Cisco MDS 9120 - Fabric Switch Скачать руководство пользователя страница 1 | Manualshive

Страница: 1 / 16

background image

C H A P T E R

1-1

Cisco MDS 9000 Family NX-OS Storage Media Encryption Configuration Guide

OL-29289-01

1

Storage Media Encryption Overview

Encrypting storage media in the data center has become a critical issue. Numerous high profile incidents
of lost or stolen tape and disk devices have underscored the risk and exposure companies face when
sensitive information falls into the wrong hands. To satisfy the most demanding requirements, Cisco
MDS 9000 Family Storage Media Encryption (SME) for the Cisco MDS 9000 family switches offers a
highly scalable, reliable, and flexible solution that integrates encryption transparently as a fabric service
for Fibre Channel SANs.

This chapter provides an overview of the SME and the hardware and software requirements for the product.
It contains the following sections:

•

About SME, page 1-1

•

About MIBs, page 1-9

•

Software and Hardware Requirements, page 1-10

•

SME Prerequisites, page 1-13

•

SME Security Overview, page 1-14

About SME

The SME solution is a comprehensive network-integrated encryption service with enterprise-class key
management that works transparently with existing and new SANs. The innovative Cisco
network-integrated solution has numerous advantages over competitive solutions available today:

•

SME installation and provisioning are both simple and nondisruptive. Unlike other solutions, SME
does not require rewiring or SAN reconfiguration.

•

Encryption engines are integrated on the Cisco MDS 9000 18/4-Port Multiservice Module
(MSM-18/4), the Cisco MDS 9222i Multiservice Module Switch, and the 16-Port Gigabit Ethernet
Storage Services Node (SSN-16), which eliminates the need to purchase and manage extra switch
ports, cables, and appliances.

•

Traffic from any virtual SAN (VSAN) can be encrypted using SME, enabling flexible, automated
load balancing through network traffic management across multiple SANs.

•

No additional software is required for provisioning, key, and user role management; SME is
integrated into Cisco DCNM for SAN (DCNM-SAN), which reduces operating expenses.

Note

When using SME, SSI images should not be loaded and installed on 18+4 cards and SSN-16. Also the
bootvar should not be set to load these images

1
2
3
...
»

Содержание MDS 9120 - Fabric Switch

Страница 1: ...n is a comprehensive network integrated encryption service with enterprise class key management that works transparently with existing and new SANs The innovative Cisco network integrated solution has numerous advantages over competitive solutions available today SME installation and provisioning are both simple and nondisruptive Unlike other solutions SME does not require rewiring or SAN reconfig...

Страница 2: ...rprise class Fibre Channel storage area network SAN fabric services Cisco has integrated encryption for data at rest as a transparent fabric service to take full advantage of this platform SME is a standards based encryption solution for heterogeneous disks tape libraries and virtual tape libraries SME is managed with Cisco DCNM SAN and a command line interface CLI for unified SAN management and s...

Страница 3: ...ion as an Approved Mode of Operation for FIPS 140 2 certification It uses a narrow block encryption algorithm and the standardization process for a wide block algorithm is currently in progress as 1619 2 Other encryption algorithms for consideration are LRW AES and AES CBS Draft versions of the IEEE 1619 standard had used LRW AES which was later replaced by XTS AES SME Roles SME services include t...

Страница 4: ...uired to recover the master key based on the user selection Unique key per tape for an SME tape cluster Unique key per LUN for an SME disk cluster Keys reside in clear text only inside a FIPS boundary Tape keys and intermediate keys are wrapped by the master key and deactivated in the CKMC Disk keys are wrapped by the cluster master key and deactivated in the CKMC Option to store tape keys on tape...

Страница 5: ... and the clusters that are not connected but are not deactivated appear as offline The SME clusters that are deleted from the fabric appear as deactivated The high availability Cisco KMC server consists of a primary server and a secondary server When the primary server is unavailable the cluster connects to the secondary server and fails over to the primary server once the primary server is availa...

Страница 6: ...is considered when choosing a SME interface for a target If a target is connected to a switch that has no SME interface then the target is assigned to the least loaded available interface in the SME cluster In target based load balancing the load on an interface refers to the number of targets assigned to that interface Caution SME provides a load balancing CLI that allows you to rebalance the tar...

