Zoning Requirement - Cisco MDS 9120 Manual

Zoning Requirement

Zoning requires internal virtual N ports that are created by SME in the default zone. The default zone
must be set to deny and these virtual N ports must not be zoned with any other host or target.
For information on zoning, refer to the Fabric Configuration Guide, Cisco DCNM for SAN and the Cisco
MDS 9000 Family NX-OS Fabric Configuration Guide.

FC-Redirect Requirements

FC-Redirect requirements include the following:

- The MDS switch with the MSM-18/4 module installed or the MDS 9222i switch needs to be running Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS Release 4.x or later.
- The target must be connected to an MDS 95XX, 9216, or 9222i switch running Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS Release 4.x or later.
- 32 targets per MSM-18/4 module can be FC-redirected.
- Each FC-redirected target can be zoned to 16 hosts or fewer.
- CFS should be enabled on all required switches for FC-Redirect.
- SME servers, disk targets, and tape devices should not be part of an IVR zone set.
- Advanced zoning capabilities such as quality of service (QoS), logical unit number (LUN) zoning, and read-only LUNs must not be used for FC-Redirect hosts and targets.

SME Security Overview

SME transparently encrypts and decrypts data inside the storage environment without slowing or disrupting business-critical applications.

In SME Tape, SME generates a master key, tape volume keys, and tape keys. The keys are encrypted in a hierarchical order: the master key encrypts the tape volume keys and the tape keys.

In SME Disk, SME generates a master key and disk keys. The keys are encrypted in a hierarchical order: the master key encrypts the disk keys.

The keys are also copied to the key catalog on the Cisco KMC server for backup and archival. Eventually, inactive keys are removed from the fabric, but they are retained in the Cisco KMC catalog. The keys can be retrieved automatically from the Cisco KMC by the SME services in the fabric if needed again.

A single Cisco KMC can be used as a centralized key repository for multiple fabrics with SME services if desired. Key catalog import and export capabilities are also provided to accommodate moving tape media to different fabrics in environments with multiple Cisco KMC servers. Backup applications can be used to archive the key catalogs for additional protection.

Note
An SME cluster can be configured either for SME Disk or for SME Tape. Tape and Disk configurations cannot both be configured under the same cluster. A cluster can be configured for only one of them.

Cisco MDS 9000 Family NX-OS Storage Media Encryption Configuration Guide, Chapter 1: Storage Media Encryption Overview, OL-29289-01
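
The zoning and FC-Redirect requirements above can be checked against an exported fabric inventory before SME is enabled. The following is an added example, not part of the Cisco guide; the inventory layout, field names, and device names are assumptions made for illustration and do not reflect NX-OS or DCNM output.

```python
# Added example: the inventory layout and field names are assumptions,
# not NX-OS or DCNM output. Limits come from the requirements listed above.
MAX_TARGETS_PER_MODULE = 32    # FC-redirected targets per MSM-18/4 module
MAX_HOSTS_PER_TARGET = 16      # hosts zoned to one FC-redirected target
ADVANCED_ZONING = {"qos", "lun-zoning", "read-only-lun"}

def check_fabric(fabric):
    """Return a list of requirement violations found in the inventory."""
    problems = []
    if fabric["default_zone"] != "deny":
        problems.append("default zone is not set to deny")
    for sw in fabric["switches"]:
        if not sw["cfs_enabled"]:
            problems.append(f"{sw['name']}: CFS not enabled")
    per_module, redirected = {}, set()
    for tgt in fabric["targets"]:
        per_module[tgt["module"]] = per_module.get(tgt["module"], 0) + 1
        redirected |= {tgt["name"], *tgt["hosts"]}
        if len(tgt["hosts"]) > MAX_HOSTS_PER_TARGET:
            problems.append(f"{tgt['name']}: zoned to {len(tgt['hosts'])} hosts")
    for module, count in sorted(per_module.items()):
        if count > MAX_TARGETS_PER_MODULE:
            problems.append(f"{module}: {count} FC-redirected targets")
    vports = set(fabric["sme_virtual_nports"])
    for zone in fabric["zones"]:
        members = set(zone["members"])
        if members & vports and members - vports:
            problems.append(f"{zone['name']}: SME virtual N port zoned with other devices")
        if not members & redirected:
            continue  # zone has no FC-Redirect host or target
        if zone.get("ivr"):
            problems.append(f"{zone['name']}: FC-Redirect member in an IVR zone set")
        for feature in sorted(ADVANCED_ZONING & set(zone.get("features", ()))):
            problems.append(f"{zone['name']}: {feature} used with FC-Redirect member")
    return problems

# Constructed sample inventory (all names are made up for illustration).
SAMPLE = {
    "default_zone": "permit",
    "switches": [{"name": "mds-a", "cfs_enabled": True},
                 {"name": "mds-b", "cfs_enabled": False}],
    "sme_virtual_nports": ["sme-vnp-1"],
    "targets": [{"name": "tape-1", "module": "mds-a/slot2",
                 "hosts": [f"host-{i}" for i in range(17)]}],
    "zones": [{"name": "z-backup", "members": ["host-0", "tape-1"], "features": ["qos"]},
              {"name": "z-bad", "members": ["sme-vnp-1", "host-3"], "ivr": True}],
}

if __name__ == "__main__":
    for line in check_fabric(SAMPLE):
        print("VIOLATION:", line)
```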
