About Cisco TrustSec FC Link Encryption
Cisco TrustSec FC Link Encryption is an extension of the Fibre Channel Security Protocol (FC-SP) feature and uses the existing FC-SP architecture to provide integrity and confidentiality of transactions. Encryption is added to the peer authentication capability to provide security and prevent unwanted traffic interception. Peer authentication is implemented according to the FC-SP standard using the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP).
Note Cisco TrustSec FC Link Encryption is currently supported only between Cisco MDS switches. This feature is not supported when you downgrade to software versions that do not have Encapsulating Security Protocol (ESP) support.
Supported Modules
The following modules are supported for the Cisco TrustSec FC Link Encryption feature:
- 2/4/8/10/16 Gbps 48-ports Advanced Fibre Channel module (DS-X9448-768K9)
- 32-port 8-Gbps Advanced Fibre Channel Switching module (DS-X9232-256K9)
- 48-port 8-Gbps Advanced Fibre Channel Switching module (DS-X9248-256K9)
- 1/2/4/8 Gbps 24-Port Fibre Channel switching module (DS-X9224-96K9)
- 1/2/4/8 Gbps 48-Port Fibre Channel switching module (DS-X9248-96K9)
- 1/2/4/8 Gbps 4/44-Port Fibre Channel switching module (DS-X9248-48K9)
- 2/4/8/10/16 Gbps 96-ports Fibre Channel Switching Module (DS-C9396S-K9)
- 24/10 port SAN Extension module (DS-X9334-K9)
Note 24/10 port SAN Extension module (DS-X9334-K9) is supported on Cisco MDS 9700 Series Directors starting from Cisco MDS NX-OS Release 7.3(0)DY(1).
Enabling Cisco TrustSec FC Link Encryption
By default, the FC-SP feature and the Cisco TrustSec FC Link Encryption feature are disabled in all switches in the Cisco MDS 9000 Family.
You must explicitly enable the FC-SP feature to access the configuration and verification commands for fabric authentication and encryption. When you disable this feature, all related configurations are automatically discarded.
To enable FC-SP for a Cisco MDS switch, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# feature fcsp | Enables the FC-SP feature.
 | switch(config)# no feature fcsp | Disables (default) the FC-SP feature in this switch.
Configuring the Cisco TrustSec FC Link Encryption feature requires the ENTERPRISE_PKG license. For more information, refer to the Cisco MDS 9000 Family NX-OS Licensing Guide.
Setting Up Security Associations
To perform encryption between the switches, a security association (SA) needs to be set up. An administrator manually configures the SA before encryption can take place. The SA includes the parameters, such as keys and salt, that are required for encryption. You can configure up to 2000 SAs in a switch.
To set up an SA between two switches, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# fcsp esp sa spi_number | Enters the SA submode for configuring SAs. The range of spi_number is from 256 to 65536.
Step 3 | switch(config)# no fcsp esp sa spi_number | Deletes the SA between the switches.
To determine which ports are using the SA, use the show running-config fcsp command. Refer to the “Viewing Running System Information” section.
Note Cisco TrustSec FC Link Encryption is currently supported only on DHCHAP on and off modes.
Setting Up Security Association Parameters
To set up the SA parameters, such as keys and salt, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# fcsp esp sa spi_number | Enters the SA submode for configuring SAs. The range of spi_number is from 256 to 65536.
Step 3 | switch(config-sa)# key key | Configures the key for the SA. The maximum size of the key is 34.
Step 4 | switch(config-sa)# no key key | Removes the key from the SA.
Step 5 | switch(config-sa)# salt salt | Configures the salt for the SA. The range is from 0x0 to 0xffffffff.
Step 6 | switch(config-sa)# no salt salt | Removes the salt from the SA.
Configuring ESP Settings
Configuring ESP on Ingress and Egress Ports
Once the SA is created, you need to configure Encapsulating Security Protocol (ESP) on the ports. You should specify the egress and ingress ports for the encryption and decryption of packets between the network peers. The egress SA specifies which keys or parameters are to be used for encrypting the packets that leave the switch. The ingress SA specifies which keys or parameters are to be used to decrypt the packets entering that particular port.
Configuring ESP on Ingress Port
To configure the SA on the ingress hardware, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# interface fc x/y | Configures the FC interface on slot x, port y. Note Selecting a portchannel applies the configuration to all members of the portchannel.
Step 3 | switch(config-if)# fcsp esp manual | Enters the ESP configuration submode.
Step 4 | switch(config-if-esp)# ingress-sa spi_number | Configures the SA on the ingress hardware.
Step 5 | switch(config-if-esp)# no ingress-sa spi_number | Removes the SA from the ingress hardware.
Configuring ESP on Egress Ports
To configure the SA on the egress hardware, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# interface fc x/y | Configures the FC interface on slot x, port y. Note Selecting a portchannel applies the configuration to all members of the portchannel.
Step 3 | switch(config-if)# fcsp esp manual | Enters the ESP configuration submode.
Step 4 | switch(config-if-esp)# egress-sa spi_number | Configures the SA on the egress hardware.
Step 5 | switch(config-if)# no fcsp esp manual | Removes the SA from the ingress and egress hardware.
Note To apply the SA to the ingress and egress hardware of an interface, the interface needs to be in the admin shut mode.
Configuring ESP Modes
Configure the ESP mode of a port as GCM to enable both message authentication and encryption, or as GMAC to enable message authentication only.
The default ESP mode is AES-GCM.
Configuring AES-GCM
To configure the AES-GCM mode, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# interface fc x/y | Configures the FC interface on slot x, port y. Note Selecting a portchannel applies the configuration to all members of the portchannel.
Step 3 | switch(config-if)# fcsp esp manual | Enters the ESP configuration submode to configure the ESP settings on each port.
Step 4 | switch(config-if-esp)# mode gcm | Sets the GCM mode for the interface.
Configuring AES-GMAC
To configure AES-GMAC mode, follow these steps:
Step | Command | Purpose
Step 1 | switch# config t | Enters configuration mode.
Step 2 | switch(config)# interface fc x/y | Configures the FC interface on slot x, port y. Note Selecting a portchannel applies the configuration to all members of the portchannel.
Step 3 | switch(config-if)# fcsp esp manual | Enters the ESP configuration submode to configure the ESP settings on each port.
Step 4 | switch(config-if-esp)# mode gmac | Sets the GMAC mode for the interface.
Step 5 | switch(config-if-esp)# no mode gmac | Removes the GMAC mode from the interface and applies the default AES-GCM mode.
Note The ESP mode takes effect only after an SA is configured on either the ingress or the egress hardware. If no SA has been configured, ESP is turned off and encapsulation does not occur.
Note An ESP mode change always requires a port flap: the configuration is accepted, but changing the mode after the port has been configured is not seamless.
Note Only ISLs with FC-SP port mode turned on and available on ESP-capable switches or blades are displayed.
Note You can modify an existing ESP configuration provided the selected ISLs are enabled.
Cisco TrustSec FC Link Encryption Best Practices
Best practices are the recommended steps that should be taken to ensure the proper operation of Cisco TrustSec FC Link Encryption.
General Best Practices
This section lists the general best practices for Cisco TrustSec FC Link Encryption:
- Ensure that Cisco TrustSec FC Link Encryption is enabled only between MDS switches. This feature is supported only on E-ports (ISLs), and errors will result if non-MDS switches are used.
- Ensure that both peers of a link have the same configuration. If the configurations differ, a “port re-init limit exceeded” error message is displayed.
- Before applying the SA to the ingress and egress hardware of a switch interface, ensure that the interface is in the admin shut mode.
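The two checks above (SA parameters within the documented limits, and matching configuration on both ends of an ISL) can be run against the `show running-config fcsp` output of the two peers before the ports are brought up. The following is an added example, not Cisco code; it assumes the config layout shown on this page (`fcsp esp sa`, `key`, `salt`, `interface`, `ingress-sa`, `egress-sa`, `mode`) and that the egress SA of one side must match the ingress SA of the other in SPI, key and salt.

```python
import re

def parse_fcsp(text):
    """Pull fcsp SAs and per-interface ESP settings out of a running config."""
    sas, ifs, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"fcsp esp sa (\d+)$", line):
            cur = sas.setdefault(int(m[1]), {"key": None, "salt": None})
        elif m := re.match(r"interface (fc\S+)$", line):
            cur = ifs.setdefault(m[1], {"ingress": None, "egress": None, "mode": "gcm"})
        elif cur and "key" in cur and (m := re.match(r"(key|salt) (\S+)$", line)):
            cur[m[1]] = m[2]
        elif cur and "mode" in cur and (m := re.match(r"(ingress|egress)-sa (\d+)$", line)):
            cur[m[1]] = int(m[2])
        elif cur and "mode" in cur and (m := re.match(r"mode (gcm|gmac)$", line)):
            cur["mode"] = m[1]
    return sas, ifs

def check_sa(spi, sa):
    """Limits stated on this page: SPI 256-65536, key at most 34 chars, salt 0x0-0xffffffff."""
    ok = (256 <= spi <= 65536 and sa["key"] is not None and len(sa["key"]) <= 34
          and sa["salt"] is not None and re.fullmatch(r"0x[0-9a-fA-F]{1,8}", sa["salt"]))
    return [] if ok else [f"sa {spi}: spi, key size or salt outside the documented limits"]

def check_isl(local, local_if, peer, peer_if):
    """One ISL: the SA one side encrypts with (egress) must be the SA the other side
    decrypts with (ingress), same SPI, key and salt, and both ends must use one ESP mode."""
    (l_sas, l_ifs), (p_sas, p_ifs) = local, peer
    a, b = l_ifs[local_if], p_ifs[peer_if]
    out = [] if a["mode"] == b["mode"] else [f"esp mode mismatch: {a['mode']} vs {b['mode']}"]
    for label, tx, tx_sas, rx, rx_sas in (("local->peer", a["egress"], l_sas, b["ingress"], p_sas),
                                          ("peer->local", b["egress"], p_sas, a["ingress"], l_sas)):
        if tx is None or tx != rx or tx_sas.get(tx) != rx_sas.get(rx):
            out.append(f"{label}: egress sa {tx} does not match ingress sa {rx}")
    return out

SWITCH1 = """fcsp esp sa 256
  key 0xAC9EF8BC8DB2DBD2008D184F794E0C38
  salt 0x1234
interface fc1/1
  fcsp esp manual
    ingress-sa 256
    egress-sa 256"""                                      # constructed, not real switch output
SWITCH2 = SWITCH1.replace("salt 0x1234", "salt 0x1235")   # constructed: peer got a different salt

def audit(cfg_a, cfg_b, isl="fc1/1"):
    a, b = parse_fcsp(cfg_a), parse_fcsp(cfg_b)
    sa_issues = [p for sas, _ in (a, b) for spi, sa in sas.items() for p in check_sa(spi, sa)]
    return sa_issues + check_isl(a, isl, b, isl)
```

With the constructed inputs, `audit(SWITCH1, SWITCH2)` reports a mismatch in both directions because the two ends were given different salts; the same audit with identical configs returns no findings.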
Best Practices for Changing Keys
After the SA is applied to the ingress and egress ports, you should change the keys periodically in the configuration. The keys should be changed sequentially to avoid traffic disruption.
As an example, consider that a security association has been created between two switches, Switch1 and Switch2. The SA is configured on the ingress and egress ports as shown in the following example:
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if-esp)# ingress-sa 256
switch(config-if-esp)# egress-sa 256
To change the keys for these switches, follow these steps:
Step 1 Add a new SA on Switch1 and Switch2.
switch(config)# fcsp esp sa 257
switch(config-sa)# key 0xAC9EF8BC8DB2DBD2008D184F794E0C38
switch(config-sa)# salt 0x1234
Step 2 Configure the ingress SA on Switch1.
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if-esp)# ingress-sa 257
Step 3 Configure the ingress and the egress SA on Switch2.
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if-esp)# ingress-sa 257
switch(config-if-esp)# egress-sa 257
Step 4 Configure the egress SA on Switch1.
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if-esp)# egress-sa 257
Step 5 Remove the previously configured ingress SA from both switches.
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if-esp)# no ingress-sa 256