correct: productSpec.version.

We were advised by product support to downgrade the lab to 6.5; this work is now underway and we hope to be able to test the TrustSec functionality of the virtual switch in the next 1-2 weeks.
