Configuring Cisco TrustSec Fibre Channel Link Encryption

This chapter provides an overview of the Cisco TrustSec Fibre Channel (FC) Link Encryption feature and describes how to configure and set up link-level encryption between switches.


Cisco TrustSec FC Link Encryption Terminology

This chapter explains the following Cisco TrustSec FC Link Encryption-related terms:

  • Galois Counter Mode (GCM): A block cipher mode of operation that provides both confidentiality and data-origin authentication.

  • Galois Message Authentication Code (GMAC): The authentication-only variant of GCM. It provides data-origin authentication through GCM but does not encrypt the frame payload.

  • Security Association (SA): It is an agreement between two switches that manages the security credentials and controls how they propagate between switches. The SA includes parameters such as salt and keys.

  • Key: It is a 128-bit or 256-bit string in hexadecimal format that is used for frame encryption and decryption. The default value is zero.

  • Salt: It is a 32-bit hexadecimal number that is used during encryption and decryption. The same salt must be configured on both sides of the connection to ensure proper communication. The default value is zero.

  • Security Parameters Index (SPI) number: It is a 32-bit number that identifies the SA to be configured to the hardware.

About Cisco TrustSec FC Link Encryption

Cisco TrustSec FC Link Encryption is an extension of the Fibre Channel Security Protocol (FC-SP) feature that provides integrity and confidentiality of FC-SP transactions.

The Advanced Encryption Standard (AES) is a symmetric cipher algorithm that provides a high level of link-level security. Cisco TrustSec FC Link Encryption supports both 128-bit and 256-bit key sizes. It also supports Galois Counter Mode (GCM) for authentication and encryption of data frames between the peers and Galois Message Authentication Code (GMAC) for authentication of unencrypted data frames between the peers.

Peer authentication using the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) is supported. Each peer sends a challenge and a hash function name to the other peer, which returns a response calculated using these parameters and the preconfigured secret key for the peer. If the response was computed with the correct key, the responder is authenticated. The secret key is never sent on the link. Secret keys should be unique for each direction. Peer connection without authentication is also supported.

Once peers are authenticated, secure communication is established using the Fibre Channel Secure Association Management protocol. This protocol uses Internet Key Exchange (IKE) to encrypt both FC SA Management and Fibre Channel traffic. AES is the only supported encryption algorithm for Security Associations.

Starting in Cisco MDS NX-OS Release 9.4(3), the default global maximum encryption key size is increased to 256 bits on directors with Supervisor Module-4 and on 64-Gbps Fabric switches. Other devices support only a 128-bit key. The following table shows SA encryption support for each platform and module type:

Table 1. SA encryption support

Platform                                                AES-128   AES-256
Cisco MDS 9148V 64-Gbps 48-Port Fibre Channel           Yes       Yes
Cisco MDS 9396V 64-Gbps 96-Port Fibre Channel           Yes       Yes
Cisco MDS 9124V 64-Gbps 24-Port Fibre Channel           Yes       Yes
MDS 9700 64 Gbps Module                                 Yes       Yes
Cisco MDS 9700 Series Supervisor-4 Module               Yes       Yes
Cisco MDS 9148S 16-Gbps Multilayer Fabric Switch        Yes       No
Cisco MDS 9148T 32-Gbps 48-Port Fibre Channel Switch    Yes       No
Cisco MDS 9220i 32-Gbps Multiservice Fabric Switch      Yes       No
Cisco MDS 9396S 16-Gbps Multilayer Fabric Switch        Yes       No
Cisco MDS 9396T 32-Gbps 96-Port Fibre Channel Switch    Yes       No
MDS 9700 16 Gbps Module                                 Yes       No
MDS 9700 32 Gbps Module                                 Yes       No
Cisco MDS 9700 Series Supervisor-1 Module               Yes       No
Cisco MDS 9000 24/10-Port SAN Extension Module          Yes       No

For more information on increasing the global maximum encryption key size from 128 bits to 256 bits, see Configuring Security Association Parameters.

Starting in Cisco MDS NX-OS Release 9.4(4), the default global maximum encryption key size for SNMP is increased to 256 bits. However, AES-128 remains the default privacy encryption algorithm. The DES privacy encryption algorithm is still supported. For more information, see Configuring SNMP.


Note


Cisco TrustSec FC Link Encryption is only supported between Cisco MDS switches.

This feature is not supported when you downgrade to software versions that do not have Encapsulating Security Payload (ESP) support.



Supported Modules

Cisco TrustSec FC Link Encryption support is available only on certain ports for the following modules and switches:

Table 2. Cisco TrustSec FC Link Encryption Port Support by Module and Switch

Model               Description                                              Cisco TrustSec Capable Ports                 Encryption Key Length
DS-X9748-3072K9     64 Gbps Fibre Channel Switching Module                   9, 11, 13, 15, 25, 27, 29, 31                AES 256 bit
DS-X9648-1536K9     32 Gbps Fibre Channel Switching Module                   9-12, 25-28, 41-44                           AES 128 bit
DS-X9448-768K9      16 Gbps Fibre Channel Switching Module                   All FC ports                                 AES 128 bit
DS-X9334-K9         24/10 Port SAN Extension Module                          All FC ports                                 AES 128 bit
DS-C9132T-K9        MDS 9132T Fabric Switch                                  9-12, 25-28                                  AES 128 bit
DS-C9148T-K9        MDS 9148T Fabric Switch                                  9-12, 25-28, 41-44                           AES 128 bit
DS-C9396T-K9        MDS 9396T Fabric Switch                                  9-12, 25-28, 41-44, 57-60, 73-76, 89-92      AES 128 bit
DS-C9220I-K9        MDS 9220i 32 Gbps 12-Port Fibre Channel Fabric Switch    9-12                                         AES 128 bit
DS-C9124V-24PEVK9   MDS 9124V 64 Gbps 24-Port Fibre Channel Fabric Switch    9-12                                         AES 256 bit
DS-C9148V-48PETK9   MDS 9148V 64 Gbps 48-Port Fibre Channel Fabric Switch    9-12, 33-36                                  AES 256 bit
DS-C9396V-K9        64 Gbps 96 Port Fibre Channel Switch                     1-4, 25-28, 57-60, 81-84                     AES 256 bit

Enabling Cisco TrustSec FC Link Encryption

By default, the FC-SP feature and the Cisco TrustSec FC Link Encryption feature are disabled in all switches in the Cisco MDS 9000 Family.

You must explicitly enable the FC-SP feature to access the configuration and verification commands for fabric authentication and encryption. When you disable this feature, all related configurations are automatically discarded.

Configuring the Cisco TrustSec FC Link Encryption feature requires the ENTERPRISE_PKG license (Advantage or Premier tiers). For more information, refer to the Cisco MDS 9000 Family NX-OS Licensing Guide.

Ensure peer authentication is enabled before configuring Cisco TrustSec FC Link Encryption. For more information, see Configuring FC-SP and DHCHAP.

To enable FC-SP encryption for a Cisco MDS switch, follow these steps:

Procedure


Step 1

switch# configure terminal

Enters configuration mode.

Step 2

switch(config)# feature fcsp

Enables the FC-SP feature.

Step 3

switch(config)# no feature fcsp

(Optional) Disables the FC-SP feature in this switch.


Configuring Security Associations

To perform encryption between switches, a security association (SA) needs to be configured. You must manually configure the SA before encryption can take place. You can configure up to two thousand SAs in a switch.


Note


Cisco TrustSec FC Link Encryption supports only the DHCHAP authentication mode and the no-authentication mode.

To configure an SA, follow these steps:

Procedure


Step 1

switch# configure terminal

Enters configuration mode.

Step 2

switch(config)# fcsp esp sa spi_number

Enters into SA submode for configuring SAs. The range of spi_number is from 256 to 65536.

Step 3

switch(config)# no fcsp esp sa spi_number

(Optional) Deletes SA. If the specified SA is currently configured on an interface, this command returns an error saying that the SA is in use.


Configuring Security Association Parameters

To set up the SA key and salt parameters, follow these steps:

Procedure


Step 1

switch# configure terminal

Enters configuration mode.

Step 2

switch(config)# fcsp esp sa spi_number

Enters into SA submode for configuring SAs. The range of spi_number is from 256 to 65536.

Step 3

switch(config-sa)# key key

Configures the key for the SA. Enter the encryption key as a hexadecimal string prefixed with 0x. The maximum key size is bounded by the SA encryption type set with the encryption aes command.

Step 4

switch(config-sa)# no key key

(Optional) Removes the key from the SA.

Step 5

switch(config-sa)# salt salt

Configures the salt for the SA. The range is from 0x0 to 0xffffffff.

Step 6

switch(config-sa)# no salt salt

(Optional) Removes the salt for the SA.

Step 7

switch(config-sa)# encryption {aes-128 | aes-256}

(Optional) Configures the encryption type of the SA. The encryption types are aes-128 or aes-256.

This step is applicable from Cisco MDS NX-OS Release 9.4(3).

Note

 

If you change the encryption type from 256 bits to 128 bits, the key is reset to 0. You must re-enter the key value after the encryption type is updated.

If you want to downgrade from Cisco MDS NX-OS Release 9.4(3) or later to an earlier version, either set the encryption to AES with a 128 bit key or remove the Security Association (SA) configuration from the switch.


Configuring ESP


Configuring ESP for Interfaces

Once the SAs are created, you need to configure Encapsulating Security Protocol (ESP) on the interfaces. This allows you to specify the egress and ingress SAs to encrypt and decrypt packets between the network peers. The egress SA specifies which keys or parameters are to be used for encrypting the packets that are sent to the peer through the interface. The ingress SA specifies which keys or parameters are to be used to decrypt the packets received from the peer through the interface.

For maximum security, use different SAs, each with unique keys, for ingress and egress traffic. This way, if an attacker breaks the key in one direction and gains access to all frames transmitted in that direction, traffic in the other direction is still secure.

To check if an interface supports ESP, use the slot module-number show hardware internal fcmac drv-info command.

In the example below, ASICINTF represents the hardware port number that indicates ESP support. If its value is 0, 1, 2, or 3, the corresponding port supports ESP.

switch# slot 1 show hardware internal fcmac drv-info
.
.
.
+-----+-----+----------+--------+--------------+----+-----+----+-------+------+
| PORT| ASIC| ASICINTF|BASE(0x)|DEV-OFFSET(0x)|LoPG|PhyPG|Port|SER(0x)|MLD(0x)|
+-----+-----+----------+--------+--------------+----+-----+----+-------+------+
|  1  | 0   |11        |f8818000  | 20ce8c0000   |  2 |  0  | 11 | 2e | 2f |
|  2  | 0   |10        |f8810000  | 20ce880000   |  2 |  0  | 10 | 2d | 2f |
|  3  | 0   | 9        |f8808000  | 20ce840000   |  2 |  0  |  9 | 2c | 2f |
|  4  | 0   | 8        |f8800000  | 20ce800000   |  2 |  0  |  8 | 2b | 2f |
|  5  | 0   |15        |f8838000  | 20ce9c0000   |  3 |  0  | 15 | 33 | 34 |
|  6  | 0   |14        |f8830000  | 20ce980000   |  3 |  0  | 14 | 32 | 34 |
|  7  | 0   |13        |f8828000  | 20ce940000   |  3 |  0  | 13 | 31 | 34 |
|  8  | 0   |12        |f8820000  | 20ce900000   |  3 |  0  | 12 | 30 | 34 |
|  9  | 0   | 3        |f87d8000  | 20ce4c0000   |  0 |  0  |  3 | 38 | 39 |
| 10  | 0   | 2        |f87d0000  | 20ce480000   |  0 |  0  |  2 | 37 | 39 |
| 11  | 0   | 1        |f87c8000  | 20ce440000   |  0 |  0  |  1 | 36 | 39 |
| 12  | 0   | 0        |f87c0000  | 20ce400000   |  0 |  0  |  0 | 35 | 39 |
| 13  | 0   | 7        |f87f8000  | 20ce5c0000   |  1 |  0  |  7 | 3d | 3e |
| 14  | 0   | 6        |f87f0000  | 20ce580000   |  1 |  0  |  6 | 3c | 3e |
| 15  | 0   | 5        |f87e8000  | 20ce540000   |  1 |  0  |  5 | 3b | 3e |
| 16  | 0   | 4        |f87e0000  | 20ce500000   |  1 |  0  |  4 | 3a | 3e |
| 17  | 1   |11        |f88d0000  | 20d48c0000   |  2 |  0  | 11 | 2e | 2f |
| 18  | 1   |10        |f88c8000  | 20d4880000   |  2 |  0  | 10 | 2d | 2f |
| 19  | 1   | 9        |f88c0000  | 20d4840000   |  2 |  0  |  9 | 2c | 2f |
| 20  | 1   | 8        |f88b8000  | 20d4800000   |  2 |  0  |  8 | 2b | 2f |
| 21  | 1   |15        |f88f0000  | 20d49c0000   |  3 |  0  | 15 | 33 | 34 |
| 22  | 1   |14        |f88e8000  | 20d4980000   |  3 |  0  | 14 | 32 | 34 |
| 23  | 1   |13        |f88e0000  | 20d4940000   |  3 |  0  | 13 | 31 | 34 |
| 24  | 1   |12        |f88d8000  | 20d4900000   |  3 |  0  | 12 | 30 | 34 |
| 25  | 1   | 3        |f8890000  | 20d44c0000   |  0 |  0  |  3 | 38 | 39 |
| 26  | 1   | 2        |f8888000  | 20d4480000   |  0 |  0  |  2 | 37 | 39 |
| 27  | 1   | 1        |f8880000  | 20d4440000   |  0 |  0  |  1 | 36 | 39 |
| 28  | 1   | 0        |f8878000  | 20d4400000   |  0 |  0  |  0 | 35 | 39 |
| 29  | 1   | 7        |f88b0000  | 20d45c0000   |  1 |  0  |  7 | 3d | 3e |
| 30  | 1   | 6        |f88a8000  | 20d4580000   |  1 |  0  |  6 | 3c | 3e |
| 31  | 1   | 5        |f88a0000  | 20d4540000   |  1 |  0  |  5 | 3b | 3e |
| 32  | 1   | 4        |f8898000  | 20d4500000   |  1 |  0  |  4 | 3a | 3e |
| 33  | 2   |11        |f8988000  | 20d68c0000   |  2 |  0  | 11 | 2e | 2f |
| 34  | 2   |10        |f8980000  | 20d6880000   |  2 |  0  | 10 | 2d | 2f |
| 35  | 2   | 9        |f8978000  | 20d6840000   |  2 |  0  |  9 | 2c | 2f |
| 36  | 2   | 8        |f8970000  | 20d6800000   |  2 |  0  |  8 | 2b | 2f |
| 37  | 2   |15        |f89a8000  | 20d69c0000   |  3 |  0  | 15 | 33 | 34 |
| 38  | 2   |14        |f89a0000  | 20d6980000   |  3 |  0  | 14 | 32 | 34 |
| 39  | 2   |13        |f8998000  | 20d6940000   |  3 |  0  | 13 | 31 | 34 |
| 40  | 2   |12        |f8990000  | 20d6900000   |  3 |  0  | 12 | 30 | 34 |
| 41  | 2   | 3        |f8948000  | 20d64c0000   |  0 |  0  |  3 | 38 | 39 |
| 42  | 2   | 2        |f8940000  | 20d6480000   |  0 |  0  |  2 | 37 | 39 |
| 43  | 2   | 1        |f8938000  | 20d6440000   |  0 |  0  |  1 | 36 | 39 |
| 44  | 2   | 0        |f8930000  | 20d6400000   |  0 |  0  |  0 | 35 | 39 |
| 45  | 2   | 7        |f8968000  | 20d65c0000   |  1 |  0  |  7 | 3d | 3e |
| 46  | 2   | 6        |f8960000  | 20d6580000   |  1 |  0  |  6 | 3c | 3e |
| 47  | 2   | 5        |f8958000  | 20d6540000   |  1 |  0  |  5 | 3b | 3e |
| 48  | 2   | 4        |f8950000  | 20d6500000   |  1 |  0  |  4 | 3a | 3e |
+-----+-----+----------+--------+--------------+----+-----+----+-------+------+
.
.
.
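The ASICINTF rule above is easy to misread on a 48-port table, so here is an added example (not from the Cisco guide) that parses the drv-info output and lists which ports can carry ESP; it embeds a few rows of the output shown above as constructed sample input, and the function names are this example's own.

```python
# Excerpt of the `slot 1 show hardware internal fcmac drv-info` output above,
# kept to a handful of rows as constructed sample input for this example.
DRV_INFO_SAMPLE = """\
+-----+-----+----------+--------+--------------+----+-----+----+-------+------+
| PORT| ASIC| ASICINTF|BASE(0x)|DEV-OFFSET(0x)|LoPG|PhyPG|Port|SER(0x)|MLD(0x)|
+-----+-----+----------+--------+--------------+----+-----+----+-------+------+
|  1  | 0   |11        |f8818000  | 20ce8c0000   |  2 |  0  | 11 | 2e | 2f |
|  8  | 0   |12        |f8820000  | 20ce900000   |  3 |  0  | 12 | 30 | 34 |
|  9  | 0   | 3        |f87d8000  | 20ce4c0000   |  0 |  0  |  3 | 38 | 39 |
| 12  | 0   | 0        |f87c0000  | 20ce400000   |  0 |  0  |  0 | 35 | 39 |
| 13  | 0   | 7        |f87f8000  | 20ce5c0000   |  1 |  0  |  7 | 3d | 3e |
| 25  | 1   | 3        |f8890000  | 20d44c0000   |  0 |  0  |  3 | 38 | 39 |
| 28  | 1   | 0        |f8878000  | 20d4400000   |  0 |  0  |  0 | 35 | 39 |
| 41  | 2   | 3        |f8948000  | 20d64c0000   |  0 |  0  |  3 | 38 | 39 |
| 44  | 2   | 0        |f8930000  | 20d6400000   |  0 |  0  |  0 | 35 | 39 |
+-----+-----+----------+--------+--------------+----+-----+----+-------+------+
"""

# Per the text above, a port supports ESP when its ASICINTF value is 0-3.
ESP_CAPABLE_ASICINTF = {0, 1, 2, 3}


def parse_drv_info(text):
    """Return {front-panel port: ASICINTF} for every data row in the table."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells[0].isdigit():
            continue  # header row ("PORT", "ASIC", ...)
        ports[int(cells[0])] = int(cells[2])  # column 2 is ASICINTF
    return ports


def esp_capable_ports(text):
    """Sorted list of ports whose ASICINTF value marks them as ESP-capable."""
    return sorted(p for p, intf in parse_drv_info(text).items()
                  if intf in ESP_CAPABLE_ASICINTF)


def check_interfaces(slot, wanted_ports, text):
    """Return the fcX/Y names among wanted_ports that cannot carry ESP, so a
    planned SA assignment can be rejected before the interface is shut down."""
    capable = set(esp_capable_ports(text))
    return [f"fc{slot}/{p}" for p in sorted(wanted_ports) if p not in capable]


if __name__ == "__main__":
    print("ESP-capable ports:", esp_capable_ports(DRV_INFO_SAMPLE))
    print("Not usable for ESP:", check_interfaces(1, [8, 9, 13], DRV_INFO_SAMPLE))
```

Run against the full 48-row output, the capable set comes out as ports 9-12, 25-28 and 41-44, which matches the DS-X9648-1536K9 row of Table 2.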


Configuring ESP for Ingress Traffic

ESP can only be configured on interfaces in E or Auto port mode.

To configure an ingress SA on an interface, follow these steps:

Procedure

Step 1

switch# configure terminal

Enters the configuration mode.

Step 2

switch(config)# interface fc x/y

Configures the FC interface to slot x, port y.

Note

 
Selecting a portchannel will apply the configuration on all members of the portchannel.

Step 3

switch(config-if)# shutdown

Sets the interface to be shut down. The interface must be in this mode to apply an SA.

Step 4

switch(config-if)# switchport mode auto

Set the interface type to either auto detect or E port. ESP is only supported in these two modes.

Step 5

switch(config-if)# fcsp on

Set the interface FC-SP mode to always on. Manual SA configuration is only allowed when the interface FC-SP mode is always on.

Step 6

switch(config-if)# fcsp esp manual

Enters the ESP configuration submode.

Step 7

switch(config-if-esp)# ingress-sa spi_number

Configures the SA to the ingress interface. The SA is not accepted if the SA key size is not supported by the interface hardware.

Step 8

switch(config-if-esp)# no ingress-sa spi_number

(Optional) Removes the SA from the ingress interface. If no SA is configured on the ingress port, running this command returns an error message.

Step 9

switch(config)# no shutdown

(Optional) Enables the interface.


Configuring ESP for Egress Traffic

ESP can only be configured on interfaces in E or Auto port mode.

To configure an egress SA on an interface, follow these steps:

Procedure

Step 1

switch# configure terminal

Enters the configuration mode.

Step 2

switch(config)# interface fc x/y

Configures the FC interface on slot x, port y.

Note

 
Selecting a portchannel will apply the configuration to all members of the portchannel.

Step 3

switch(config-if)# shutdown

Sets the interface to be shut down. The interface must be in this mode to apply an SA.

Step 4

switch(config-if)# switchport mode auto

Set the interface type to either auto detect or E port. ESP is only supported in these two modes.

Step 5

switch(config-if)# fcsp on

Set the interface FC-SP mode to always on. Manual SA configuration is only allowed when the interface FC-SP mode is always on.

Step 6

switch(config-if)# fcsp esp manual

Enters the ESP configuration submode.

Step 7

switch(config-if-esp)# egress-sa spi_number

Configures the SA to the egress interface. The SA is not accepted if the SA key size is not supported by the interface hardware.

Step 8

switch(config-if)# no fcsp esp manual

(Optional) Removes the SAs from the ingress and egress sides of the interface. If no SA is configured on the egress port, running this command returns an error message.

Step 9

switch(config)# no shutdown

(Optional) Enables the interface.


Configuring ESP Modes

Configure the ESP settings for the ports as GCM to enable message authentication and encryption or as GMAC to enable only message authentication.

The default ESP mode is AES-GCM. Set the ESP mode only after an SA is attached to either the ingress or egress interface. If an SA is attached to an interface but ESP is turned off, encapsulation does not occur.

Configuring AES-GCM

To configure an interface to use AES-GCM mode, follow these steps:

Procedure

Step 1

switch# configure terminal

Enters the configuration mode.

Step 2

switch(config)# interface fc x/y

Configures the FC interface to slot x, port y.

Note

 
Selecting a portchannel will apply the configuration on all members of the portchannel.

Step 3

switch(config-if)# fcsp on

Set the interface FC-SP mode to always on. Manual SA configuration is only allowed when the interface FC-SP mode is always on.

Step 4

switch(config-if)# fcsp esp manual

Enters the ESP configuration submode to configure the ESP settings on the interface.

Step 5

switch(config-if-esp)# mode gcm

Sets GCM mode for the interface.


Configuring AES-GMAC

To configure an interface to use AES-GMAC mode, follow these steps:


Note


You can modify an existing ESP configuration provided the selected ISLs are enabled. However, changing the ESP mode always requires an interface flap as the change is not seamless when applied after the interface is configured.


Procedure

Step 1

switch# configure terminal

Enters the configuration mode.

Step 2

switch(config)# interface fc x/y

Configures the FC interface on slot x, port y.

Note

 
Selecting a portchannel will apply the configuration to all members of the portchannel.

Step 3

switch(config-if)# fcsp on

Set the interface FC-SP mode to always on. Manual SA configuration is only allowed when the interface FC-SP mode is always on.

Step 4

switch(config-if)# fcsp esp manual

Enters the ESP configuration submode to configure the ESP settings on the interface.

Step 5

switch(config-if-esp)# mode gmac

Sets GMAC mode for the interface.

Step 6

switch(config-if-esp)# no mode gmac

(Optional) Removes GMAC mode from the interface and applies the default AES-GCM mode.


Viewing Cisco TrustSec FC Link Encryption Information


Viewing Interface FC-SP Information

Use the show fcsp interface command to show all FC-SP related information for a specific interface.

switch# show fcsp interface fc7/41

fc7/41:
  fcsp authentication mode:SEC_MODE_OFF  // FC-SP authentication is turned off for this interface.
  ESP is enabled                        // Encapsulating Security Payload (ESP) is active, providing data integrity and confidentiality.
  configured mode is: GCM              // The mode configured for ESP is Galois/Counter Mode (GCM), which is a mode of operation for cryptographic algorithms.
  programmed ingress SA:303            // Security Association (SA) for incoming traffic is set to 303, defining the parameters for secure communication.
  programmed egress SA: 300            // Security Association for outgoing traffic is set to 300.
  Status:FC-SP protocol in progress    // The FC-SP protocol is currently active, indicating ongoing security processes.

Viewing FC-SP Configuration

Use the show running-config fcsp command to display all FC-SP configuration. All details about ESP and configured interfaces are displayed. Use this command to determine which interfaces are using FC-SP and which SAs they use.

switch# show running-config fcsp

version 9.4(3)
feature fcsp
fcsp dhchap password 7 fewhg@123
fcsp esp sa 257
  encryption aes-128
  key 0x59D80A0EF24E0B7B886A7AE26AE368E1
  salt 0xE3417D89
fcsp esp sa 258
  encryption aes-128
  key 0x8DB0AEC6A5B0CA31C8798E33696101CB
  salt 0x73C2
fcsp esp sa 335
  encryption aes-256
  key 0x59D80A0EF24E0B7B886A7AE26AE368E059D80A0EF24E0B7B886A7AE26AE368E1
  salt 0xE3417D89
interface port-channel241
  fcsp on
  fcsp esp manual
    ingress-sa 257
    egress-sa 258

interface fc1/1
  fcsp on

interface fc1/4
  fcsp on

interface fc1/26
  fcsp on

interface fc1/60
  fcsp on
  fcsp esp manual
    ingress-sa 257
    egress-sa 258
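As an added example (not part of the Cisco guide), the following Python audit parses that running-config output and checks it against the rules stated in this chapter: the SPI range, a key or salt left at the default of zero (which is also what you get after switching an SA from 256-bit to 128-bit encryption), a key length that does not match the encryption type, a key shared by several SAs, an interface that uses the same SA for ingress and egress, and an interface that references an undefined SA. The sample input is trimmed from the page's own output above; function names are this example's own.

```python
import re

# `show running-config fcsp` output trimmed from the example above and
# embedded as sample input (the keys and salts are the page's sample values).
RUNNING_CONFIG = """\
fcsp esp sa 257
  encryption aes-128
  key 0x59D80A0EF24E0B7B886A7AE26AE368E1
  salt 0xE3417D89
fcsp esp sa 258
  encryption aes-128
  key 0x8DB0AEC6A5B0CA31C8798E33696101CB
  salt 0x73C2
fcsp esp sa 335
  encryption aes-256
  key 0x59D80A0EF24E0B7B886A7AE26AE368E059D80A0EF24E0B7B886A7AE26AE368E1
  salt 0xE3417D89
interface port-channel241
  fcsp on
  fcsp esp manual
    ingress-sa 257
    egress-sa 258
"""

KEY_BITS = {"aes-128": 128, "aes-256": 256}  # encryption type -> key size


def parse_fcsp_config(text):
    """Return (sas, ifaces): sas maps SPI -> {encryption, key, salt}; ifaces
    maps interface name -> {ingress, egress} SPIs (None when not applied)."""
    sas, ifaces, cur_sa, cur_if = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"fcsp esp sa (\d+)", line):
            cur_sa, cur_if = int(m.group(1)), None
            sas[cur_sa] = {"encryption": None, "key": None, "salt": None}
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur_if, cur_sa = m.group(1), None
            ifaces[cur_if] = {"ingress": None, "egress": None}
        elif cur_sa is not None and (m := re.fullmatch(r"(encryption|key|salt) (\S+)", line)):
            sas[cur_sa][m.group(1)] = m.group(2)
        elif cur_if is not None and (m := re.fullmatch(r"(ingress|egress)-sa (\d+)", line)):
            ifaces[cur_if][m.group(1)] = int(m.group(2))
    return sas, ifaces


def audit_fcsp_config(text):
    """Return a list of findings (empty list means the config passed)."""
    sas, ifaces = parse_fcsp_config(text)
    findings, by_key = [], {}
    for spi, sa in sas.items():
        if not 256 <= spi <= 65536:
            findings.append(f"SA {spi}: SPI outside the documented range 256-65536")
        enc = sa["encryption"] or "aes-128"  # aes-128 when no type is configured
        key, salt = sa["key"], sa["salt"]
        if key is None or int(key, 16) == 0:
            findings.append(f"SA {spi}: key is unset or zero (the default)")
        else:
            by_key.setdefault(key.lower(), []).append(spi)
            if (len(key) - 2) * 4 != KEY_BITS.get(enc, 128):
                findings.append(f"SA {spi}: {(len(key) - 2) * 4}-bit key does not match {enc}")
        if salt is None or int(salt, 16) == 0:
            findings.append(f"SA {spi}: salt is unset or zero (the default)")
    for spis in by_key.values():  # one key for two SAs defeats per-direction keys
        if len(spis) > 1:
            findings.append(f"SAs {spis} share the same key")
    for name, sa in ifaces.items():
        ing, eg = sa["ingress"], sa["egress"]
        if ing is not None and ing == eg:
            findings.append(f"{name}: SA {ing} reused for ingress and egress")
        for direction, spi in (("ingress", ing), ("egress", eg)):
            if spi is not None and spi not in sas:
                findings.append(f"{name}: {direction}-sa {spi} refers to an undefined SA")
    return findings


if __name__ == "__main__":
    print(audit_fcsp_config(RUNNING_CONFIG) or "no findings")
```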

Viewing FC-SP Interface Statistics

Use the show fcsp interface statistics command to show all statistics related to DHCHAP and ESP for an interface. The ESP statistics shown depend on the capabilities of the interface hardware.

switch# show fcsp interface fc3/31 statistics
 
fc7/41:
fcsp authentication mode:SEC_MODE_ON
ESP is enabled
configured mode is: GMAC
programmed ingress SA: 256, 257
programmed egress SA: 256
Status:Successfully authenticated
Authenticated using local password database
Statistics:
FC-SP Authentication Succeeded:17
FC-SP Authentication Failed:3
FC-SP Authentication Bypassed:0
FC-SP ESP SPI Mismatched frames:0
FC-SP ESP Auth failed frames:0

Cisco TrustSec FC Link Encryption Best Practices

Best practices are the recommended steps that should be taken to ensure the proper operation of Cisco TrustSec FC Link Encryption.


General Best Practices

This section lists the general best practices for Cisco TrustSec FC Link Encryption:

  • Ensure that Cisco TrustSec FC Link Encryption is enabled only between MDS switches. This feature is supported only on E-ports or the ISLs, and errors will result if non-MDS switches are used.

  • Ensure that the peers in the connection have the same configurations. If there are differences in the configurations, a “port re-init limit exceeded” error message is displayed.

  • Before applying the SA to the ingress and egress hardware of a switch interface, ensure that the interface is administratively shut down.

Best Practices for Changing Keys

After the SA is applied to the ingress and egress ports, you should change the keys periodically in the configuration. This practice safeguards against unauthorized access and potential security breaches by limiting the duration of encryption key usage. The keys should be changed sequentially to avoid traffic disruption.

As an example, consider that a security association has been created between two switches, Switch1 and Switch2. The SA is configured on the ingress and egress ports as shown in the following example:

switch# configure terminal
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if)# ingress-sa 256
switch(config-if)# egress-sa 256

To change the keys for these switches, follow these steps:

Procedure


Step 1

Add a new SA on Switch1 and Switch2.

switch# configure terminal
switch(config)# fcsp esp sa 257
switch(config-sa)# key 0xAC9EF8BC8DB2DBD2008D184F794E0C38
switch(config-sa)# salt 0x1234

Step 2

Configure the ingress SA on Switch1.

switch# configure terminal
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if)# ingress-sa 257

Step 3

Configure the ingress and the egress SA on Switch2.

switch# configure terminal
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if)# ingress-sa 257
switch(config-if)# egress-sa 257

Step 4

Configure the egress SA on Switch1.

switch# configure terminal
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if)# egress-sa 257

Step 5

Remove the previously configured ingress SA from both the switches.

switch# configure terminal
switch(config)# interface fc1/1
switch(config-if)# fcsp esp manual
switch(config-if)# no ingress-sa 256