security

FC Security for CCIE DC – Fabric Binding

Fabric binding ensures that switches configured in the fabric binding database are permitted to connect to the switch. If a switch tries to join the fabric, and that switch is not in the fabric binding database, access is denied.  Fabric binding is configured on a per-VSAN basis.

From Cisco, “This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.”

This is very similar to Port Security, except Fabric Binding is for switches only (not devices). Switches bind to the fabric instead of interfaces like in Port Security. Additionally, Fabric Binding is manually configured on each switch, it cannot be distributed through CFS.

More information can be found here:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/binding.html

Steps involved:

1. Enable the fabric binding feature
2. Configure a list of sWWNs and their corresponding domain IDs for devices permitted in the fabric
3. Active the fabric binding database
4. Copy the fabric binding database to the fabric binding config database

(more…)

Advertisements

FC Security for CCIE DC – FC-SP / DHCHAP

Fibre Channel Security Protocol (FC-SP) provides the capabilities for Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) to authenticate switches and/or hosts attempting to enter the fabric. The terms FC-SP and DHCHAP are used interchangeably. Unlike most FC feature, DHCHAP is not configured on a per-VSAN basis.

All things in this post can be found in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/fcspdh.html

Steps involved to configure FC-SP:

1. Enable FCSP/DHCHAP
2. (Optional) Configure the hash algorithm and Diffie-Hellamn groups
3. Configure the DHCHAP password for the local switch
4. Configure the DHCHAP password for the remote switches/devices in the fabric
5. Configure and enable DHCHAP on interfaces
_a. Modes
_b. Reauthentication
6. Verify

fcsp-dhchap-topology

(more…)