Cisco MDS 9000 Series Configuration Manual page 282

Security
About Cisco TrustSec FC Link Encryption
The Cisco TrustSec FC Link Encryption feature supports 128-bit AES encryption and lets you enable either
AES-GCM or AES-GMAC on an interface. AES-GCM mode provides both encryption and authentication of the
frames, while AES-GMAC provides only authentication of the frames that are passed between the two peers.
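The difference between the two modes, as an added Go example that is not from the Cisco guide: GMAC is modelled as GCM with an empty plaintext and the whole frame passed as additional authenticated data. The key, nonces, header and payload are constructed sample values, and the layout (header, payload, 16-byte tag) is an assumption for illustration, not the FC-SP ESP wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // AES-128-GCM when key is 16 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect returns the bytes after the header. GCM: ciphertext+tag. GMAC: cleartext payload+tag.
func Protect(aead cipher.AEAD, nonce, header, payload []byte, gmacOnly bool) []byte {
	if !gmacOnly {
		return aead.Seal(nil, nonce, payload, header)
	}
	aad := append(append([]byte{}, header...), payload...) // authenticate everything, encrypt nothing
	return aead.Seal(append([]byte{}, payload...), nonce, nil, aad)
}

// Verify checks the tag and returns the payload; a modified or truncated frame yields an error.
func Verify(aead cipher.AEAD, nonce, header, wire []byte, gmacOnly bool) ([]byte, error) {
	if !gmacOnly {
		return aead.Open(nil, nonce, wire, header)
	}
	n := len(wire) - aead.Overhead()
	if n < 0 {
		return nil, fmt.Errorf("frame shorter than the %d-byte tag", aead.Overhead())
	}
	if _, err := aead.Open(nil, nonce, wire[n:], append(append([]byte{}, header...), wire[:n]...)); err != nil {
		return nil, err
	}
	return wire[:n], nil
}

func main() {
	aead, err := newGCM([]byte("0123456789abcdef")) // constructed demo key, not a real SA key
	if err != nil {
		panic(err)
	}
	for i, gmac := range []bool{false, true} {
		nonce := append(make([]byte, 11), byte(i)) // a nonce must never repeat under one key
		fmt.Printf("gmac=%v wire=%q\n", gmac, Protect(aead, nonce, []byte("HDR"), []byte("SCSI data"), gmac))
	}
}
```

In the GMAC case the payload prints in the clear next to its tag: anyone who can observe the link can read it, but cannot alter it without the tag check failing.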
Cisco TrustSec FC Link Encryption is an extension of the Fibre Channel-Security Protocol (FC-SP) feature
and uses the existing FC-SP architecture to provide integrity and confidentiality of transactions. Encryption
is now added to the peer authentication capability to provide security and prevent unwanted traffic interception.
Peer authentication is implemented according to the FC-SP standard using the Diffie-Hellman Challenge
Handshake Authentication Protocol (DHCHAP).
Note
Cisco TrustSec FC Link Encryption is currently only supported between Cisco MDS switches. This feature
is not supported when you downgrade to software versions which do not have the Encapsulating Security
Protocol (ESP) support.
This section includes the following topics:
Supported Modules
The following modules are supported for the Cisco TrustSec FC Link Encryption feature:
• 2/4/8/10/16 Gbps 48-ports Advanced Fibre Channel module (DS-X9448-768K9)
• 32-port 8-Gbps Advanced Fibre Channel Switching module (DS-X9232-256K9)
• 48-port 8-Gbps Advanced Fibre Channel Switching module (DS-X9248-256K9)
• 1/2/4/8 Gbps 24-Port Fibre Channel switching module (DS-X9224-96K9)
• 1/2/4/8 Gbps 48-Port Fibre Channel switching module (DS-X9248-96K9)
• 1/2/4/8 Gbps 4/44-Port Fibre Channel switching module (DS-X9248-48K9)
• 2/4/8/10/16 Gbps 96-ports Fibre Channel Switching Module (DS-C9396S-K9)
• 24/10 port SAN Extension module (DS-X9334-K9)
• 48 port 32 Gbps Fibre Channel Switching Module (DS-X9648-1536K9)—support for Cisco TrustSec FC Link Encryption is available only on ports 9-12, 25-28 and 41-44.
• Cisco MDS 9132T Fibre Channel Switch—support for Cisco TrustSec FC Link Encryption is available only on ports 9-12, 25-28.
• Cisco MDS 9148T Fibre Channel Switch—support for Cisco TrustSec FC Link Encryption is available only on ports 9-12, 25-28 and 41-44.
• Cisco MDS 9396T Fibre Channel Switch—support for Cisco TrustSec FC Link Encryption is available only on 9-12, 25-28, 41-44 base ports, and 57-60, 73-76 and 89-92 LEM ports as applicable.
Enabling Cisco TrustSec FC Link Encryption
By default, the FC-SP feature and the Cisco TrustSec FC Link Encryption feature are disabled in all switches
in the Cisco MDS 9000 Family.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Configuring Cisco TrustSec Fibre Channel Link Encryption