Which statement about the implementation of Cisco TrustSec on Cisco Nexus 7000 Series Switches is true?
A . While SGACL enforcement and SGT propagation are supported on the M and F modules, 802.1AE (MACsec) support is available only on the M module.
B . SGT Exchange Protocol is required to propagate the SGTs across F modules that lack hardware support for Cisco TrustSec.
C . AAA authentication and authorization is supported using TACACS or RADIUS to a Cisco Secure Access Control Server.
D . Both Cisco TrustSec and 802.1X can be configured on an F or M module interface.
Answer: A
Explanation:
The M -Series modules on the Nexus 7000 support 802.1AE MACSEC on all ports, including the new M2series modules. The F2e modules will have this feature enabled in the future. It is important to note that because 802.1AE MACSEC is a link-level encryption, the two MACSEC-enabled endpoints, Nexus 7000 devices in our case, must be directly L2 adjacent. This means we direct fiber connection or one facilitated with optical gear is required. MACSEC has integrity checks for the frames and intermediate devices, like another switch, even at L2, will cause the integrity checks to fail. In most cases, this means metro-Ethernet services or carrier-provided label switched services will not work for a MACSEC connection.
http://www.ciscopress.com/articles/article.asp?p=2065720
Leave a Reply