Fibre Channel port security prevents unauthorized Fibre Channel devices and switches from logging into the fabric. This protects the fabric from accidents, malicious intent or attacks such as WWN identity spoofing. It’s configured on a per-VSAN basis.
You have a few options to choose from when configuring Port Security:
1. Configure with auto-learning and CFS distribution
2. Configure with auto-learning without CFS distribution
3. Configure with manual database
The first method is definitely the most practical, as you can configure once, learn the current environment, and use Cisco Fabric Services (CFS) to distribute the configuration throughout the fabric. I'll be following this method in this blog post; feel free to follow along. I've also added a quick template at the bottom.
Fibre Channel Security Protocol (FC-SP) provides the capabilities for Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) to authenticate switches and/or hosts attempting to enter the fabric. The terms FC-SP and DHCHAP are used interchangeably. Unlike most FC features, DHCHAP is not configured on a per-VSAN basis.
1. Enable FCSP/DHCHAP
2. (Optional) Configure the hash algorithm and Diffie-Hellman groups
3. Configure the DHCHAP password for the local switch
4. Configure the DHCHAP password for the remote switches/devices in the fabric
5. Configure and enable DHCHAP on interfaces
   a. Modes
   b. Reauthentication
6. Verify
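The six steps above as a Cisco MDS NX-OS session. This is an added example, not configuration from the original post; the switch WWN, both passwords, the interface and the reauthentication interval are constructed placeholders.

```cisco
! Constructed example: the WWN, passwords, interface number and
! reauthentication interval are placeholders, not values from the post.

! Step 1: enable FC-SP/DHCHAP (global, not per-VSAN)
switch# configure terminal
switch(config)# feature fcsp

! Step 2 (optional): hash algorithms and DH groups, in order of preference.
! Keep these lists identical on every switch in the fabric.
switch(config)# fcsp dhchap hash md5 sha1
switch(config)# fcsp dhchap dhgroup 2 3 4

! Step 3: password this switch uses to authenticate itself
! (0 = the password that follows is entered in clear text)
switch(config)# fcsp dhchap password 0 <local-switch-secret>

! Step 4: password expected from a remote switch/device, keyed by its WWN
! (on a peer MDS, "show wwn switch" prints the switch WWN)
switch(config)# fcsp dhchap devicename 20:00:00:0d:ec:00:00:01 password 0 <remote-switch-secret>

! Step 5: per-interface mode and reauthentication
!   on           - authentication is mandatory; the link is isolated if the
!                  peer does not support DHCHAP or authentication fails
!   auto-active  - initiates authentication, but continues bring-up if the
!                  peer does not support DHCHAP
!   auto-passive - default; authenticates only if the peer initiates
!   off          - DHCHAP disabled on the interface
! The value after auto-active is the reauthentication interval in minutes
! (0 disables reauthentication).
switch(config)# interface fc1/1
switch(config-if)# fcsp auto-active 120
switch(config-if)# end

! Step 6: verify
switch# show fcsp interface fc1/1
switch# show fcsp dhchap
switch# show fcsp dhchap database
```

Only the `on` mode enforces authentication; with `auto-active` or `auto-passive`, a peer that does not support DHCHAP still joins the fabric unauthenticated, so check the status reported by `show fcsp interface` rather than assuming the link was authenticated.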
When first looking at the blueprint for the CCNA/CCNP/CCIE Data Center track, one of my biggest fears was storage. My entire career thus far has been based on traditional IP data networks, not storage networks. I'm used to things like MAC addresses and IP addresses, not WWPNs and FCIDs. This is a completely foreign technology to most Network Engineers. You have to think back: at some point we were young and hopeful CCNAs-to-be. We knew nothing, but that didn't stop us! Intimidation is overrated, so throw fear aside and know that persistence always wins.
So you’ve read all about FC, and now you want to see how to configure it. In this blog post I’ll be going through a basic FC configuration, covering some fundamental Fibre Channel topics along the way, such as:
- VSANs
- FLOGI
- FCNS
- Trunking
- Zoning (Basic and Enhanced)
- FC Aliases
- Device Aliases
- Domain ID Modification
- FSPF (with traffic engineering)
- SAN Port-channels