Configuring Passwords For Other Devices; Configuring The Dhchap Timeout Value; Default Fabric Security Settings - Cisco DS-C9216I-K9 Configuration Manual

Chapter 19
Configuring Fabric Security
- Approach 2—Use a different password for each switch and maintain that password list in each
  switch in the fabric. When you add a new switch, you create a new password list and update all
  switches with the new list. Accessing one switch yields the password list for all switches in that
  fabric.
- Approach 3—Use different passwords for different switches in the fabric. When you add a new
  switch, multiple new passwords corresponding to each switch in the fabric must be generated and
  configured in each switch. Even if one switch is compromised, the passwords of other switches are
  still protected. This approach requires considerable password maintenance by the user.

We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to
use the local password database, you can continue to do so using Approach 3 and using the Cisco MDS 9000
Family Fabric Manager to manage the password database. Refer to the Cisco MDS 9000 Family Fabric
Manager User Guide for further information.
All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted.

Configuring Passwords for Other Devices

You can configure passwords in the local authentication database for other devices in a fabric. The other
devices are identified by their device name, which is also known as the switch WWN or device WWN.
The password is restricted to 64 characters and can be specified in clear text (0) or in encrypted text (7).
The switch WWN identifies the physical switch. This WWN is used to authenticate the switch and is
different from the VSAN node WWN.

Configuring the DHCHAP Timeout Value

During the DHCHAP protocol exchange, if the MDS switch does not receive the expected DHCHAP
message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no
authentication is performed) to 1000 seconds. The default is 30 seconds.
When changing the timeout value, consider the following factors:

- The existing RADIUS and TACACS+ timeout values.
- The same value must also be configured on all switches in the fabric.

Default Fabric Security Settings

Table 19-2 lists the default settings for all fabric security features in any switch.

Table 19-2 Default Fabric Security Settings

Parameters                    Default
DHCHAP feature                Disabled.
DHCHAP hash algorithm         A priority list of MD-5 followed by SHA-1 for DHCHAP authentication.
DHCHAP authentication mode    auto-passive.

Cisco MDS 9000 Fabric Manager Switch Configuration Guide, OL-7753-01
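
The trade-off between Approach 2 and Approach 3 described at the top of this page can be made concrete by building both password databases for a six-switch fabric and counting what one compromised switch exposes. This is an added example, not code from the Cisco guide: the function names, the constructed switch WWNs, and the modelling of Approach 3 as one password per ordered switch pair are assumptions.

```python
import secrets
import string
from itertools import permutations

ALNUM = string.ascii_letters + string.digits
MAX_LEN = 64  # guide: passwords are limited to 64 alphanumeric characters


def new_password(length=32):
    """Random alphanumeric password within the 64-character limit."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and 64")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def approach2(switches):
    """One password per switch; every switch stores the complete list."""
    plist = {(s,): new_password() for s in switches}
    return {holder: dict(plist) for holder in switches}


def approach3(switches):
    """Assumed model: one password per ordered (owner, peer) pair, stored
    only on the two switches that form the pair."""
    pairs = {p: new_password() for p in permutations(switches, 2)}
    return {h: {p: pw for p, pw in pairs.items() if h in p} for h in switches}


def distinct_passwords(dbs):
    """Number of different passwords that must be generated and tracked."""
    return len({pw for db in dbs.values() for pw in db.values()})


def exposed_elsewhere(dbs, compromised):
    """Passwords readable on the compromised switch that still protect
    authentication involving only the other switches."""
    leaked = set(dbs[compromised].values())
    in_use = {pw for holder, db in dbs.items() if holder != compromised
              for key, pw in db.items() if compromised not in key}
    return len(leaked & in_use)


# Constructed switch WWNs for a six-switch fabric (not real devices).
FABRIC = [f"20:00:00:00:00:00:00:{i:02x}" for i in range(1, 7)]

if __name__ == "__main__":
    for name, build in (("Approach 2", approach2), ("Approach 3", approach3)):
        dbs = build(FABRIC)
        print(name, distinct_passwords(dbs), exposed_elsewhere(dbs, FABRIC[0]))
```

Under this model the password count grows from n to n(n-1) when moving from Approach 2 to Approach 3, which is the maintenance cost behind the recommendation to use RADIUS or TACACS+ for fabrics with more than five switches.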
