About Cisco TrustSec FC Link Encryption
Cisco TrustSec FC Link Encryption is an extension of the Fibre Channel-Security Protocol (FC-SP) feature and uses the existing FC-SP architecture to provide integrity and confidentiality of transactions. Encryption is now added to the peer authentication capability to provide security and prevent unwanted traffic interception. Peer authentication is implemented according to the FC-SP standard using the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) protocol.
Note Cisco TrustSec FC Link Encryption is currently only supported between Cisco MDS switches. This feature is not supported when you downgrade to software versions which do not have the Encapsulating Security Protocol (ESP) support.
Supported Modules
The following modules are supported for the Cisco TrustSec FC Link Encryption feature:
- 2/4/8/10/16 Gbps 48-port Advanced Fibre Channel module (DS-X9448-768K9)
- 32-port 8-Gbps Advanced Fibre Channel Switching module (DS-X9232-256K9)
- 48-port 8-Gbps Advanced Fibre Channel Switching module (DS-X9248-256K9)
- 1/2/4/8 Gbps 24-Port Fibre Channel switching module (DS-X9224-96K9)
- 1/2/4/8 Gbps 48-Port Fibre Channel switching module (DS-X9248-96K9)
- 1/2/4/8 Gbps 4/44-Port Fibre Channel switching module (DS-X9248-48K9)
- 2/4/8/10/16 Gbps 96-port Fibre Channel Switching Module (DS-C9396S-K9)
Enabling Cisco TrustSec FC Link Encryption
By default, the FC-SP feature and the Cisco TrustSec FC Link Encryption feature are disabled in all switches in the Cisco MDS 9000 Family.
You must explicitly enable the FC-SP feature to access the configuration and verification commands for fabric authentication and encryption. When you disable this feature, all related configurations are automatically discarded.
To enable FC-SP for a Cisco MDS switch, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# feature fcsp
Enables the FC-SP feature.
switch(config)# no feature fcsp
Disables (default) the FC-SP feature in this switch.
Configuring the Cisco TrustSec FC Link Encryption feature requires the ENTERPRISE_PKG license. For more information, refer to the Cisco MDS 9000 Family NX-OS Licensing Guide.
Setting Up Security Associations
To perform encryption between the switches, a security association (SA) needs to be set up. An administrator manually configures the SA before encryption can take place. The SA holds the parameters required for encryption, such as the key and the salt, and the same SA (same SPI, key, and salt) must exist on both switches of the link. You can set up to 2000 SAs in a switch.
To set up an SA between two switches, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# fcsp esp sa spi_number
Enters into SA submode for configuring SAs. The range of spi_number is from 256 to 65536.
Step 3
switch(config)# no fcsp esp sa spi_number
Deletes the SA between the switches.
To determine which ports are using the SA, use the show running-config fcsp command. Refer to the “Viewing Running System Information” section.
Note Cisco TrustSec FC Link Encryption is currently supported only with DHCHAP in the on and off modes.
Setting Up Security Association Parameters
To set up the SA parameters, such as keys and salt, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# fcsp esp sa spi_number
Enters into SA submode for configuring SAs. The range of spi_number is from 256 to 65536.
Step 3
switch(config-sa)# key key
Configures the key for the SA. Maximum size of key is 34 characters; the sample keys on this page are 0x followed by 32 hexadecimal digits, that is, a 128-bit key.
Step 4
switch(config-sa)# no key key
Removes the key from the SA.
Step 5
switch(config-sa)# salt salt
Configures the salt for the SA. The range is from 0x0 to 0xffffffff.
Step 6
switch(config-sa)# no salt salt
Removes the salt for the SA.
To set up the SA parameters, such as keys and salt, using Fabric Manager, follow these steps:
Step 1 Expand Switches > Security and then select FC-SP (DHCHAP).
You see the FC-SP configuration in the Information pane.
Step 2 Click the SA tab.
You see the SA parameters for each switch (see Figure 15-1).
Figure 15-1 SA Tab
Step 3 Click the Create Row icon (see Figure 15-2).
Figure 15-2 Create Row Icon
You see the Create SA Parameters dialog box (see Figure 15-3).
Figure 15-3 Create SA Parameters
Step 4 Select the switches on which you want to perform an encryption.
Step 5 Select a value for the SP. The range is from 256 to 65536.
Step 6 Enter a value for the salt. Alternatively, click Salt Generator to select a value.
Step 7 Enter a value for the key. Alternatively, click Key Generator to select a value.
Step 8 Click Create to save the changes.
To set up the SA parameters, such as keys and salt, using Device Manager, follow these steps:
Step 1 Choose Switches > Security and then select FC-SP.
You see the FC-SP configuration dialog box.
Step 2 Click the SA tab.
You see the SA parameters for each switch (see Figure 15-4).
Figure 15-4 SA
Step 3 Click Create to create new parameters.
You see the Create FC-SP SA dialog box (see Figure 15-5).
Figure 15-5 Create FC-SP SA
Step 4 Select a value for the SP. The range is from 256 to 65536.
Step 5 Enter a value for the salt. Alternatively, click Salt Generator to select a value.
Step 6 Enter a value for the key. Alternatively, click Key Generator to select a value.
Step 7 Click Create to save the changes.
Configuring ESP Settings
Configuring ESP on Ingress and Egress Ports
Once the SA is created, you need to configure Encapsulating Security Protocol (ESP) on the ports: each port is bound to an ingress SA and an egress SA. The egress SA specifies the key and salt used to encrypt frames that leave the port. The ingress SA specifies the key and salt used to decrypt frames that arrive on the port. Because the peer encrypts with its own egress SA, the SA you configure as this port's ingress SA must be the one the peer uses for egress, and vice versa.
Configuring ESP on Ingress Port
To configure SA to the ingress hardware, follow these steps:
Step 1
switch# config t
Enters the configuration mode.
Step 2
switch(config)# interface fc x/y
Configures the FC interface on slot x, port y. Note Selecting a portchannel will apply the configuration on all members of the portchannel.
Step 3
switch(config-if)# fcsp esp manual
Enters the ESP configuration submode.
Step 4
switch(config-if-esp)# ingress-sa spi_number
Configures the SA to the ingress hardware.
Step 5
switch(config-if-esp)# no ingress-sa spi_number
Removes the SA from the ingress hardware.
Configuring ESP on Egress Ports
To configure SA to the egress hardware, follow these steps:
Step 1
switch# config t
Enters the configuration mode.
Step 2
switch(config)# interface fc x/y
Configures the FC interface on slot x, port y. Note Selecting a portchannel will apply the configuration on all members of the portchannel.
Step 3
switch(config-if)# fcsp esp manual
Enters the ESP configuration submode.
Step 4
switch(config-if-esp)# egress-sa spi_number
Configures the SA to the egress hardware.
Step 5
switch(config-if)# no fcsp esp manual
Removes the SA from the ingress and egress hardware.
Note To apply the SA to the ingress and egress hardware of an interface, the interface needs to be in the admin shut mode.
Configuring ESP Modes
Configure the ESP mode on each port as GCM (AES-GCM), which both encrypts frames and authenticates them, or as GMAC (AES-GMAC), which authenticates frames but leaves their payload in the clear. GMAC protects integrity only; choose it only where confidentiality of the link is not required.
The default ESP mode is AES-GCM.
Configuring AES-GCM
To configure the AES-GCM mode, follow these steps:
Step 1
switch# config t
Enters the configuration mode.
Step 2
switch(config)# interface fc x/y
Configures the FC interface on slot x, port y. Note Selecting a portchannel would apply the configuration on all members of the portchannel.
Step 3
switch(config-if)# fcsp esp manual
Enters the ESP configuration submode to configure the ESP settings on each port.
Step 4
switch(config-if-esp)# mode gcm
Sets the GCM mode for the interface.
Configuring AES-GMAC
To configure AES-GMAC mode, follow these steps:
Step 1
switch# config t
Enters the configuration mode.
Step 2
switch(config)# interface fc x/y
Configures the FC interface on slot x, port y. Note Selecting a portchannel would apply the configuration on all members of the portchannel.
Step 3
switch(config-if)# fcsp esp manual
Enters the ESP configuration submode to configure the ESP settings on each port.
Step 4
switch(config-if-esp)# mode gmac
Sets the GMAC mode for the interface.
Step 5
switch(config-if-esp)# no mode gmac
Removes the GMAC mode from the interface and applies the default AES-GCM mode.
Note The ESP mode takes effect only after an SA has been applied to the ingress or the egress hardware. If no SA has been configured, ESP is off and frames are sent without ESP encapsulation.
Note Changing the ESP mode on a port that is already configured always requires a port flap: the new configuration is accepted, but it is not applied seamlessly to a running port.
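The SA procedure and the ingress, egress, and mode procedures above leave the cross-wiring between the two ends of a link to the administrator: the SPI a switch names in egress-sa must exist, with the same key and salt, as an ingress-sa on its peer, and vice versa. The following Python script is an added example, not Cisco code. It renders the commands from this page for both switches of an ISL so that this relationship holds by construction, generates the key and salt from the OS CSPRNG (as the Key Generator and Salt Generator buttons in the GUI do), and enforces the limits the page states (SPI 256 to 65536, key of at most 34 characters, salt 0x0 to 0xffffffff). The hostnames and interface names are made up, and the shutdown, exit, and no shutdown lines around the binding follow the note that the interface must be admin shut while SAs are applied plus standard NX-OS interface syntax; they are not commands shown on this page.

```python
"""Render a matched FC-SP ESP link-encryption configuration for both ends
of an ISL.  Added example, not Cisco code: it emits the NX-OS commands
described on this page (feature fcsp, fcsp esp sa / key / salt,
fcsp esp manual with ingress-sa, egress-sa and mode).  Hostnames and
interface names below are made up."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

SPI_MIN, SPI_MAX = 256, 65536       # range accepted by 'fcsp esp sa'
KEY_MAX_CHARS = 34                  # '0x' + 32 hex digits = 128-bit key
SALT_MAX = 0xFFFFFFFF               # 'salt' accepts 0x0 .. 0xffffffff
ESP_MODES = ("gcm", "gmac")         # gcm: encrypt + authenticate; gmac: authenticate only
_KEY_RE = re.compile(r"0x[0-9a-fA-F]{1,%d}" % (KEY_MAX_CHARS - 2))


@dataclass(frozen=True)
class SecurityAssociation:
    """One 'fcsp esp sa' entry.  Both peers must hold an identical copy."""
    spi: int
    key: str      # hex string with 0x prefix, exactly as typed after 'key'
    salt: int

    def __post_init__(self) -> None:
        if not SPI_MIN <= self.spi <= SPI_MAX:
            raise ValueError(f"SPI {self.spi} outside {SPI_MIN}-{SPI_MAX}")
        if not _KEY_RE.fullmatch(self.key):
            raise ValueError("key must be 0x-prefixed hex, at most 34 characters")
        if not 0 <= self.salt <= SALT_MAX:
            raise ValueError(f"salt 0x{self.salt:x} outside 0x0-0x{SALT_MAX:x}")


def generate_sa(spi: int) -> SecurityAssociation:
    """Fresh 128-bit key and 32-bit salt from the OS CSPRNG.  Never reuse a
    key across SAs or derive it from anything guessable."""
    return SecurityAssociation(spi, "0x" + secrets.token_hex(16), secrets.randbits(32))


def render_sa(sa: SecurityAssociation) -> list[str]:
    return [f"fcsp esp sa {sa.spi}", f"  key {sa.key}", f"  salt 0x{sa.salt:08x}"]


def render_switch(interface: str, egress: SecurityAssociation,
                  ingress: SecurityAssociation, mode: str = "gcm") -> str:
    """Configuration for one end of the link: the SAs it needs, then the
    binding of those SAs to the port.  The port is admin shut while the
    SAs are applied (see the note above) and brought back up afterwards.
    'shutdown' / 'exit' / 'no shutdown' are standard NX-OS interface
    commands assumed here, not commands taken from this page."""
    if mode not in ESP_MODES:
        raise ValueError(f"mode must be one of {ESP_MODES}")
    sas = {sa.spi: sa for sa in (egress, ingress)}   # one SA for both directions is allowed
    lines = ["feature fcsp"]
    for spi in sorted(sas):
        lines += render_sa(sas[spi])
    lines += [
        f"interface {interface}",
        "  shutdown",
        "  fcsp esp manual",
        f"    ingress-sa {ingress.spi}",   # decrypts what the peer sends
        f"    egress-sa {egress.spi}",     # encrypts what this port sends
        f"    mode {mode}",
        "    exit",
        "  no shutdown",
    ]
    return "\n".join(lines)


def render_link(a: tuple[str, str], b: tuple[str, str],
                a_to_b: SecurityAssociation, b_to_a: SecurityAssociation,
                mode: str = "gcm") -> dict[str, str]:
    """Configs for both ends, keyed by hostname.  A's egress SA is B's
    ingress SA and vice versa; that is the invariant an SPI mismatch breaks."""
    (a_host, a_if), (b_host, b_if) = a, b
    return {
        a_host: render_switch(a_if, egress=a_to_b, ingress=b_to_a, mode=mode),
        b_host: render_switch(b_if, egress=b_to_a, ingress=a_to_b, mode=mode),
    }


if __name__ == "__main__":
    ab, ba = generate_sa(300), generate_sa(301)   # one SA per direction (made-up SPIs)
    for host, cfg in render_link(("mds-a", "fc1/1"), ("mds-b", "fc2/5"), ab, ba).items():
        print(f"! {host}\n{cfg}\n")
```

Push each rendered block to its own switch and apply the SA stanzas on both ends before issuing no shutdown on either interface, so that neither side ever receives ESP frames whose SPI it cannot look up. Using a separate SA per direction, as the script does by default, lets you re-key one direction at a time; passing the same SecurityAssociation as both egress and ingress is also valid and yields a single fcsp esp sa stanza.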
To configure ESP settings using Fabric Manager, follow these steps:
Step 1 Expand Switches > Security and then select FC-SP (DHCHAP).
You see the FC-SP configuration in the Information pane.
Step 2 Click the ESP Interfaces tab.
You see the Interface details for each switch (see Figure 15-6).
Figure 15-6 ESP Interfaces Tab
Step 3 Click the Create Row icon.
You see the Create ESP Interfaces dialog box (see Figure 15-7).
Figure 15-7 Create ESP Interfaces
Step 4 Select the switches on which you want to perform an encryption.
Step 5 Enter an interface for the selected switch.
Step 6 Select the appropriate ESP mode for the encryption.
Step 7 Enter the appropriate egress port for the encryption.
Step 8 Enter the appropriate ingress port for the encryption.
Step 9 Click Create to save the changes.
To configure ESP settings using Device Manager, follow these steps:
Step 1 Expand Switches > Security and then select FC-SP.
You see the FC-SP configuration dialog box.
Step 2 Click the ESP Interfaces tab.
You see the Interface details for each switch (see Figure 15-8).
Figure 15-8 ESP Interfaces Tab
Step 3 Click Create.
You see the Create FC-SP ESP Interfaces dialog box (see Figure 15-9).
Figure 15-9 Create ESP Interfaces
Step 4 Enter an interface for any switch for encryption. Alternatively, you can select values from the available interfaces for the selected switch (see Figure 15-10).
Figure 15-10 Available Interfaces
Step 5 Select the appropriate ESP mode for the encryption.
Step 6 Enter the appropriate egress port for the encryption.
Step 7 Enter the appropriate ingress port for the encryption.
Step 8 Click Create to save the changes.
Configuring ESP Using ESP Wizard
You can configure and set up link-level encryption between switches, using Fabric Manager. You can configure an existing Inter-Switch Link (ISL) as a secure ISL or edit an existing secure ingress SPI and egress SPI using this wizard.
To configure ESP using ESP wizard, follow these steps:
Step 1 Right-click Tools > Security > FC-SP ESP Link Security to launch the ESP wizard from Fabric Manager (see Figure 15-11).
Figure 15-11 Launching FC-SP ESP Wizard
Step 2 Select the appropriate ISL to secure or edit security (see Figure 15-12).
Note Only ISLs with FC-SP port mode turned on and available on ESP capable switches or blades are displayed.
Figure 15-12 Select ISL To Secure
Step 3 Create new Security Associations (SAs) (see Figure 15-13).
Figure 15-13 Create Security Associations
You can create a new SA for each switch or use the existing SAs. You can click View Existing SA to view the existing SAs.
Note The existing list of SAs displays all existing SAs for a switch. The wizard runs only when a pair of switches have a common SA. The wizard checks for this requirement when you select Next and a warning message is displayed if a pair of switches do not have a common SA. You must create a common SA on the pair of the switches to run this wizard.
Step 4 Specify the Egress port, Ingress port, and ESP mode for the selected ISL, as seen in Figure 15-14.
For an ISL that is already secured, the Egress and Ingress fields are auto-populated with the SPIs of the SAs common to the pair of switches.
In that case the mode field is disabled; you cannot edit the mode of a secured ISL from the wizard.
Figure 15-14 Specify SPIs for ISLs
Note You can modify an existing ESP configuration provided the selected ISLs are enabled.
Step 5 Review your configuration as seen in Figure 15-15.
Figure 15-15 Complete ESP Setup
Step 6 Click Finish to start the configuration for the ESP setup. You can view the status of the configuration in the status column.
Viewing Cisco TrustSec FC Link Encryption Information
You can view information about the Cisco TrustSec FC Link Encryption feature using show commands, Fabric Manager, or Device Manager.
Viewing FC-SP Interface Information
Use the show fcsp interface command to show all FC-SP-related information for a specific interface.
switch# show fcsp interface fc7/41
fcsp authentication mode:SEC_MODE_OFF
programmed ingress SA: 300, 303
programmed egress SA: 300
Status:FC-SP protocol in progress
Viewing Running System Information
Use the show running-config fcsp command to show all the run-time information relevant to FC-SP. All details about ESP and configured interfaces are displayed. Use this command to determine which ports are using an SA.
switch# show running-config fcsp
key 0x00000000000000000000000000123456
key 0x00000000000000000000000000123456
key 0x00000000000000000000000000123456
Viewing FC-SP Interface Statistics
Use the show fcsp interface statistics command to show all statistics related to DHCHAP and ESP for an interface. The ESP statistics shown depend on the ESP supported by the port ASIC.
switch# show fcsp interface fc3/31 statistics
fcsp authentication mode:SEC_MODE_ON
programmed ingress SA: 256, 257
programmed egress SA: 256
Status:Successfully authenticated
Authenticated using local password database
FC-SP Authentication Succeeded:17
FC-SP Authentication Failed:3
FC-SP Authentication Bypassed:0
FC-SP ESP SPI Mismatched frames:0
FC-SP ESP Auth failed frames:0
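The show fcsp interface output above is what you compare across a link: the SPI in a switch's programmed egress SA must appear in its peer's programmed ingress SA list, and the two FC-SP ESP counters should stay at zero. The following Python script is an added example, not Cisco code. It parses the output format shown on this page and cross-checks a pair of interfaces; the two sample outputs are constructed in that format, with hostnames, SPI values, and counter values made up.

```python
"""Cross-check both ends of an encrypted ISL from 'show fcsp interface'
output.  Added example, not Cisco code: the parser follows the output
format shown on this page; SAMPLE_A and SAMPLE_B are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

_SA_LINE = re.compile(r"^programmed (ingress|egress) SA:\s*(.*)$")
_COUNTER = re.compile(r"^(FC-SP [^:]+):\s*(\d+)$")


@dataclass
class FcspInterface:
    auth_mode: str = ""
    status: str = ""
    ingress: list[int] = field(default_factory=list)   # SPIs this port can decrypt with
    egress: list[int] = field(default_factory=list)    # SPI this port encrypts with
    counters: dict[str, int] = field(default_factory=dict)


def parse_fcsp_interface(text: str) -> FcspInterface:
    """Parse one 'show fcsp interface <if> [statistics]' block."""
    info = FcspInterface()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("fcsp authentication mode:"):
            info.auth_mode = line.split(":", 1)[1].strip()
        elif line.startswith("Status:"):
            info.status = line.split(":", 1)[1].strip()
        elif (m := _SA_LINE.match(line)):
            spis = [int(s) for s in re.findall(r"\d+", m.group(2))]
            (info.ingress if m.group(1) == "ingress" else info.egress).extend(spis)
        elif (m := _COUNTER.match(line)):
            info.counters[m.group(1)] = int(m.group(2))
    return info


def check_link(a_name: str, a: FcspInterface, b_name: str, b: FcspInterface) -> list[str]:
    """Return one finding per way the pair can fail to protect the link."""
    findings: list[str] = []
    for src_name, src, dst_name, dst in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if not src.egress:   # no egress SA: ESP is off, frames leave unencapsulated
            findings.append(f"{src_name}: no egress SA programmed, ESP is off for frames it sends")
        for spi in src.egress:
            if spi not in dst.ingress:
                findings.append(f"{src_name} encrypts with SPI {spi} but {dst_name} has no ingress SA {spi}")
        for name, value in src.counters.items():
            if "ESP" in name and value:   # SPI mismatches or failed authentication tags
                findings.append(f"{src_name}: {name} = {value}")
    return findings


# Constructed samples in the format of the page's examples: mds-b was
# re-keyed to egress SPI 305 but mds-a was never given ingress SA 305,
# and mds-a is already counting frames whose SPI it cannot match.
SAMPLE_A = """\
fcsp authentication mode:SEC_MODE_ON
programmed ingress SA: 300, 303
programmed egress SA: 300
Status:Successfully authenticated
Authenticated using local password database
FC-SP Authentication Succeeded:17
FC-SP Authentication Failed:3
FC-SP Authentication Bypassed:0
FC-SP ESP SPI Mismatched frames:42
FC-SP ESP Auth failed frames:0
"""
SAMPLE_B = """\
fcsp authentication mode:SEC_MODE_ON
programmed ingress SA: 300
programmed egress SA: 305
Status:Successfully authenticated
Authenticated using local password database
FC-SP Authentication Succeeded:17
FC-SP Authentication Failed:0
FC-SP Authentication Bypassed:0
FC-SP ESP SPI Mismatched frames:0
FC-SP ESP Auth failed frames:0
"""


def demo() -> list[str]:
    return check_link("mds-a", parse_fcsp_interface(SAMPLE_A),
                      "mds-b", parse_fcsp_interface(SAMPLE_B))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the check after every re-key and after any port flap: a port whose peer lacks the matching ingress SA is not encrypting to anyone who can read it, and a rising FC-SP ESP Auth failed frames counter on a healthy link is the signal that something other than the peer is injecting frames.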
Viewing FC-SP Interface Statistics Using Fabric Manager
Using Fabric Manager, you can view the per-interface ESP statistics: the count of frames whose ESP Security Parameter Index (SPI) did not match a programmed SA, and the count of frames that failed ESP authentication.
To view the ESP statistics for an interface using Fabric Manager, follow these steps:
Step 1 Expand Interfaces > FC Physical and then select FC-SP.
You see the FC-SP configuration in the Information pane.
Step 2 Click the FC-SP tab.
You see the FC-SP statistics data in the Information pane (see Figure 15-16).
Figure 15-16 FC-SP Statistics in Fabric Manager
Step 3 Click Refresh to refresh the statistics data.
Viewing FC-SP Interface Statistics Using Device Manager
To view the ESP statistics for an interface using Device Manager, follow these steps:
Step 1 Choose Security > FC Physical and then select FC-SP.
You see the FC-SP configuration in the Information pane.
Step 2 Click the Statistics tab.
You see the statistics in the Information pane (see Figure 15-17).
Figure 15-17 FC-SP Statistics in Device Manager
Step 3 Click Refresh to refresh the statistics data.