Cisco MDS 9120 Manual

MDS 9000 series

Storage Media Encryption Overview
Encrypting storage media in the data center has become a critical issue. Numerous high-profile incidents
of lost or stolen tape and disk devices have underscored the risk and exposure companies face when
sensitive information falls into the wrong hands. To satisfy the most demanding requirements, Cisco
MDS 9000 Family Storage Media Encryption (SME) for the Cisco MDS 9000 family switches offers a
highly scalable, reliable, and flexible solution that integrates encryption transparently as a fabric service
for Fibre Channel SANs.
This chapter provides an overview of SME and the hardware and software requirements for the product.
It contains the following sections:
  • About SME, page 1-1
  • About MIBs, page 1-9
  • Software and Hardware Requirements, page 1-10
  • SME Prerequisites, page 1-13
  • SME Security Overview, page 1-14

Note: When using SME, SSI images should not be loaded and installed on 18+4 cards and SSN-16. Also, the bootvar should not be set to load these images.

About SME
The SME solution is a comprehensive network-integrated encryption service with enterprise-class key
management that works transparently with existing and new SANs. The innovative Cisco
network-integrated solution has numerous advantages over competitive solutions available today:
  • SME installation and provisioning are both simple and nondisruptive. Unlike other solutions, SME does not require rewiring or SAN reconfiguration.
  • Encryption engines are integrated on the Cisco MDS 9000 18/4-Port Multiservice Module (MSM-18/4), the Cisco MDS 9222i Multiservice Module Switch, and the 16-Port Gigabit Ethernet Storage Services Node (SSN-16), which eliminates the need to purchase and manage extra switch ports, cables, and appliances.
  • Traffic from any virtual SAN (VSAN) can be encrypted using SME, enabling flexible, automated load balancing through network traffic management across multiple SANs.
  • No additional software is required for provisioning, key, and user role management; SME is integrated into Cisco DCNM for SAN (DCNM-SAN), which reduces operating expenses.

Cisco MDS 9000 Family NX-OS Storage Media Encryption Configuration Guide, OL-29289-01


Summary of Contents for Cisco MDS 9120

  • Page 1 To satisfy the most demanding requirements, Cisco MDS 9000 Family Storage Media Encryption (SME) for the Cisco MDS 9000 family switches offers a highly scalable, reliable, and flexible solution that integrates encryption transparently as a fabric service for Fibre Channel SANs.
  • Page 2 SME is a standards-based encryption solution for heterogeneous disks, tape libraries, and virtual tape libraries. SME is managed with Cisco DCNM-SAN and a command-line interface (CLI) for unified SAN management and security provisioning. SME includes the following comprehensive built-in key...
  • Page 3: Transparent Fabric Service

    Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module, an MDS 9222i switch, or an SSN-16 module anywhere in the fabric. There are no appliances in-line in the data path and there is no SAN rewiring or reconfiguration.
  • Page 4: Key Management

    The Cisco KMC is either integrated or separated from DCNM-SAN depending on the deployment requirements. Single site operations can be managed by the integration of the Cisco KMC in DCNM-SAN. In multisite deployments, the centralized Cisco KMC can be used together with the local DCNM-SAN servers that are used for fabric management.
  • Page 5 A Cisco KMC is configured only in the primary data center and DCNM-SAN servers are installed in all the data centers to manage the local fabrics and provision SME. The SME provisioning is performed in each of the data centers and the tape devices and backup groups in each of the data centers are managed independently.
  • Page 6: FC-Redirect

    SME performance can easily be scaled up by adding more Cisco MDS 9000 Family switches or modules. The innovative Fibre Channel redirect capabilities in Cisco MDS 9000 NX-OS enable traffic from any switch port to be encrypted without SAN reconfiguration or rewiring.
  • Page 7: Supported Topologies

    SME clusters include designated backup servers, tape libraries, and one or more MDS switches running Cisco SAN-OS Release 3.2(2c) or later or NX-OS 4.x or later. One cluster switch must include an MSM-18/4 module. With easy-to-use provisioning, traffic between any host and tape on the fabric can utilize the SME services.
  • Page 8: Single-Fabric Topology for Tape

    Figure 1-3 shows a single-fabric topology in which the data from the HR server is forwarded to the Cisco MSM-18/4 module. The Cisco MSM-18/4 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR tape.
  • Page 9: About MIBs

    Single-Fabric Topology for Disk: A single-fabric topology in which the data from the HR server is forwarded to the Cisco MSM-18/4 module, Cisco MDS 9222i switch or SSN-16 module. The Cisco MSM-18/4 module, Cisco MDS 9222i switch or SSN-16 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR disk.
  • Page 10: Table Of Contents

    All MDS switches in the SME cluster must be running the current release of Cisco SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x or later software for SME Tape. Cisco NX-OS Release 5.2(1) or later software is required for SME Disk. The software requirements include the following: DCNM-SAN must be running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x...
  • Page 11: Cisco MDS 9000 Family 18/4-Port Multiservice Module

    The Cisco MDS 9222i Multiservice Modular switch includes an integrated supervisor module (in slot 1) that provides the control and management functions of the Cisco MDS 9222i switch and it provides an 18-Port Fibre Channel switching and 4-Port Gigabit Ethernet IP services module. The Cisco MDS 9222i built-in supervisor module provides multiple communication and control paths to avoid a single point of failure.
  • Page 12: Cisco MDS 16-Port Storage Services Node

    MDS 9222i Multiservice Modular switch. Each of the four service engines supports four Gigabit Ethernet IP storage services ports for a total of 16 ports of Fibre Channel over IP (FCIP) connectivity. The traffic can be switched between an IP port and any Fibre Channel port on Cisco MDS 9000 Family switches.
  • Page 13: Smart Card Readers

    Note: In Cisco MDS NX-OS Release 6.2(1), FC-Redirect is not supported on the Cisco MDS 9710 switch. Note: SME does not support any FCoE connected devices, including devices connected through the MDS FCoE linecard (DS-X9708-K9).
  • Page 14: Zoning Requirement

    The keys are also copied to the key catalog on the Cisco KMC server for backup and archival. Eventually inactive keys are removed from the fabric, but they are retained in the Cisco KMC catalog. The keys can be retrieved automatically from the Cisco KMC by the SME services in the fabric if needed again.
  • Page 15: Additional Security Capabilities

    SME Security Overview Additional Security Capabilities Additional security capabilities offered by Cisco NX-OS complete the SME solution. For example, RADIUS and TACACS+ servers can be used to authenticate, authorize, and provide accounting (AAA) for SME administrators. Management of SME can be limited to authorized administrators using role-based access controls (RBACs).

This manual is also suitable for:

MDS 9134, MDS 9124, MDS 9020, MDS 9140 - fabric switch
