Configuring DHCHAP Authentication; Enabling DHCHAP; Configuring DHCHAP Authentication Modes - Cisco DS-C9216I-K9 Configuration Manual

Chapter 19
Configuring Fabric Security

Configuring DHCHAP Authentication

To configure DHCHAP authentication using the local password database, follow these steps:
Step 1  Enable DHCHAP.
Step 2  Identify and configure the DHCHAP authentication modes.
Step 3  Configure the hash algorithm and DH group.
Step 4  Configure the password for the local switch and other switches in the fabric.
Step 5  Configure the timeout value for reauthentication.
Step 6  Verify the DHCHAP configuration.

Enabling DHCHAP

By default, the DHCHAP feature is disabled in all switches in the Cisco MDS 9000 Family.
You must explicitly enable the DHCHAP feature to access the configuration and verification commands
for fabric authentication. When you disable this feature, all related configurations are automatically
discarded.

Configuring DHCHAP Authentication Modes

The DHCHAP authentication status for each interface depends on the configured DHCHAP port mode.
When the DHCHAP feature is enabled in a switch, each Fibre Channel interface or FCIP interface may
be configured to be in one of four DHCHAP port modes:

• On—During switch initialization, if the connecting device supports DHCHAP authentication, the
  software performs the authentication sequence. If the connecting device does not support DHCHAP
  authentication, the software moves the link to an isolated state.
• Auto-Active—During switch initialization, if the connecting device supports DHCHAP
  authentication, the software performs the authentication sequence. If the connecting device does not
  support DHCHAP authentication, the software continues with the rest of the initialization sequence.
• Auto-Passive (default)—The switch does not initiate DHCHAP authentication, but participates in
  DHCHAP authentication if the connecting device initiates DHCHAP authentication.

Interaction with other interface types and features:

• PortChannel interfaces—If DHCHAP is enabled for ports belonging to a PortChannel, DHCHAP
  authentication is performed at the physical interface level, not at the PortChannel level.
• FCIP interfaces—The DHCHAP protocol works with an FCIP interface just as it would with a physical
  interface.
• Port security or fabric binding—Fabric binding policies are enforced based on identities
  authenticated by DHCHAP.
• VSANs—DHCHAP authentication is not done on a per-VSAN basis.
• High availability—DHCHAP authentication works transparently with existing HA features.
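
The link outcomes that follow from the On, Auto-Active and Auto-Passive descriptions above can be worked through in code. The Python model below is an added example, not Cisco code or switch output: it assumes None stands for a connecting device without DHCHAP support, uses constructed link names, models only whether the authentication sequence runs (not whether it succeeds), and leaves out the fourth mode, which this page does not list.

```python
from enum import Enum

class Mode(Enum):
    ON = "on"
    AUTO_ACTIVE = "auto-active"
    AUTO_PASSIVE = "auto-passive"  # default port mode

def initiates(mode):
    """On and Auto-Active start the authentication sequence; Auto-Passive only answers."""
    return mode in (Mode.ON, Mode.AUTO_ACTIVE)

def link_outcome(a, b):
    """Return 'authenticate', 'isolated' or 'unauthenticated' for one link.
    a and b are the port modes at each end; None = device without DHCHAP (assumption)."""
    for local, peer in ((a, b), (b, a)):
        if local is Mode.ON and peer is None:
            return "isolated"          # On refuses a peer that cannot authenticate
    if a is None or b is None:
        return "unauthenticated"       # Auto-* continues initialization anyway
    if initiates(a) or initiates(b):
        return "authenticate"          # someone initiates, the other end participates
    return "unauthenticated"           # both Auto-Passive: nobody initiates

# Constructed sample inventory: (link name, mode at end A, mode at end B)
LINKS = [
    ("fc1/1<->core-fc2/1", Mode.ON, Mode.AUTO_PASSIVE),
    ("fc1/2<->edge-fc1/4", Mode.AUTO_PASSIVE, Mode.AUTO_PASSIVE),
    ("fc1/3<->edge-fc1/5", Mode.AUTO_ACTIVE, Mode.AUTO_PASSIVE),
    ("fcip1<->legacy-a", Mode.ON, None),
    ("fc1/4<->legacy-b", Mode.AUTO_ACTIVE, None),
]

def audit(links):
    """Flag links where DHCHAP does not run, or runs without being enforced."""
    findings = []
    for name, a, b in links:
        outcome = link_outcome(a, b)
        if outcome == "unauthenticated":
            findings.append((name, "comes up without DHCHAP authentication"))
        elif outcome == "authenticate" and Mode.ON not in (a, b):
            findings.append((name, "authenticates, but neither end is On, so a "
                                   "device without DHCHAP would still be accepted"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(LINKS):
        print(f"{name}: {reason}")
```

Two switches left at the default Auto-Passive mode never authenticate each other, and only a port in On mode refuses a device that cannot authenticate.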
Cisco MDS 9000 Fabric Manager Switch Configuration Guide, OL-7753-01