Cisco MDS 9000 Series Configuration Manual

Security

Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Summary of Contents for Cisco MDS 9000 Series

  • Page 1 Cisco MDS 9000 Series Security Configuration Guide, Release 8.x Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 © 2018 Cisco Systems, Inc. All rights reserved.
  • Page 3 Fibre Channel Common Transport Management Server Query Fabric Binding TrustSec Fibre Channel Link Encryption Chapter 3 Configuring FIPS Configuration Guidelines Enabling FIPS Mode Displaying FIPS Status
  • Page 4: Table Of Contents

    Characteristics of Strong Passwords Configuring Users Logging Out Users Displaying User Account Information Default Settings Chapter 5 Configuring Security Features on an External AAA Server
  • Page 5 Configuring LDAP Server Groups Configuring the Global LDAP Timeout Interval Configuring the Timeout Interval for an LDAP Server Configuring the Global LDAP Server Port Configuring TCP Ports Configuring LDAP Search Maps
  • Page 6 Displaying RADIUS Server Details Displaying RADIUS Server Statistics One-Time Password Support Recovering the Administrator Password Using the CLI with Network-Admin Privileges Power Cycling the Switch Configuring TACACS+ Server Monitoring Parameters About TACACS+
  • Page 7 About Configuring TACACS+ Server Groups About Bypassing a Nonresponsive Server AAA Server Distribution Enabling AAA RADIUS Server Distribution Enabling AAA TACACS+ Server Distribution Starting a Distribution Session on a Switch Displaying the Session Status
  • Page 8 About IPv4 and IPv6 Access Control Lists IPv4-ACL and IPv6-ACL Configuration Guidelines About Filter Contents Protocol Information Address Information Port Information ICMP Information ToS Information Creating IPv4-ACLs or IPv6-ACLs Creating IPv4-ACLs Creating IPv6-ACLs
  • Page 9 Applying an IPv6-ACL to an Interface Applying an IP-ACL to mgmt0 Verifying Interface IP-ACL Configuration Open IP Ports on Cisco MDS 9000 Series Platforms IP-ACL Counter Cleanup Chapter 7 Configuring Certificate Authorities and Digital Certificates...
  • Page 10 Specifying the SSH Key in Public Key Certificate in PEM Overwriting a Generated Key Pair Configuring the Maximum Number of SSH Login Attempts Clearing SSH Hosts Enabling SSH or Telnet Service
  • Page 11 Configuring the Lifetime Association for a Policy Configuring the Keepalive Time for a Peer Configuring the Initiator Version Clearing IKE Tunnels or Domains Refreshing SAs Crypto IPv4-ACLs About Crypto IPv4-ACLs Crypto IPv4-ACL Guidelines
  • Page 12 Configuring FC-SP and DHCHAP About Fabric Authentication DHCHAP DHCHAP Compatibility with Existing Cisco MDS Features About Enabling DHCHAP Enabling DHCHAP About DHCHAP Authentication Modes Configuring the DHCHAP Mode About DHCHAP Hash Algorithm
  • Page 13 Configuring Port Security with Manual Database Configuration Enabling Port Security Port Security Activation Activating Port Security Database Activation Rejection Forcing Port Security Activation Database Reactivation Auto-learning About Enabling Auto-learning Enabling Auto-learning Disabling Auto-learning Auto-learning Device Authorization
  • Page 14 Chapter 13 Configuring Fabric Binding About Fabric Binding Licensing Requirements Port Security Versus Fabric Binding Fabric Binding Enforcement Fabric Binding Configuration Enabling Fabric Binding Configuring Switch WWN List for a FICON VSAN
  • Page 15 Viewing Cisco TrustSec FC Link Encryption Information Viewing FC-SP Interface Information Viewing Running System Information Viewing FC-SP Interface Statistics Cisco TrustSec FC Link Encryption Best Practices General Best Practices Best Practices for Changing Keys
  • Page 16 Contents
  • Page 17 Preface This preface describes the audience, organization of, and conventions used in the Cisco MDS 9000 Series Configuration Guides. It also provides information on how to obtain related documentation, and contains the following chapters: • Audience, on page xvii •...
  • Page 18 What's New in Cisco Product Documentation. To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
  • Page 19 ...Accounts, on page 24: Support SHA-2 by default. LDAP Enhancements: LDAP connections on port 636 automatically start securely with SSL or TLS (Release 8.2(1); see Configuring LDAP Server Hosts, on page 45).
  • Page 20 New and Changed Information
  • Page 21 Chapter: Security Overview The Cisco MDS 9000 NX-OS software supports advanced security features that provide security within a Storage Area Network (SAN). These features protect your network against deliberate or unintentional disruptions from internal or external threats.
  • Page 22 Role-based authorization limits access to switch operations by assigning users to roles. All management access within the Cisco MDS 9000 Family is based upon roles. Users are restricted to performing the management operations that are explicitly permitted by the roles to which they belong.
  • Page 23 Certificates. SSH Services Secure Shell (SSH) is a protocol that provides a secure, remote connection to the Cisco NX-OS CLI. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. You can use SSH keys for the following SSH options: •...
  • Page 24 251. TrustSec Fibre Channel Link Encryption Cisco TrustSec Fibre Channel Link Encryption is an extension of the Fibre Channel-Security Protocol (FC-SP) feature and uses the existing FC-SP architecture to provide integrity and confidentiality of transactions. Encryption is added to the peer authentication capability to provide security and prevent unwanted traffic interception.
  • Page 25 FIPS compliant. Note Cisco MDS SAN-OS Release 3.1(1) and NX-OS Release 4.1(1b) or later implement FIPS features and are currently in the certification process with the U.S. government, but they are not FIPS compliant at this time.
  • Page 26: Fips Self-Tests

