Advanced Traffic-Engineering Features
• Inter-VSAN Routing (IVR): IVR allows selective transfer of data traffic between specific initiators and targets on different virtual SANs (VSANs) without merging the VSANs into a single logical fabric. Fibre Channel control traffic does not flow between VSANs, and initiators can reach only the resources explicitly designated through IVR. In this way, IVR facilitates resource sharing across VSANs without compromising the VSAN benefits of scalability, reliability, availability, and network security.
IVR also works across WANs over the Fibre Channel Interface Protocol (FCIP). IVR can be used in conjunction with FCIP to create more efficient business-continuity and disaster-recovery solutions. With the introduction of IVR, Cisco has become the first vendor to provide routing capability for Fibre Channel networks in SAN switches.
• Quality of service (QoS): The QoS feature in Cisco MDS 9000 NX-OS Software allows traffic to be classified into four distinct levels for service differentiation. QoS can be applied to help ensure that Fibre Channel data traffic for latency-sensitive applications receives higher priority over throughput-intensive applications such as data warehousing.
Zone-based QoS is included in the Cisco MDS 9000 Family Enterprise Package and complements the standard QoS data-traffic classification by VSAN ID, N-port worldwide name (WWN), and Fibre Channel identifier (FC-ID). Zone-based QoS helps simplify configuration and administration by using the familiar zoning concept. QoS can also be configured per VSAN or can be policy or class based.
• Extended credits: The extended credits feature allows up to 4095 buffer credits from a pool of more than 6000 buffer credits for a module to be allocated to ports as needed. Adding credits increases distances for Fibre Channel SAN extension.
• Small Computer System Interface (SCSI) flow statistics: Logical unit number (LUN)-level SCSI flow statistics are collected for any combination of initiator and target. The scope of these statistics includes read, write, and error statistics. This feature is available only on Cisco MDS 9000 Family storage services modules and the Cisco MDS 9000 Advanced Services Module.
Enhanced Network Security Features
• Switch-switch and host-switch authentication: Fibre Channel Security Protocol (FC-SP) capabilities in Cisco MDS 9000 NX-OS provide switch-switch and host-switch authentication. This feature helps eliminate disruptions that may occur because of unauthorized devices connecting to a large enterprise fabric.
• Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP): This protocol is used to perform authentication locally in the Cisco MDS 9000 Family switch or remotely through RADIUS or TACACS+. If authentication fails, a switch or host cannot join the fabric.
• Port security: This feature locks the mapping of an entity to a switch port. The entity can be a host, target, or switch and is identified by its WWN. This feature helps ensure that SAN security is not compromised by connection of unauthorized devices to a switch port.
• VSAN-based access control: This feature allows customers to define roles in which the scope of a role is limited to certain VSANs. For example, a network administrator role can be set up to allow configuration of all platform-specific capabilities, and VSAN-administrator roles can be set up to allow configuration and management of only specific VSANs. VSAN-based access control reduces SAN disruptions by localizing the effects of user errors to the VSANs for which the user has administrative privileges.
• IP Security (IPsec): IPsec is available for FCIP and SCSI over IP (iSCSI) over Gigabit Ethernet ports on the Cisco MDS 9000 18/4-Port Multiservice Module (MSM), MDS 9000 16-Port Storage Services Node (SSN), and MDS 9222i Multiservice Modular Switch (MMS). In a future MDS 9000 NX-OS release, IPsec will also be available on the Cisco MDS 9250i Multilayer Fabric Switch, the next-generation intelligent services switch. The proven IETF standard IPsec capabilities offer secure authentication, data encryption for privacy, and data integrity. Internet Key Exchange Version 1 (IKEv1) and IKEv2 are used to dynamically set up the IPsec security associations, with preshared keys used for remote-side authentication.
• Digital certificates: Digital certificates are issued by a trusted third party and are used as electronic passports to prove the identity of certificate owners. After the trusted third party verifies the owner's identity, the certificate it issues binds the owner's public key to the identity data contained in the certificate. On the Cisco MDS 9000 Family platform, digital certificates apply to IKE as well as to Secure Shell (SSH).
• Fabric binding for open systems: Fabric binding helps ensure that Inter-Switch Links (ISLs) are enabled only between switches that have been authorized in the fabric binding configuration. This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations.
• Cisco TrustSec® Fibre Channel Link Encryption: Cisco TrustSec Fibre Channel Link Encryption helps ensure data integrity and privacy. It is an extension of the FC-SP feature and uses the existing FC-SP architecture. Starting with Cisco MDS 9000 NX-OS Release 4.2(1), Fibre Channel data between E-ports of 8-Gbps modules can be encrypted, and in a future MDS 9000 NX-OS release, Fibre Channel data between E-ports of Cisco MDS 9000 16-Gbps Fibre Channel switching modules can also be encrypted. The encryption algorithm is 128-bit Advanced Encryption Standard (AES), and an interface can be configured for either AES Galois/Counter Mode (GCM) or AES Galois Message Authentication Code (GMAC) mode. AES-GCM provides both encryption and authentication of the frames, whereas AES-GMAC provides only authentication of the frames passed between the two E-ports. Frames are encapsulated and encrypted (AES-128 in GCM mode) at egress at line rate; at ingress, frames are decrypted and their integrity is authenticated. There are two primary use cases: one for customers connecting outside the data center over native Fibre Channel (for example, using dark fiber, coarse wavelength-division multiplexing [CWDM] or dense wavelength-division multiplexing [DWDM]), and one for encryption within the data center.
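The following Go program is an added illustration of the GCM-versus-GMAC distinction above; it is not Cisco code and does not reproduce the FC-SP frame format. It assumes a constructed frame (a short header sent in the clear plus a payload), a 16-byte AES-128 key and a 12-byte nonce that is unique per frame under a given key, and shows that GCM hides the payload while GMAC leaves it readable but still detects any modification of header or payload.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// newAEAD builds AES-128-GCM (16-byte key); GMAC is GCM with empty plaintext.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect models egress on an E-port: the clear-text header is authenticated as
// additional data; encrypt=true (AES-GCM) returns ciphertext||tag, encrypt=false
// (AES-GMAC) returns payload||tag, leaving the payload readable on the wire.
func Protect(key, nonce, header, payload []byte, encrypt bool) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if encrypt {
		return aead.Seal(nil, nonce, payload, header), nil
	}
	tag := aead.Seal(nil, nonce, nil, append(append([]byte{}, header...), payload...))
	return append(append([]byte{}, payload...), tag...), nil
}

// Verify models ingress: returns the payload, or an error if the tag fails.
func Verify(key, nonce, header, wire []byte, encrypt bool) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if encrypt {
		return aead.Open(nil, nonce, wire, header)
	}
	n := len(wire) - aead.Overhead()
	if n < 0 {
		return nil, errors.New("frame shorter than the GMAC tag")
	}
	frame := append(append([]byte{}, header...), wire[:n]...)
	if _, err := aead.Open(nil, nonce, wire[n:], frame); err != nil {
		return nil, err
	}
	return wire[:n], nil
}
```

Because GMAC authenticates without encrypting, a capture of a GMAC-protected link still exposes frame contents; the mode is a fit only where integrity, not confidentiality, is the requirement.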
Limitations on Cisco MDS 9100 Series Switches
• Extended credits
• SCSI flow statistics
• Cisco TrustSec Fibre Channel Link Encryption
Table 1. Ordering Information
For More Information