
Nexus N5K-C5010 encrypted port purpose

nocsertech
Level 1

Hi all,

I am new to Nexus. I couldn't find any information about the encrypted ports (ports 33 - 40) as mentioned in the Nexus 5020 hardware installation guide. Hope to get help from the community.

 

I would like to know what the purpose of an encrypted port is and how it is different from a non-encrypted port.

 

I have a mixed environment as listed below. I need a recommendation on which ports of the N5k-C5020 are suitable for which types of switches and devices.

 

For Top of rack access:

3 x FEX

2 x N3k-3048TP

2 x WS-4948-10G

2 x WS-C4948

 

For router uplink:

2 x server running vyos.

 

Thank you for help in advance.    

Accepted Solutions

Regarding the text in the document you referred to, what was meant is that those ports marked as "encrypted ports" (17-20) would support encryption on hardware, so they would have electronics associated to help with the encrypting function.

It seems that the referred feature did not go beyond that, i.e., an intended feature.

* CTS, or Cisco TrustSec, is a security framework that is comprised of several components and presents several features, one of which is the hop-by-hop, hardware-supported encryption, also known as MACsec, or LinkSec encryption, or 802.1ae.

Now, Nexus 5000 Series Switches do NOT support CTS, while the Nexus 5500 family does (even though it does NOT support MACsec!).

See, for instance, "Guidelines and Limitations for Cisco TrustSec", in "Cisco Trustsec" section here: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/security/521_n1_1/b_5k_Security_Config_521N11_chapter_0111.html#con_1188939

* The following table summarizes the features supported by TrustSec by Platform. There you can see that MACsec is NOT supported by N5K: http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

Another related document, which also explains what Cisco TrustSec is At-A-Glance, you can find here:

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/at_a_glance_c45-653057.pdf

* Finally, just in case, Nexus 5010 and 5020 have End-of-Sale dated November 27, 2012. You can see the announcement here:  http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/eol_c51-709037.html


Kirk J
Cisco Employee

Greetings.

I would hope this is not going into a production environment, as the 5010/5020 are no longer supported as of Nov of 2017, which means you cannot open a TAC case or re-add them to a support contract.

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/eol_c51-709037.html

 

5000 series limits: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration_limits/limits_521/nexus_5000_config_limits_521.html#52991

 

Config guide, fex section: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_010000.html

 

Overall 5000 Models and features: https://www.cisco.com/c/en/us/products/collateral/switches/nexus-5020-switch/product_bulletin_c25-462134.html

 

As far as I know, TrustSec and MACsec are only supported on N5500, and not 5010/5020 models. I'm not sure the designated port-encryption was functional on the 5010/5020 models. You should be able to use those ports for regular Ethernet traffic.

All the 5010/5020 ports can run at 10Gb, with the appropriate SFP, and depending on the expansion modules you have present, you can have FCoE or native FC ports.

 

Thanks,

Kirk...

 

 

Hi, thank you for your reply.

 

If you refer to the link below, it states that the 8 ports are encrypted ports. I would like to know how they are different from the other ports.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/hw/installation/guide/nexus_5000_hig/overview5500.html#60491

Thank you for your reply.