    Conditional self-tests must be run when an applicable security function or operation is invoked. Unlike the power-up self-tests, conditional self-tests are executed each time their associated function is accessed. Conditional self-tests include the following:
  • Page 27 • Pair-wise consistency test—This test is run when a public-private keypair is generated. • Continuous random number generator test—This test is run when a random number is generated. Both of these tests automatically run when a switch is in FIPS mode.
  • Page 28 Configuring FIPS: FIPS Self-Tests
  • Page 29: Common Roles

    Chapter: Common Roles The CLI and SNMP use common roles in all Cisco MDS 9000 Series Switches. You can use the CLI to modify a role that was created using SNMP and vice versa.
  • Page 30: Configuring Roles And Profiles

    A user not belonging to the network-admin role cannot perform commands related to roles. Note Regardless of the read-write rule configured for a user role, some commands can be executed only through the predefined network-admin role.
  • Page 31
    5 permit show feature environment
    rule 4 permit show feature hardware
    rule 3 permit config feature ssh
    rule 2 permit config feature ntp    -----------> Overridden rule
    rule 1 permit config feature tacacs+
  • Page 32: Behavior

    Places you in role configuration submode for the existing role sangroup.
    Step 3
    switch(config-role)# rule 1 permit config
    switch(config-role)# rule 2 deny config feature fspf
    switch(config-role)# rule 3 permit debug feature zone
    switch(config-role)# rule 4 permit exec feature fcping
  • Page 33: Configuring The Vsan Policy

    Configuring the VSAN Policy Configuring the VSAN policy requires the ENTERPRISE_PKG license (for more information, see the Cisco MDS 9000 Family NX-OS Licensing Guide). You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs.
  • Page 34: Role Distributions

    VSAN 10 to 14, and 21 to 30. Role Distributions Role-based configurations use the Cisco Fabric Services (CFS) infrastructure to enable efficient database management and to provide a single point of configuration for the entire fabric.
  • Page 35: Locking The Fabric

    Discarding Role-Based Configuration Changes If you discard (abort) the changes made to the pending database, the configuration database remains unaffected and the lock is released. To discard role-based configuration changes, follow these steps:
  • Page 36: Enabling Role-Based Configuration Distribution

    Database Merge Guidelines Fabric merge does not modify the role database on a switch. If two fabrics merge, and the fabrics have different role databases, the software generates an alert message.
  • Page 37: Displaying Role-Based Information

    Role: priv-14
    Description: This is a system defined privilege role.
    Vsan policy: permit (default)
    Role: priv-13
    Description: This is a system defined privilege role.
    Vsan policy: permit (default)
  • Page 38: Displaying Roles When Distribution Is Enabled

    Displaying Roles When Distribution is Enabled Use the show role command to display the configuration database.
  • Page 39 Use the show role pending-diff command to display the differences between the pending and configuration role database. See the following example.
    Displays the Differences Between the Two Databases
    switch# show role pending-diff
    +Role: myrole
    vsan policy: permit (default)
    ---------------------------------------------
  • Page 40: Configuring Common Roles

    Configuring Common Roles The CLI and SNMP in all switches in the Cisco MDS 9000 Family use common roles. You can use SNMP to modify a role that was created using the CLI and vice versa (see Figure 1: Common Roles, on page 22).
  • Page 41: Mapping Of Cli Operations To Snmp

    Mapping of CLI Operations to SNMP You can create new roles or modify existing roles using SNMP or the CLI. • SNMP—Use the CISCO-COMMON-ROLES-MIB to configure or modify roles. Refer to the Cisco MDS 9000 Family MIB Quick Reference. • CLI—Use the role name command.
  • Page 42: Configuring User Accounts

    • User passwords are not displayed in the switch configuration file. • The length of the password must be a minimum of eight characters for Cisco DCNM to discover a fabric. This restriction is applicable starting from Cisco DCNM Release 5.2(1).
  • Page 43: Checking Password Strength

    • 2004AsdfLkj30 • Cb1955S21 Configuring Users To configure a new user or to modify the profile of an existing user, follow these steps: Procedure Step 1 switch# configure terminal Enters configuration mode.
  • Page 44: Logging Out Users