Страница 7: ... the SME operations and the SME KMC Administrator role where the administrator is responsible for the SME key management operations Storage Administrator An administrator who manages the SME operations SME KMC Administrator An administrator who is responsible for the SME key management operations SME Recovery Officer A data security officer entrusted with smart cards and the associated PINs Each s...

Страница 8: ...server is compressed and stored in the HR tape library Data from the email server is not encrypted when backed up to the dedicated email tape library Figure 1 3 SME Single Fabric Topology Note Tape devices should be connected to core switches such as an MDS 9500 Series switch or MDS 9222i switch running Cisco SAN OS Release 3 2 2c or later or Cisco NX OS Release 4 x or later Encryption and compres...

Страница 9: ...te then the node having the lowest node identifier node ID remains in the cluster while the other node leaves the cluster However when an ISSU is performed on a node having the lowest node identifier a complete loss of the cluster results since both the nodes leave the cluster This undesirable situation is addressed in a two node cluster as follows The upgrading node sends a message to the other n...

Страница 10: ...ater or Cisco NX OS Release 4 x or later for SME Tape All switches that include MSM 18 4 modules must be running Cisco SAN OS Release 3 2 2c or later or Cisco NX OS Release 4 x or later software for SME Tape DCNM SAN must be running Cisco NX OS Release 5 2 1 for SME Disk All Cisco MDS switches in the SME cluster enabled for disks must be running Cisco NX OS Release 5 2 1 All switches that include ...

Страница 11: ...signed to a single Fibre Channel Port The MSM 18 4 provides intelligent diagnostics protocol decoding and network analysis tools with the integrated Call Home capability Note Cisco MDS 9000 Series switches running Cisco SAN OS Release 3 2 2c or later or Cisco NX OS Release 4 x or later support the MSM 18 4 module for SME tape Cisco MDS 9000 Series switches running Cisco NX OS Release 5 2 1 support...

Страница 12: ...d in different octeons in a single SSN 16 module By running four separate concurrent applications on one module SSN 16 provides the following functions Provides better disaster recovery and continuity solutions for mission critical applications Minimizes the number of devices required which improves the reliability Consolidates the management with a single module which provides end to end visibili...

Страница 13: ...e SME cluster The smart card reader requires the smart card drivers that are included on the installation CD These must be installed on the management workstation where the reader is attached Note The smart card reader is supported on Windows only platforms This support includes only the Windows 4 64 bit and Windows XP 32 bit platforms For the newly installed smart card drivers to work efficiently...

Страница 14: ...cal unit number LUN zoning and read only LUNs must not be used for FC Redirect hosts and targets SME Security Overview SME transparently encrypts and decrypts data inside the storage environment without slowing or disrupting business critical applications In SME Tape SME generates a master key tape volume keys and tape keys The keys are encrypted in a hierarchical order the master key encrypts the...

Страница 15: ...n For example RADIUS and TACACS servers can be used to authenticate authorize and provide accounting AAA for SME administrators Management of SME can be limited to authorized administrators using role based access controls RBACs When communication occurs from the DCNM SAN to cluster nodes the secure shell SSHv2 protocol provides message integrity and privacy PKI certificates can be configured in t...

Страница 16: ...1 16 Cisco MDS 9000 Family NX OS Storage Media Encryption Configuration Guide OL 29289 01 Chapter 1 Storage Media Encryption Overview SME Security Overview ...

Отзывы:

Нет отзывов

Похожие инструкции для MDS 9120 - Fabric Switch

Vb-C60 - Ptz Network Camera

Бренд: Canon Страницы: 30

Бренд: GE Страницы: 93

Бренд: National Instruments Страницы: 5

Бренд: National Instruments Страницы: 76

Бренд: National Instruments Страницы: 34

S5120V3-EI Series

Бренд: H3C Страницы: 54

Бренд: Ublox Страницы: 116

Бренд: H3C Страницы: 116

Бренд: WHOOP Страницы: 26

Бренд: Cypress Semiconductor Страницы: 11

Бренд: T.A Страницы: 11

PARTNER PC CARD

Бренд: Avaya Страницы: 4

Speedway Revolution

Бренд: impinj Страницы: 60

Fan Tray 8820-S2-900

Бренд: Paradyne Страницы: 6

Бренд: Xmart Страницы: 8

ExpressBox2 EB2

Бренд: Magma Страницы: 74

Бренд: Pakedge Device & Software Страницы: 14

PG-Flex FLC-704

Бренд: PairGain Страницы: 20

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды