The Fibre Channel Security Protocol (FC-SP) provides switch-to-switch and hosts-to-switch authentication
to overcome security challenges for enterprise-wide fabrics. The Diffie-Hellman Challenge Handshake
Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco SAN
switches and other devices. DHCHAP consists of the CHAP protocol combined with the Diffie-Hellman
exchange.
With FC-SP, switches, storage devices, and hosts can prove their identity through a reliable and manageable
authentication mechanism. With FC-SP, Fibre Channel traffic can be secured per frame to prevent snooping
and hijacking even over untrusted links. A consistent set of policies and management actions are propagated
through the fabric to provide a uniform level of security across the entire fabric.
Port Security
The port security feature prevents unauthorized access to a switch port by binding specific world-wide names
(WWNs) that have access to one or more given switch ports.
When port security is enabled on a switch port, all devices connecting to that port must be in the port security
database and must be listed in the database as bound to a given port. If both of these criteria are not met, the
port will not achieve an operationally active state and the devices connected to the port will be denied access
to the SAN.
Fabric Binding
Fabric binding ensures Inter-Switch Links (ISLs) are enabled only between specified switches in the fabric
binding configuration, which prevents unauthorized switches from joining the fabric or disrupting the current
fabric operations. This feature uses the Exchange Fabric Membership Data (EEMD) protocol to ensure that
the list of authorized switches is identical in all of the switches in a fabric.
Fabric Configuration Servers
The Fabric Configuration Server (FCS) provides discovery of topology attributes and maintains a repository
of configuration information of fabric elements. A management application is usually connected to the FCS
on the switch through an N port. Multiple VSANs constitute a fabric, where one instance of the FCS is present
per VSAN.
Cisco Nexus 5500 Series NX-OS SAN Switching Configuration Guide, Release 7.x
4
OL-30895-01
Overview
SAN Switching Overview