    To log out another user on the switch, use the clear user command. In the following example, the user named vsam is logged out from the switch: switch# clear user vsam
  • Page 45: Displaying User Account Information

    The following table lists the default settings for all switch security features in any switch. Table 2: Default Switch Security Settings (Parameters: Default). Roles in Cisco MDS Switches: Network operator (network-operator)
  • Page 46 (Table 2, continued) 5 seconds; AAA server distribution: Disabled; VSAN policy for roles: Permit; User account: No expiry (unless configured); Password: None; Password-strength: Enabled; Accounting log size: 250 KB; SSH service: Enabled; Telnet service: Disabled
  • Page 47: Configuring Security Features On An External Aaa Server

    The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) protocols to provide solutions using remote AAA servers.
  • Page 48: Switch Management Security

    Switch Management Security: Management security in any switch in the Cisco MDS 9000 Family provides security to all management access methods, including the command-line interface (CLI) or Simple Network Management Protocol (SNMP).
  • Page 49: Switch Aaa Functionalities

    ID and password combination provided by the entity trying to access the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
  • Page 50: Remote Aaa Services

    • Be sure to configure a desired local AAA policy as this policy is used if all AAA servers are not reachable. • AAA servers are easily reachable if an overlay Ethernet LAN is attached to the switch (see the Cisco Fabric Manager IP Services Configuration Guide and the Cisco MDS 9000 Family NX-OS Configuration Guide).
  • Page 51: Error-Enabled Status

    Error-Enabled Status Caution Cisco MDS NX-OS supports user names that are created with alphanumeric characters or specific special characters (+ [plus], = [equal], _ [underscore], - [hyphen] , \ [backslash], and . [period]) whether created remotely (using TACACS+ or RADIUS) or locally, provided the user name starts with an alphabetical character.
  • Page 52: Aaa Server Monitoring

    Authentication is the process of verifying the identity of the person managing the switch. This identity verification is based on the user ID and password combination provided by the person managing the switch.
  • Page 53: Configuring Role-Based Authorization On Tacacs+ Server

    The following steps explain the authorization and authentication process: Procedure Step 1 Log in to the required switch in the Cisco MDS 9000 Family, using the Telnet, SSH, Fabric Manager or Device Manager, or console login options. Step 2 When you have configured server groups using the server group authentication method, an authentication request is sent to the first AAA server in the group.
  • Page 54 Step 3 switch(config)# aaa authorization config-commands Enables authorization for all commands under config mode Layer2 and Layer3. Step 4 switch(config)# aaa authorization config-commands default group tac1 Enables specified TACACS+ server group authorization.
  • Page 55: Configuring Fallback Mechanism For Authentication

    You can disable this fallback for both console and ssh/telnet login. Disabling this fallback tightens the security of authentication. The CLI syntax and behavior are as follows: Procedure Step 1 switch# configure terminal
  • Page 56: Verifying Authorization Profile

    You can test the authorization settings for any command. To test the authorization of a command, use the test aaa authorization command-type command.
    switch(config)# test aaa authorization command-type commands user u1 command "feature dhcp"
    % Success
  • Page 57: Configuring Login Parameters

    Configuring Login Parameters Use this task to configure your Cisco MDS 9000 device for login parameters that help to detect suspected DoS attacks and slow down dictionary attacks. All login parameters are disabled by default. You must enter the login block-for command, which enables default login functionality, before using any other login commands.
  • Page 58 The following sample output from the show login failures command verifies that no information is presently logged:
    switch# show login failures
    *** No logged failed login attempts with the device.***
  • Page 59: Configuring Aaa Server Monitoring Parameters Globally

    The Global AAA Server Monitoring Parameters observe the following behavior: • When a new AAA server is configured it is monitored using the global test parameters, if defined.
  • Page 60: Configuring Ldap

    LDAP protocol. Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use. This section includes the following topics:...
  • Page 61: Guidelines And Limitations For Ldap

    1. • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
  • Page 62: Default Settings

    Periodic server monitoring password: Cisco. Enabling LDAP By default, the LDAP feature is disabled on the Cisco NX-OS device. You must explicitly enable the LDAP feature to access the configuration and verification commands for authentication. To enable LDAP, follow these steps:...
  • Page 63: Configuring Ldap Server Hosts

    Cisco NX-OS device. You can configure up to 64 LDAP servers. Note By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.
  • Page 64: Configuring Ldap Server Groups

    You can create a group on the LDAP servers and also create a group with the exact same name on the Cisco MDS switch and then add users to the group. The user role attribute is inherited by the user from the group that is configured.
  • Page 65 (Optional) Displays the LDAP server group configuration. Step 9 switch# show run ldap (Optional) Displays the LDAP configuration. Step 10 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
  • Page 66: Configuring The Global Ldap Timeout Interval

    Configuring the Global LDAP Timeout Interval You can set a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all LDAP servers before declaring a timeout failure. To configure the global LDAP timeout interval, follow these steps:...
  • Page 67: Configuring The Global Ldap Server Port

