Configuring Fabric Security
Fibre Channel Security Protocol (FC-SP) capabilities in SAN-OS 1.3(x) provides switch-switch and
host-switch authentication to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman
Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol implemented in
SAN-OS1.3(x) to provide authentication between Cisco MDS switches and other devices. It consists of
the CHAP protocol combined with the Diffie-Hellman exchange.
This chapter contains the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
About Fabric Authentication
All switches in the Cisco MDS 9000 Family enable fabric-wide authentication from one switch to
another switch, or from a switch to a host. These switches and hosts authentications are performed
locally or remotely in each fabric. As storage islands are consolidated and migrated to enterprise-wide
fabrics new security challenges arise. The approach of securing storage islands, cannot always be
guaranteed in enterprise-wide fabrics. For example, in a campus environment with geographically
distributed switches someone could maliciously interconnect incompatible switches or you could
accidentally do so, resulting in inter-switch link (ISL) isolation and link disruption. This need for
physical security is addressed by switches in the Cisco MDS 9000 Family.
OL-7753-01
About Fabric Authentication, page 19-1
C H A P T E R
Cisco MDS 9000 Fabric Manager Switch Configuration Guide
19
19-1