- Preface chapter
- New and changed information
- overview
- Configuring FIPS
- Configuring Users and Common Role
- Configuring Security Features on an External AAA Server
- Configuring IPv4 and IPv6 Access Control Lists
- Configuring Certificate Authorities and Digital Certificates
- Configuring IPsec Network Security
- Configuring FC-SP and DHCHAP
- Configuring Port Security
- Configuring Fabric Binding
- Configuring Cisco TrustSec Fibre Channel Link Encryption
- Index
Security Configuration Guide, Cisco DCNM for SAN, Release 7.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- May 12, 2015
Chapter: Configuring Cisco TrustSec Fibre Channel Link Encryption
Configuring Cisco TrustSec Fibre Channel Link Encryption
This chapter provides an overview of the Cisco TrustSec Fibre Channel (FC) Link Encryption feature and describes how to configure and set up link-level encryption between switches.
Information About Cisco TrustSec FC Link Encryption
Cisco TrustSec FC Link Encryption is an extension of the Fibre Channel-Security Protocol (FC-SP) feature and uses the existing FC-SP architecture to provide integrity and confidentiality of transactions. Encryption is now added to the peer authentication capability to provide security and prevent unwanted traffic interception. Peer authentication is implemented according to the FC-SP standard using the Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) protocol.
Note
Cisco TrustSec FC Link Encryption is currently only supported between Cisco MDS switches. This feature is not supported when you downgrade to software versions which do not have the Encapsulating Security Protocol (ESP) support.
This section includes the following topics:
Supported Modules
The following modules are supported for the Cisco TrustSec FC Link Encryption feature:
Cisco TrustSec FC Link Encryption Terminology
The following Cisco TrustSec FC Link Encryption-related terms are used in this chapter:
- Galois Counter Mode (GCM)—A block cipher mode of operation providing confidentiality and data-origin authentication.
- Galois Message Authentication Code (GMAC)—A block cipher mode of operation providing only data-origin authentication. It is the authentication-only variant of GCM.
- Security Association (SA)—A connection that handles the security credentials and controls how they propagate between switches. The SA includes parameters such as salt and keys.
- Key—A 128-bit hexadecimal string that is used for frame encryption and decryption. The default value is zero.
- Salt —A 32-bit hexadecimal number that is used during encryption and decryption. The same salt must be configured on both sides of the connection to ensure proper communication. The default value is zero.
- Security Parameters Index (SPI) number—A 32-bit number that identifies the SA to be configured to the hardware. The range is from 256 to 4,294,967,295.
Support for AES Encryption
The Advanced Encryption Standard (AES) is the symmetric cipher algorithm that provides a high-level of security, and can accept different key sizes.
The Cisco TrustSec FC Link Encryption feature supports the 128-bit AES for security encryption and enables either AES-GCM or AES-GMAC for an interface. The AES-GCM mode provides encryption and authentication of the frames and AES-GMAC provides only the authentication of the frames that are being passed between the two peers.
Guidelines and Limitations
This section lists the guidelines for Cisco TrustSec FC Link Encryption:
- Ensure that Cisco TrustSec FC Link Encryption is enabled only between MDS switches. This feature is supported only on E-ports or the ISLs, and errors will result if non-MDS switches are used.
- Ensure that the peers in the connection have the same configurations. If there are differences in the configurations, a “port re-init limit exceeded” error message is displayed.
- Before applying the SA to the ingress and egress hardware of a switch interface, ensure that the interface is in the admin shut mode.
Configuring Cisco TrustSec Fibre Channel Link Encryption
This section includes the following topics:
- Enabling Cisco TrustSec FC Link Encryption
- Setting Up Security Associations
- Setting Up Security Association Parameters
Enabling Cisco TrustSec FC Link Encryption
By default, the FC-SP feature and the Cisco TrustSec FC Link Encryption feature are disabled in all switches in the Cisco MDS 9000 Family.
You must explicitly enable the FC-SP feature to access the configuration and verification commands for fabric authentication and encryption. When you disable this feature, all related configurations are automatically discarded.
Detailed Steps
To enable FC-SP for a Cisco MDS switch, follow these steps:
|
|
|
|
|---|---|---|
Setting Up Security Associations
To perform encryption between the switches, a security association (SA) needs to be set up. An administrator manually configures the SA before the encryption can take place. The SA includes parameters such as keys and salt, that are required for encryption. You can set up to 2000 SAs in a switch.
Detailed Steps
To set up an SA between two switches, follow these steps:
|
|
|
|
|---|---|---|
Enters into SA submode for configuring SAs. The range of spi_number is from 256 to 4294967295. |
||
Deletes the SA between the switches.1 |
|
1.If the specified SA is currently programmed to the ports, this command returns an error saying that the SA is in use. |
To determine which ports are using the SA, use the show running-config fcsp command. Refer to the “Displaying Running System Information” section.