    Configuring the Global LDAP Server Port You can configure a global LDAP server port through which clients initiate TCP connections. By default, Cisco NX-OS devices use port 389 for all LDAP requests. To configure the global LDAP server port, follow these steps:...
  • Page 68: Configuring Tcp Ports

    Configuring TCP Ports You can configure another TCP port for the LDAP servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 389 for all LDAP requests. To configure the TCP ports, follow these steps:...
  • Page 69 You can configure the dead-time interval for all LDAP servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive.
  • Page 70 AAA authorization. The local method uses the local database for authorization. Step 3 switch(config)# exit switch# Exits configuration mode. Step 4 switch(config)# show aaa authorization (Optional) Displays the AAA authorization configuration. The all keyword displays the default values.
  • Page 71 (Optional) Copies the running configuration to the startup configuration. Example For detailed information about the fields in the output from this command, see the Cisco MDS 9000 Family Command Reference, Release 5.0(1a). Configuration Examples for LDAP...
  • Page 72: Configuring Radius Server Monitoring Parameters

    Configuring RADIUS Server Monitoring Parameters Cisco MDS 9000 Family switches can use the RADIUS protocol to communicate with remote AAA servers. You can configure multiple RADIUS servers and server groups and set timeout and retry counts. RADIUS is a distributed client/server protocol that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco MDS 9000 Family switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
  • Page 73 2001:0DB8:800:200C::417A acct-port 2004 Specifies the destination UDP port number to which RADIUS accounting messages should be sent. The default accounting port is 1813, and the valid range is 0 to 65366.
  • Page 74 0 abcd Specifies a clear text key for the specified server. The key is restricted to 64 characters. Step 7 switch(config)# radius-server host radius2 key 4 da3Asda2ioyuoiuH
  • Page 75 You can configure a global timeout value between transmissions for all RADIUS servers. Note If timeout values are configured for individual servers, those values override the globally configured values. To specify the timeout values between retransmissions to the RADIUS servers, follow these steps:
  • Page 76 This section includes the following topics: Configuring the Test Idle Timer The test idle timer specifies the interval during which a RADIUS server receives no requests before the MDS switch sends out a test packet.
  • Page 77 Configures the test user (testuser) with the default password (test). The default user name is test. Step 3 switch(config)# no radius-server host 10.1.1.1 test username testuser Removes the test user name (testuser). Step 4 switch(config)# radius-server host 10.1.1.1 test username testuser password Ur2Gd2BH
  • Page 78 RADIUS configuration. Configuring the Test Idle Timer The test idle timer specifies the interval during which a RADIUS server receives no requests before the MDS switch sends out a test packet.
  • Page 79 About Validating a RADIUS Server As of Cisco SAN-OS Release 3.0(1), you can periodically validate a RADIUS server. The switch sends a test authentication to the server using the username and password that you configure. If the server does not respond to the test authentication, then the server is considered nonresponding.
  • Page 80 The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-avpair. The value is a string with the following format:...
  • Page 81 VSA Format protocol : attribute separator value * Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes. When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results.
  • Page 82 The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.
  • Page 83: One-Time Password Support

    If you are logged in to, or can log into, a switch with a user name that has network-admin privileges and then recover the administrator password, follow these steps: Procedure Step 1 Use the show user-accounts command to verify that your user name has network-admin privileges.
  • Page 84 To recover an administrator password by power cycling the switch, follow these steps: Procedure Step 1 For Cisco MDS 9500 Series switches with two supervisor modules, remove the supervisor module in slot 6 from the chassis. Note On the Cisco MDS 9500 Series, the password recovery procedure must be performed on the active supervisor module.
  • Page 85: Configuring Tacacs+ Server Monitoring Parameters

