Configuring Fibre Channel Common Transport Management Security
This chapter describes the Fibre Channel Common Transport (FC-CT) Management Security feature for Cisco MDS 9000 Series switches.
About Fibre Channel Common Transport
With the FC-CT management security feature, you can configure the network so that only a storage administrator or a network administrator can send queries to a switch and access information such as the devices that are logged in to the fabric, the switches in the fabric, how they are connected, how many ports each switch has and where each port is connected, configured zone information and the privilege to add or delete zones and zone sets, and host bus adapter (HBA) details of all the hosts connected in the fabric.
Note: In Cisco MDS NX-OS Release 6.2(9), the FC management feature is disabled by default. To enable the FC management feature, use the fc-management enable command.
You can configure which pWWNs can send FC-CT management query and modify requests to the management server. When any of the modules, such as a zone server, unzoned Fibre Channel name server (FCNS), or Fabric Configuration Server (FCS), receives an FC-CT management query, it performs a read operation on the FC-management database. If the device is found in the FC-management database, a reply is sent according to the permissions granted. If the device is not found in the FC-management database, each module sends a reject. If FC-management is disabled, each module processes each management query.
Configuration Guidelines
The FC-management security feature has the following configuration guidelines:
- When the FC-management security feature is enabled on a Cisco MDS switch, all management queries to the server are rejected unless the port world-wide name (pWWN) of the device that is sending management queries is added to the FC-management database.
- When you enable FC Management, FC-CT management server queries from N_Port Virtualization (NPV) switches to N_Port Identifier Virtualization (NPIV) switches are rejected. We recommend that you add the switch world-wide name (sWWN) of the NPV switch to the FC management database of the NPIV switch after enabling the FC-management security feature.
Configuring the Fibre Channel Common Transport Query
To configure the FC-CT management security, follow these steps:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | switch# config terminal | Enters configuration mode. |
| Step 2 | switch(config)# fc-management enable | Enables the FC-CT management security. |
| Step 3 | switch(config)# fc-management database vsan 1 | Configures the FC-CT management security database. |
| Step 4 | switch(config-fc-mgmt)# pwwn 1:1:1:1:1:1:1:1 feature all operation both | Adds the pWWN to the FC management database. |
| Step 5 | switch# show fc-management database | Displays the configured FC-CT management information. |

You can also use these optional keywords when configuring the pwwn command in Step 4:
- fcs: Enables or disables FC-CT query for fabric conf-server.
- fdmi: Enables or disables FC-CT query for FDMI.
- unzoned-ns: Enables or disables FC-CT query for unzoned name-server.
- zone: Enables or disables FC-CT query for zone-server.
Verifying Fibre Channel Common Transport Management Security
The show fc-management database command displays the configured FC-CT management security feature information (see Example 13-1).
Example 13-1 Displays the Contents of the Fibre Channel Common Transport Query
switch# show fc-management database
--------------------------------------------------------------
VSAN PWWN FC-CT Permissions per FC services
--------------------------------------------------------------
1 01:01:01:01:01:01:01:01 Zone(RW), Unzoned-NS(RW), FCS(RW), FDMI(RW)
1 02:02:02:02:02:02:02:02 Zone(R), Unzoned-NS(R), FCS(R), FDMI(R)
1 03:03:03:03:03:03:03:03 Zone(W), Unzoned-NS(W), FCS(W), FDMI(W)
--------------------------------------------------------------
To verify whether the FC-management security feature is enabled, use the show fc-management status command:
switch# show fc-management status
switch#
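The following added example (not part of the Cisco documentation) parses output in the format of Example 13-1, models the accept/reject behavior described in "About Fibre Channel Common Transport", and lists the pWWNs that hold write permission so they can be reviewed against least privilege. The function names are hypothetical, the sample text is constructed from Example 13-1, and rejecting a listed pWWN that lacks the requested permission is an assumption about what "according to the permissions granted" means.

```python
import re

# Constructed sample in the output format shown in Example 13-1.
SAMPLE = """\
--------------------------------------------------------------
VSAN PWWN FC-CT Permissions per FC services
--------------------------------------------------------------
1 01:01:01:01:01:01:01:01 Zone(RW), Unzoned-NS(RW), FCS(RW), FDMI(RW)
1 02:02:02:02:02:02:02:02 Zone(R), Unzoned-NS(R), FCS(R), FDMI(R)
1 03:03:03:03:03:03:03:03 Zone(W), Unzoned-NS(W), FCS(W), FDMI(W)
--------------------------------------------------------------
"""

ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})\s+(.+)$")
PERM = re.compile(r"([A-Za-z-]+)\((R?W?)\)")


def parse_database(text):
    """Return {(vsan, pwwn): {service: permission letters}}."""
    db = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header and separator lines do not match
        if m:
            perms = {svc.lower(): p for svc, p in PERM.findall(m.group(3))}
            db[(int(m.group(1)), m.group(2).lower())] = perms
    return db


def decide(db, enabled, vsan, pwwn, service, op):
    """Model of the described behavior; op is 'R' (query) or 'W' (modify)."""
    if not enabled:
        return "process"  # feature disabled: every management query is processed
    perms = db.get((vsan, pwwn.lower()))
    if perms is None:
        return "reject"   # sender is not in the FC-management database
    # Assumption: a listed pWWN without the requested permission is rejected.
    return "process" if op in perms.get(service.lower(), "") else "reject"


def writers(db, service="zone"):
    """pWWNs allowed to modify a service: candidates for least-privilege review."""
    return sorted(p for (_, p), perms in db.items() if "W" in perms.get(service, ""))


if __name__ == "__main__":
    db = parse_database(SAMPLE)
    print("Zone writers:", writers(db))
    print(decide(db, True, 1, "02:02:02:02:02:02:02:02", "zone", "W"))
```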
Default Settings
Table 13-1 lists the default settings for the FC management security feature in a Cisco MDS 9000 Family switch.
Table 13-1 Default FC Management Settings
| Parameter | Default |
|---|---|
| FC-management | Disabled |