Cisco MDS 9000 Series Configuration Manual page 229

Configuring FC-SP and DHCHAP
\
This chapter includes the following sections:
•
•
•
•
About Fabric Authentication
Fibre Channel Security Protocol (FC-SP) capabilities provide switch-switch and host-switch authentication
to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge Handshake
Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco MDS
9000 Family switches and other devices. DHCHAP consists of the CHAP protocol combined with the
Diffie-Hellman exchange.
Note Cisco NX-OS Release 6.2(1) does not support the Fibre Channel Security Protocol (FC-SP) feature only on
Cisco MDS 9710. Support for FC-SP on Cisco MDS 9710 begins in Cisco NX-OS Release 6.2(9).
To authenticate through VFC ports, FC-SP peers use the port VSAN for communication. Hence, the port
VSAN needs to be the same and active on both the peers to send and receive authentication messages.
All switches in the Cisco MDS 9000 Family enable fabric-wide authentication from one switch to another
switch, or from a switch to a host. These switch and host authentications are performed locally or remotely
in each fabric. As storage islands are consolidated and migrated to enterprise-wide fabrics new security
challenges arise. The approach of securing storage islands cannot always be guaranteed in enterprise-wide
fabrics.
For example, in a campus environment with geographically distributed switches someone could maliciously
interconnect incompatible switches or you could accidentally do so, resulting in Inter-Switch Link (ISL)
isolation and link disruption. This need for physical security is addressed by switches in the Cisco MDS 9000
Family (see
About Fabric Authentication, on page 211
DHCHAP, on page 212
Sample Configuration, on page 222
Default Settings, on page 223
Figure 18: Switch and Host Authentication, on page 212
C H A P T E R
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
10
).
211