    Step 2 Power cycle the switch. Step 3 Press the Ctrl-] key sequence when the switch begins its Cisco NX-OS software boot sequence to enter the switch(boot)# prompt mode. Ctrl-] switch(boot)# Step 4 Change to configuration mode.
  • Page 86 TACACS+ server. Enabling TACACS+ By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for fabric authentication. When you disable this feature, all related configurations are automatically discarded.
  • Page 87 Configures the TACACS+ server identified by the specified domain name and assigns the secret key. Step 7 switch(config)# tacacs-server host 171.71.58.91 timeout 25 Configures the timeout period for the switch to wait for a response from the specified server before it declares a timeout failure.
  • Page 88 Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# tacacs-server host host1.cisco.com warning: no key is configured for the host Configures the TACACS+ server identified by the specified DNS name.
  • Page 89 Step 3 switch(config)# no tacacs-server key oldPword (Optional) Deletes the configured global secret key to access the TACACS+ server and reverts to the factory default of allowing access to all configured servers.
  • Page 90 Note Prior to Cisco MDS SAN-OS Release 2.1(2), you can use the dollar sign ($) in the key but the key must be enclosed in double quotes, for example “k$”. The percent sign (%) is not allowed. In Cisco MDS SAN-OS Release 2.1(2) and later, you can use the dollar sign ($) without double quotes and the percent sign (%) in...
  • Page 91 TACACS+ servers. You can use the default test username (test) and default password (test). To configure the optional username and password for periodic TACACS+ server status testing, follow these steps: Procedure Step 1 switch# configure terminal
  • Page 92 TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes. (See the Configuring RADIUS Server Monitoring Parameters, on page 54 section).
  • Page 93 Password Aging Notification through TACACS+ Server Password aging notification is initiated when the user authenticates to a Cisco MDS 9000 switch via a TACACS+ account. The user is notified when a password is about to expire or has expired. If the password has expired, the user is prompted to change the password.
  • Page 94 About Validating a TACACS+ Server As of Cisco SAN-OS Release 3.0(1), you can periodically validate a TACACS+ server. The switch sends a test authentication to the server using the test username and test password that you configure. If the server does not respond to the test authentication, then the server is considered nonresponding.
  • Page 95 Defining Custom Attributes for Roles Cisco MDS 9000 Family switches use the TACACS+ custom attribute for service shells to configure roles to which a user belongs. TACACS+ attributes are specified in name=value format. The attribute name for this custom attribute is cisco-av-pair. The following example illustrates how to specify roles using this attribute: cisco-av-pair=shell:roles="network-admin vsan-admin"...
  • Page 96 Displaying TACACS+ Server Details Use the show aaa and show tacacs-server commands to display information about TACACS+ server configuration in all switches in the Cisco MDS 9000 Family as shown in the following examples. Displays Configured TACACS+ Server Information switch# show tacacs-server...
  • Page 97: Configuring Server Groups

    The AAA server monitoring feature can mark an AAA server as dead. You can configure a period of time in minutes to elapse before the switch sends requests to a dead AAA server. (See the AAA Server Monitoring, on page 34 section). This section includes the following topics:
  • Page 98 Configures ServerA to be tried first within the server group called RadiusServer1. If the specified RADIUS server is not found, configure it using the radius-server host command and retry this command.
  • Page 99 Creates a server group named TacacsServer1 and enters the submode for that group. Step 3 switch(config)# no aaa group server tacacs+ TacacsServer1 (Optional) Deletes the server group called TacacsServer1 from the authentication list.
  • Page 100: Aaa Server Distribution

    About Bypassing a Nonresponsive Server As of Cisco SAN-OS Release 3.0(1), you can bypass a nonresponsive AAA server within a server group. If the switch detects a nonresponsive server, it will bypass that server when authenticating users. Use this feature to minimize login delays caused by a faulty server.
  • Page 101 Server group configurations are not distributed. This section includes the following topics: Note For an MDS switch to participate in AAA server configuration distribution, it must be running Cisco MDS SAN-OS Release 2.0(1b) or later, or Cisco NX-OS Release 4.1(1). Enabling AAA RADIUS Server Distribution Only switches where distribution is enabled can participate in the distribution activity.
  • Page 102 Displaying the Pending Configuration to be Distributed To display the RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer using the show radius pending command, follow these steps: switch(config)# show radius pending-diff...
  • Page 103 Discarding the distribution of a session in progress causes the configuration in the temporary buffer to be dropped. The distribution is not applied. To discard the RADIUS session in-progress distribution, follow these steps:...
  • Page 104 • The server groups are not merged. • The server and global keys are not changed during the merge. • The merged configuration contains all servers found on all CFS enabled switches...
  • Page 105: Chap Authentication

    A server running Routing and Remote Access supports CHAP so that remote access clients that require CHAP are authenticated. CHAP is supported as an authentication method in this release...
  • Page 106: Mschap Authentication

    Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. Cisco MDS 9000 Family switches allow user logins to perform remote authentication using different versions of MSCHAP. MSCHAP is used for authentication on a RADIUS or TACACS+ server, while MSCHAPv2 is used for authentication on a RADIUS server.
  • Page 107 To enable MSCHAPv2 authentication, follow these steps: Procedure Step 1 switch# configure terminal Enters configuration mode. Step 2 switch(config)# aaa authentication login mschapv2 enable Enables MSCHAPv2 login authentication. Step 3 switch(config)# no aaa authentication login mschapv2 enable...
  • Page 108: Local Aaa Services

    Thu Dec 10 06:20:16 2009:type=stop:id=171.69.16.56@pts/1:user=admin:cmd=shell terminated gracefully Thu Dec 10 06:20:20 2009:type=stop:id=console0:user=root:cmd=shell terminated gracefully Thu Dec 10 06:29:37 2009:type=start:id=72.163.177.168@pts/1:user=admin:cmd= Thu Dec 10 06:29:42 2009:type=update:id=72.163.177.168@pts/1:user=admin:cmd=pwd (SUCCESS) Thu Dec 10 06:32:49 2009:type=start:id=72.163.190.8@pts/2:user=admin:cmd=...
  • Page 109: Configuring Accounting Services