Note Cisco TrustSec FC Link Encryption is currently supported only on DHCHAP on and off modes.
Setting Up Security Association Parameters
Detailed Steps
To set up the SA parameters, such as keys and salt, follow these steps:
|
|
|
|
|---|---|---|
Enters into SA submode for configuring SAs. The range of spi_number is from 256 to 4294967295. |
||
Configures the salt for the SA. The range is from 0x0 to 0xffffffff. |
||
To set up the SA parameters, such as keys and salt, using DCNM-SAN, follow these steps:
Step 1 Expand Switches > Security, and then select FC-SP (DHCHAP).
You see the FC-SP configuration in the Information pane.
You see the SA parameters for each switch.
Step 3 Click the Create Row icon.
You see the Create SA Parameters dialog box.
Step 4 Select the switches on which you want to perform an encryption.
Step 5 Select a value for the SP. The range is from 256 to 65536.
Step 6 Enter a value for the salt. Alternatively, click Salt Generator to select a value
Step 7 Enter a value for the key. Alternatively, click Key Generator to select a value.
Step 8 Click Create to save the changes.
To set up the SA parameters, such as keys and salt, using Device Manager, follow these steps:
Step 1 Choose Switches > Security, and then select FC-SP.
You see the FC-SP configuration dialog box.
You see the SA parameters for each switch.
Step 3 Click Create to create new parameters.
You see the Create FC-SP SA dialog box.
Step 4 Select a value for the SP. The range is from 256 to 65536.
Step 5 Enter a value for the salt. Alternatively, click Salt Generator to select a value
Step 6 Enter a value for the key. Alternatively, click Key Generator to select a value.
Step 7 Click Create to save the changes.
Configuring ESP Settings
This section includes the following topics:
Configuring ESP on Ingress and Egress Ports
Once the SA is created, you need to configure Encapsulating Security Protocol (ESP) on the ports. You should specify the egress and ingress ports for the encryption and decryption of packets between the network peers. The egress SA specifies which keys or parameters are to be used for encrypting the packets that leave the switch. The ingress SA specifies which keys or parameters are to be used to decrypt the packets entering that particular port.
Configuring ESP on Ingress Port
Detailed Steps
To configure SA to the ingress hardware, follow these steps:
Removes the SA from the ingress hardware.2 |
|
2.If SA is not configured in the ingress port, then running this command returns an error message. |
Configuring ESP on Egress Ports
Detailed Steps
To configure SA to the egress hardware, follow these steps:
Removes the SA from the egress hardware.3 |
|
3.If SA is not configured in the egress port, then running this command returns an error message. |
Note To apply the SA to the ingress and egress hardware of an interface, the interface needs to be in the admin shut mode.
Configuring ESP Modes
Configure the ESP settings for the ports as GCM to enable message authentication and encryption or as GMAC to enable message authentication.
Configuring AES-GCM
Detailed Steps
To configure the AES-GCM mode, follow these steps:
|
|
|
|
|---|---|---|
Enters the ESP configuration submode to configure the ESP settings on each port. |
||
Configuring AES-GMAC
Detailed Steps
To configure AES-GMAC mode, follow these steps:
|
|
|
|
|---|---|---|
Enters the ESP configuration submode to configure the ESP settings on each port. |
||
Removes the GMAC mode from the interface and applies the default AES-GCM mode. |
Note The ESP modes are set only after a SA is configured to either the ingress or the egress hardware. If SA has not been configured, ESP is turned off and encapsulation does not occur.
Note An ESP mode change always needs a port flap because the change is not seamless if it is done after you configure the port; although the configurations are not rejected.
Detailed Steps
To configure ESP settings, follow these steps:
Step 1 Expand Switches > Security, and then select FC-SP (DHCHAP).
You see the FC-SP configuration in the Information pane.
Step 2 Click the ESP Interfaces tab.
You see the Interface details for each switch.
Step 3 Click the Create Row icon.
You see the Create ESP Interfaces dialog box.
Step 4 Select the switches on which you want to perform an encryption.
Step 5 Enter an interface for the selected switch.
Step 6 Select the appropriate ESP mode for the encryption.
Step 7 Enter the appropriate egress port for the encryption.
Step 8 Enter the appropriate ingress port for the encryption.
Step 9 Click Create to save the changes.
To configure ESP settings using Device Manager, follow these steps:
Step 1 Expand Switches > Security, and then select FC-SP.
You see the FC-SP configuration dialog box.
Step 2 Click the ESP Interfaces tab.
You see the Interface details for each switch.
