Another topic on the blueprint. I'll only include security features that are specific to the MDS. Shared features with the Nexus platform will be added to the Nexus post.
IPSEC
The MDS supports IPSEC for FCIP and iSCSI. I'm very familiar with IPSEC so I'm not going to bother with investigating and documenting the process. The SAN OS book has some good examples as well.
Fabric Authentication
Fabric wide authentication is provided via Fibre Channel Security Protocol (FC-SP). FC-SP uses DHCHAP. From the SAN OS guide:
This section identifies the impact of configuring the DHCHAP feature along with existing Cisco MDS features:
• PortChannel interfaces—If DHCHAP is enabled for ports belonging to a PortChannel, DHCHAP authentication is performed at the physical interface level, not at the PortChannel level.
• FCIP interfaces—The DHCHAP protocol works with the FCIP interface just as it would with a physical interface.
• Port security or fabric binding—Fabric binding policies are enforced based on identities authenticated by DHCHAP.
• VSANs—DHCHAP authentication is not done on a per-VSAN basis.
• High availability—DHCHAP authentication works transparently with existing HA features.
Here is the process to configure:
Enable the feature
MDS1(config)# fcsp enable
ENTERPRISE_PKG license not installed. FCSP feature will be shutdown after grace period of approximately 119 day(s).
Set the local password
MDS1(config)# fcsp dhchap password cisco123
Set the remote password. First get the switch WWN
MDS1# sh cfs peers
Physical Fabric
-------------------------------------------------------------------------
Switch WWN IP Address
-------------------------------------------------------------------------
20:00:00:0d:ec:0e:96:c0 10.10.209.31
MDS1(config)# fcsp dhchap devicename 20:00:00:0d:ec:0e:96:c0 password cisco456
Looks like the previous owner of the 2nd MDS I have has used up the grace period for this feature.
MDS2(config)# fcsp enable
enable status: License expired
ENTERPRISE_PKG license not installed. FCSP feature will be shutdown after grace period of approximately 0 day(s).
The final step is to enable FCSP on the interfaces where authentication is needed.
Looks like a pretty simple configuration so I'm not going any further at least for now. Maybe if I go through the pain of recovering the grace period I will.
Port Security
Port security will reject logins to the fabric from unauthorized sources. Port security has many options (distribution via CFS, auto-learn, etc.). I will just focus on a few options here:
Enable the feature
MDS1(config)# port-security enable
Activate port security on the VSAN
MDS1(config)# port-security activate vsan 10
Enable auto-learn for the VSAN
MDS1(config)# port-security auto-learn vsan 10
Distribute the port security via CFS
MDS1(config)# port-security distribute
Commit the changes across the fabric
MDS1(config)# port-security commit vsan 10
Changes can be made manually to the port-security database
MDS1(config)# port-security database vsan 10
MDS1(config-port-security)# ?
Port Security Lists:
any-wwn Any Node/Port/Switch WWNs
device-alias N_Port Device_Alias
do EXEC command
end Exit from configure mode
exit Exit from this submode
no Negate a command or set its defaults
nwwn N_Port Node-WWN
pwwn N_Port Port-WWN
swwn Switch-WWN
View the database
MDS1# sh port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface)
--------------------------------------------------------------------------------
MDS1# sh port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
10 22:00:00:11:c6:f5:1a:f2(pwwn) 20:01:00:0d:ec:1f:bc:00(fc1/1)* Yes
10 22:00:00:11:c6:31:f7:bd(pwwn) 20:01:00:0d:ec:1f:bc:00(fc1/1)* Yes
10 22:00:00:18:62:07:ff:e1(pwwn) 20:01:00:0d:ec:1f:bc:00(fc1/1)* Yes
10 10:00:00:00:c9:6e:b6:21(pwwn) 20:04:00:0d:ec:1f:bc:00(fc1/4)* Yes
10 20:00:00:0d:ec:0e:96:c0(swwn) 24:64:00:0d:ec:1f:bc:00(port-channel 100)*Yes
[Total 5 entries]
Fabric Binding
Fabric binding is a feature somewhat similar to port security. The following table from the SAN OS guide highlights the differences.
Enable fabric binding
MDS1(config)# fabric-binding enable
Add a SWWN to the fabric binding database
MDS1(config)# fabric-binding database vsan 10
MDS1(config-fabric-binding)# swwn 20:00:00:0d:ec:0e:96:c0
Activate the fabric binding
MDS1(config)# fabric-binding activate vsan 10
Verification
MDS1# sh fabric-binding database
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
10 20:00:00:0d:ec:1f:bc:00 0xa(10) [Local]
10 20:00:00:0d:ec:0e:96:c0 Any
[Total 2 entries]
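Since auto-learn populates the port-security database with whatever is currently logged in, the learnt entries are worth reviewing before they are committed, and any switch WWN allowed by port security should also appear in the fabric-binding database for that VSAN. The following script is an added example (not part of this post or of SAN OS) that parses the `sh port-security database active` and `sh fabric-binding database` output formats shown above and reports both conditions; the sample output is constructed from the entries above plus one made-up switch WWN (20:00:00:0d:ec:aa:bb:cc) that is deliberately missing from fabric binding.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the two show commands in the post.
# The last swwn entry is made up so the fabric-binding check has something to flag.
PORT_SECURITY_ACTIVE = """\
VSAN Logging-in Entity Logging-in Point (Interface) Learnt
--------------------------------------------------------------------------------
10 22:00:00:11:c6:f5:1a:f2(pwwn) 20:01:00:0d:ec:1f:bc:00(fc1/1)* Yes
10 10:00:00:00:c9:6e:b6:21(pwwn) 20:04:00:0d:ec:1f:bc:00(fc1/4)* Yes
10 20:00:00:0d:ec:0e:96:c0(swwn) 24:64:00:0d:ec:1f:bc:00(port-channel 100)*Yes
10 20:00:00:0d:ec:aa:bb:cc(swwn) 24:65:00:0d:ec:1f:bc:00(port-channel 101)  No
[Total 4 entries]
"""
FABRIC_BINDING = """\
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
10 20:00:00:0d:ec:1f:bc:00 0xa(10) [Local]
10 20:00:00:0d:ec:0e:96:c0 Any
[Total 2 entries]
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
# Entity WWN with its type, the interface WWN with its name, optional '*', Learnt flag.
PS_LINE = re.compile(
    rf"^\s*(?P<vsan>\d+)\s+(?P<wwn>{WWN})\((?P<kind>[pns]wwn)\)\s+"
    rf"(?P<point>{WWN})\((?P<iface>[^)]+)\)\*?\s*(?P<learnt>Yes|No)?"
)
FB_LINE = re.compile(rf"^\s*(?P<vsan>\d+)\s+(?P<swwn>{WWN})\s+(?P<domain>\S+)")

def parse_port_security(text: str) -> List[dict]:
    """One dict per active port-security binding; header/footer lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := PS_LINE.match(line))]

def parse_fabric_binding(text: str) -> Dict[str, set]:
    """Map each VSAN to the set of switch WWNs fabric binding allows into it."""
    allowed: Dict[str, set] = {}
    for line in text.splitlines():
        if m := FB_LINE.match(line):
            allowed.setdefault(m["vsan"], set()).add(m["swwn"])
    return allowed

def audit(ps_text: str, fb_text: str) -> Tuple[List[str], List[str]]:
    """Return (auto-learnt entries to review, switch WWNs not covered by fabric binding)."""
    bound = parse_fabric_binding(fb_text)
    learnt, unbound = [], []
    for e in parse_port_security(ps_text):
        if e["learnt"] == "Yes":
            learnt.append(f"vsan {e['vsan']}: {e['wwn']} ({e['kind']}) on {e['iface']}")
        if e["kind"] == "swwn" and e["wwn"] not in bound.get(e["vsan"], set()):
            unbound.append(f"vsan {e['vsan']}: {e['wwn']} on {e['iface']}")
    return learnt, unbound

if __name__ == "__main__":
    learnt, unbound = audit(PORT_SECURITY_ACTIVE, FABRIC_BINDING)
    print("auto-learnt entries to review before committing:", *learnt, sep="\n  ")
    print("swwn entries missing from fabric binding:", *unbound, sep="\n  ")
```

Feed it the saved output of the two show commands in place of the constructed strings to run the same check against a real fabric.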