    Disabling AAA Authentication You can turn off password verification using the none option. If you configure this option, users can log in without giving a valid password. But the user should at least exist locally on the Cisco MDS 9000 Family switch.
  • Page 110 Fri Jan 16 21:58:17 1981:stop:snmp_348530297_171.71.150.105:admin: Fri Jan 16 21:58:18 1981:start:snmp_348530298_171.71.150.105:admin: Fri Jan 16 21:58:18 1981:stop:snmp_348530298_171.71.150.105:admin: Fri Jan 16 23:37:02 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group3 Fri Jan 16 23:37:26 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for group:TacacsServer1...
  • Page 111: Configuring Cisco Access Control Servers

    Configuring Cisco Access Control Servers The Cisco Access Control Server (ACS) uses TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment. When using the AAA server, user management is normally done using Cisco ACS. Figure 4: Configuring the network-admin Role When Using RADIUS, on page...
  • Page 112 Configuring Security Features on an External AAA Server Configuring Cisco Access Control Servers Figure 4: Configuring the network-admin Role When Using RADIUS...
  • Page 113 Figure 5: Configuring Multiple Roles with SNMPv3 Attributes When Using RADIUS...
  • Page 114 Figure 6: Configuring the network-admin Role with SNMPv3 Attributes When Using TACACS+...
  • Page 115: Default Settings

    Roles in Cisco MDS switches: Network operator (network-operator); AAA configuration services: Local; Authentication port: 1812; Accounting port: 1813; Preshared key communication: Clear text; RADIUS server timeout: 1 (one) second; RADIUS server retries: Once; Authorization: Disabled...
  • Page 116 RADIUS server directed requests: Disabled; TACACS+: Disabled; TACACS+ servers: None configured; TACACS+ server timeout: 5 seconds; TACACS+ server directed requests: Disabled; AAA server distribution: Disabled; Accounting log size: 250 KB...
  • Page 117 A filter contains the rules to match an IP packet, and if the packet matches, the rule also stipulates if the packet should be permitted or denied. Each Cisco MDS 9000 Series Switch can have a maximum total of 128 IPv4-ACLs or 128 IPv6-ACLs and each IPv4-ACL or IPv6-ACL can have a maximum of 256 filters.
  • Page 118: About Ipv4 And Ipv6 Access Control Lists

    A filter contains the rules to match an IP packet, and if the packet matches, the rule also stipulates if the packet should be permitted or denied. Each switch in the Cisco MDS 9000 Family can have a maximum total of 128 IPv4-ACLs or 128 IPv6-ACLs and each IPv4-ACL or IPv6-ACL can have a maximum of 256 filters.
  • Page 119: About Filter Contents

    For example, 0.0.255.255 requires an exact match of only the first 16 bits of the source. Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid...
  • Page 120 • Specify the number of the port. Port numbers range from 0 to 65535. The following table displays the port numbers recognized by the Cisco NX-OS software for associated TCP and UDP ports. • Specify the name of a TCP or UDP port as follows: •...
  • Page 121 The following table displays the value for each ICMP type. Table 9: ICMP Type Value ICMP Type Code echo echo-reply destination unreachable traceroute time exceeded ICMP redirect packets are always rejected...
  • Page 122: Creating Ipv4-Acls Or Ipv6-Acls

    Configures an IPv4-ACL called List1 and permits IP traffic from any source address to any destination address. Step 3 switch(config)# no ip access-list List1 permit ip any any (Optional) Removes the IPv4-ACL called List1...
  • Page 123: Creating Ipv6-Acls

    Adds an entry to deny TCP traffic from any source address to any destination address. Defining IPv4-ACLs To define an IPv4-ACL that restricts management access, follow these steps: Procedure Step 1 switch# configure terminal Enters configuration mode...
  • Page 124: Defining Ipv6-Acls

    Explicitly blocks all other IPv6 access. Operand and port options for an IPv4-ACL To use the operand and port options for an IPv4-ACL, follow these steps: Procedure Step 1 switch# configure terminal...
  • Page 125: Operand And Port Options For An Ipv6-Acl

    List1 permit tcp 10.1.1.2 0.0.0.0 172.16.1.1 0.0.0.0 eq port http Permits TCP for HTTP traffic. Step 4 switch(config)# ip access-list List1 permit udp 10.1.1.2 0.0.0.0 172.16.1.1 0.0.0.0 Permits UDP for all traffic...
  • Page 126: Adding Ip Filters To An Existing Ipv6-Acl

    Removes this entry from the IPv4-ACL (List2). Step 3 switch(config)# no ip access-list x3 deny ip any any Removes this entry from the IPv4-ACL (x3). Step 4 switch(config)# no ip access-list x3 permit ip any any...
  • Page 127: Removing Ip Filters From An Existing Ipv6-Acl