You see the Create FC-SP ESP Interfaces dialog box.
Step 4 Enter an interace for any switch for encryption. Alternatively, you can select values from the available interfaces for the selected switch.
Step 5 Select the appropriate ESP mode for the encryption.
Step 6 Enter the appropriate egress port for the encryption.
Step 7 Enter the appropriate ingress port for the encryption.
Step 8 Click Create to save the changes.
Configuring ESP Using ESP Wizard
You can configure and set up link-level encryption between switches using ESP wizard. You can configure an existing Inter-Switch Link (ISL) as a secure ISL or edit an existing secure ingress SPI and egress SPI using this wizard.
Detailed Steps
To configure ESP using ESP wizard, follow these steps:
Step 1 Right-click Tools > Security> FC-SP ESP Link Security to launch the ESP wizard from DCNM-SAN.
Step 2 Select the appropriate ISL to secure or edit security.
Note Only ISLs with FC-SP port mode turned on and available on ESP- capable switches or blades are displayed.
Step 3 Create new Security Associations (SAs).
You can create a new SA for each switch or use the existing SAs. You can click View Existing SA to view the existing SAs.
Note The existing list of SAs displays all existing SAs for a switch. The wizard runs only when a pair of switches have a common SA. The wizard checks for this requirement when you select Next and a warning message is displayed if a pair of switches do not have a common SA. You must create a common SA on the pair of the switches to run this wizard.
Step 4 Specify the Egress port, Ingress port, and ESP mode for the selected ISL.
The Egress and Ingress ports are auto populated with SPIs of the SAs common to a pair of switches incase of a secured ISL.
In this scenario, the mode is disabled and you cannot edit the modes for a secured ISL.
Note You can modify an existing ESP configuration provided the selected ISLs are enabled.
Step 5 Review your configuration.
Step 6 Click Finish to start the configuration for the ESP setup. You can view the status of the configuration in the status column.
Changing Keys for Switches
After the SA is applied to the ingress and egress ports, you should change the keys periodically in the configuration. The keys should be changed sequentially to avoid traffic disruption.
As an example, consider that a security association has been created between two switches, Switch1 and Switch2. The SA is configured on the ingress and egress ports as shown in the following example:
Detailed Steps
To change the keys for these switches, follow these steps:
Step 1 Add a new SA on Switch1 and Switch2.
Step 2 Configure the ingress SA on Switch1.
Step 3 Configure the ingress and the egress SA on Switch2.
Step 4 Configure the egress SA on Switch1.
Step 5 Remove the previously configured ingress SA from both the switches.
Verifying Cisco TrustSec Fibre Channel Link Encryption Configuration
You can view information about the Cisco TrustSec FC Link Encryption feature using the show commands in DCNM-SAN or Device Manager.
|
|
|
|---|---|
Displays all FC-SP-related information for a specific interface. |
|
Displays all statistics related to DHCHAP and ESP for an interface. |
For detailed information about the fields in the output from these commands, refer to the Cisco MDS 9000 Family Command Reference.
This section has the following topics:
- “Displaying FC-SP Interface Information” section
- “Displaying Running System Information” section
- “Displaying FC-SP Interface Statistics” section
- Displaying FC-SP Interface Statistics
- Displaying FC-SP Interface Statistics Using Device Manager
Displaying FC-SP Interface Information
Use the show fcsp interface command to show all FC-SP-related information for a specific interface.
Displaying Running System Information
Use the show running-config fcsp command to show all the run-time information relevant to FC-SP. All details about ESP and configured interfaces are displayed. Use this command to determine which ports are using SA.
Displaying FC-SP Interface Statistics
Use the show fcsp interface statistics command to show all statistics related to DHCHAP and ESP for an interface. The ESP statistics shown depend on the ESP supported by the port ASIC.
Displaying FC-SP Interface Statistics
You can view the statistics data that displays the Encapsulating Security Protocol-ESP Security Parameter (SPI) mismatches and Interface-Encapsulating Security Protocol authentication failures information using DCNM-SAN.
To view the ESP statistics for an interface, follow these steps:
Step 1 Expand Interfaces > FC Physical, and then select FC-SP.
You see the FC-SP configuration in the Information pane.
You see view the FC-SP statistics data in the Information pane.
Step 3 Click Refresh to refresh the statistics data.
Displaying FC-SP Interface Statistics Using Device Manager
To view the ESP statistics for an interface using Device Manager, follow these steps:
Step 1 Choose Security > FC Physical, and then select FC-SP.
You see the FC-SP configuration in the Information pane.
Step 2 Click the Statistics tab.
You see the statistics in the Information pane.
Step 3 Click Refresh to refresh the statistics data.
Feedback