C H A P T E R
16
Configuring FC-SP and DHCHAP
This chapter describes how to configure the Fibre Channel Security Protocol (FC-SP) and the Diffie-Hellman
Challenge Handshake Authentication Protocol (DHCP).
This chapter includes the following sections:
•
Information About FC-SP and DHCHAP, page 231
Information About FC-SP and DHCHAP
The Fibre Channel Security Protocol (FC-SP) capabilities provide switch-to-switch and host-to-switch
authentication to overcome security challenges for enterprise-wide fabrics. The Diffie-Hellman Challenge
Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between
Cisco SAN switches and other devices. DHCHAP consists of the CHAP protocol combined with the
Diffie-Hellman exchange.
Fabric Authentication
All Cisco SAN switches enable fabric-wide authentication from one switch to another switch, or from a switch
to a host. These switch and host authentications are performed locally or remotely in each fabric. As storage
islands are consolidated and migrated to enterprise-wide fabrics, new security challenges arise. The approach
of securing storage islands cannot always be guaranteed in enterprise-wide fabrics. For example, in a campus
environment with geographically distributed switches, someone could maliciously or accidentally interconnect
incompatible switches, resulting in Inter-Switch Link (ISL) isolation and link disruption.
Cisco Nexus 5500 Series NX-OS SAN Switching Configuration Guide, Release 7.x
OL-30895-01
231