    10.3.70.0 0.0.0.255 (7 matches) Displays Configured IPv6-ACLs Use the show ipv6 access-list command to view the contents of configured access filters. Each access filter can have several conditions. (See the following examples)...
  • Page 128: Reading The Ip-Acl Log Dump

    For the output ACL, the raw Layer 2 information is not logged. The following example is an input ACL log dump: Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG:...
  • Page 129: Applying An Ip-Acl To An Interface

    • In—Traffic that arrives at the interface and goes through the switch; the source is where it transmitted from and the destination is where it is transmitted to (on the other side of the router)...
  • Page 130: Applying An Ipv6-Acl To An Interface

    Step 8 switch(config-if)# no ip access-group SampleName2 out Removes the IPv4-ACL called SampleName2 for egress traffic. Applying an IPv6-ACL to an Interface To apply an IPv6-ACL to an interface, follow these steps:...
  • Page 131: Applying An Ip-Acl To Mgmt0

    Verifying Interface IP-ACL Configuration Use the show interface command to display the IPv4-ACL configuration on an interface. switch# show interface mgmt 0 mgmt0 is up Internet address(es): 10.126.95.180/24 2001:420:54ff:a4::222:5dd/119 fe80::eaed:f3ff:fee5:d28f/64 Hardware is GigabitEthernet...
  • Page 132: Open Ip Ports On Cisco Mds 9000 Series Platforms

    0 carrier errors Open IP Ports on Cisco MDS 9000 Series Platforms Cisco MDS 9000 Series platforms with default configurations have IP ports that are open on the external management interface. The table below lists the open ports and their corresponding services:...
  • Page 133: Ip-Acl Counter Cleanup

    This port can be closed by disabling the cluster service. Refer to the Enabling and Disabling Clustering section of the Cisco MDS 9000 Family Storage Media Encryption Configuration Guide for details. License Manager—These ports are used by the License Manager service. They are for intraswitch use only. It is not essential to provide external access to or from these ports.
  • Page 134 Use the clear ipv6 access-list name command to clear the counters for a specified IPv6-ACL. switch# clear ipv6 access-list List1 Note You cannot use this command to clear the counters for each individual filter...
  • Page 135 Default Settings, on page 154 About CAs and Digital Certificates Public Key Infrastructure (PKI) support provides the means for the Cisco MDS 9000 Family switches to obtain and use digital certificates for secure communication in the network. PKI support provides manageability and scalability for IPsec/IKE and SSH.
  • Page 136 CA, which consists of one key-pair and one identity certificate per CA. Cisco MDS NX-OS allows you to generate RSA key-pairs with a configurable key size (or modulus). The default key size is 512. You can also configure an RSA key-pair label. The default key label is the switch fully qualified domain name (FQDN).
  • Page 137 CA. 4. Receive the issued certificate back from the CA, signed with the CA’s private key. 5. Write the certificate into a nonvolatile storage area on the switch (bootflash)...
  • Page 138 CAs locally and use them later if necessary until the CRLs expire. Cisco MDS NX-OS allows the manual configuration of pre-downloaded CRLs for the trust points, and then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by IPsec or SSH, the issuing CA’s CRL is consulted only if the CRL has already been cached locally and the revocation...
  • Page 139 CA certificate (or chain). Configuring CAs and Digital Certificates This section describes the tasks you must perform to allow CAs and digital certificates to interoperate with your Cisco MDS switch. This section includes the following sections: Configuring the Host Name and IP Domain Name You must configure the host name and IP domain name of the switch if they are not already configured.
  • Page 140 Declares a trust point CA that the switch should trust and enters trust point configuration submode. The maximum number of trust points you can declare on a switch is 16. Note...
  • Page 141 CA certificate chain is 10. To authenticate the certificate of the CA by cutting and pasting the certificate from an e-mail message or a website, follow these steps: Procedure Step 1 switch# configure terminal...
  • Page 142 Configuring Certificate Revocation Checking Methods During security exchanges with a client (for example, an IKE peer or SSH user), the Cisco MDS switch performs the certificate verification of the peer certificate sent by the client. The verification process may involve certificate revocation status checking.
  • Page 143 For security reasons your password will not be saved in the configuration. Please make a note of it. Password: nbv123 The subject name in the certificate will be: Vegas-1.cisco.com Include the switch serial number in the subject name? [yes/no]: no...
  • Page 144 (cut & paste) certificate in PEM format: -----BEGIN CERTIFICATE----- MIIEADCCA6qgAwIBAgIKCjOOoQAAAAAAdDANBgkqhkiG9w0BAQUFADCBkDEgMB4G CSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklOMRIwEAYD VQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UEChMFQ2lz Y28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBDQTAeFw0w NTExMTIwMzAyNDBaFw0wNjExMTIwMzEyNDBaMBwxGjAYBgNVBAMTEVZlZ2FzLTEu Y2lzY28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/GNVACdjQu41C dQ1WkjKjSICdpLfK5eJSmNCQujGpzcuKsZPFXjF2UoiyeCYE8ylncWyw5E08rJ47 glxr42/sI9IRIb/8udU/cj9jSSfKK56koa7xWYAu8rDfz8jMCnIM4W1aY/q2q4Gb x7RifdV06uFqFZEgs17/Elash9LxLwIDAQABo4ICEzCCAg8wJQYDVR0RAQH/BBsw GYIRVmVnYXMtMS5jaXNjby5jb22HBKwWH6IwHQYDVR0OBBYEFKCLi+2sspWEfgrR bhWmlVyo9jngMIHMBgNVHSMEgcQwgcGAFCco8kaDG6wjTEVNjskYUBoLFmxxoYGW pIGTMIGQMSAwHgYJKoZIhvcNAQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UE BhMCSU4xEjAQBgNVBAgTCUthcm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4w DAYDVQQKEwVDaXNjbzETMBEGA1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBh cm5hIENBghAFYNKJrLQZlE9JEiWMrRl6MGsGA1UdHwRkMGIwLqAsoCqGKGh0dHA6 Ly9zc2UtMDgvQ2VydEVucm9sbC9BcGFybmElMjBDQS5jcmwwMKAuoCyGKmZpbGU6 Ly9cXHNzZS0wOFxDZXJ0RW5yb2xsXEFwYXJuYSUyMENBLmNybDCBigYIKwYBBQUH...
  • Page 145 Ensuring Trust Point Configurations Persist Across Reboots The trust point configuration is a normal Cisco NX-OS configuration that persists across system reboots only if you copy it explicitly to the startup configuration. The certificates, key-pairs, and CRL associated with a trust point are automatically persistent if you have already copied the trust point configuration in the startup configuration.
  • Page 146 Imports the identity certificate and associated key-pair and CA certificates for trust point admin-ca from the file bootflash:adminid.p12 in PKCS#12 format, protected using password nbv123...
  • Page 147 Deletes the CA certificate or certificate chain. Step 4 switch(config-trustpoint)# delete certificate Deletes the identity certificate. Step 5 switch(config-trustpoint)# delete certificate force Forces the deletion of the identity certificate...
  • Page 148 Step 3 switch(config)# end switch# Returns to EXEC mode. Step 4 switch# copy running-config startup-config Copies the running configuration to the startup configuration to ensure the configuration is persistent across reboots...
  • Page 149 Displays information about CA trust points. Example Configurations This section shows an example of the tasks you can use to configure certificates and CRLs on the Cisco MDS 9000 Family switches using the Microsoft Windows Certificate server. This section includes the following topics:...
  • Page 150 -----BEGIN CERTIFICATE----- MIIC4jCCAoygAwIBAgIQBWDSiay0GZRPSRIljK0ZejANBgkqhkiG9w0BAQUFADCB kDEgMB4GCSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklO MRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UE ChMFQ2lzY28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBD QTAeFw0wNTA1MDMyMjQ2MzdaFw0wNzA1MDMyMjU1MTdaMIGQMSAwHgYJKoZIhvcN AQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUth cm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4wDAYDVQQKEwVDaXNjbzETMBEG A1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBhcm5hIENBMFwwDQYJKoZIhvcN AQEBBQADSwAwSAJBAMW/7b3+DXJPANBsIHHzluNccNM87ypyzwuoSNZXOMpeRXXI OzyBAgiXT2ASFuUOwQ1iDM8rO/41jf8RxvYKvysCAwEAAaOBvzCBvDALBgNVHQ8E BAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJyjyRoMbrCNMRU2OyRhQ GgsWbHEwawYDVR0fBGQwYjAuoCygKoYoaHR0cDovL3NzZS0wOC9DZXJ0RW5yb2xs L0FwYXJuYSUyMENBLmNybDAwoC6gLIYqZmlsZTovL1xcc3NlLTA4XENlcnRFbnJv bGxcQXBhcm5hJTIwQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEB BQUAA0EAHv6UQ+8nE399Tww+KaGr0g0NIJaqNgLh0AFcT0rEyuyt/WYGPzksF9Ea NBG7E0oN66zex0EOEfG1Vs6mXp1//w== -----END CERTIFICATE----- END OF INPUT Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12 Do you accept this certificate? [yes/no]:y...
  • Page 151 Step 10 Import the identity certificate. Vegas-1(config)# crypto ca import myCA certificate input (cut & paste) certificate in PEM format: -----BEGIN CERTIFICATE----- MIIEADCCA6qgAwIBAgIKCjOOoQAAAAAAdDANBgkqhkiG9w0BAQUFADCBkDEgMB4G CSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklOMRIwEAYD VQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UEChMFQ2lz Y28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBDQTAeFw0w NTExMTIwMzAyNDBaFw0wNjExMTIwMzEyNDBaMBwxGjAYBgNVBAMTEVZlZ2FzLTEu Y2lzY28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/GNVACdjQu41C dQ1WkjKjSICdpLfK5eJSmNCQujGpzcuKsZPFXjF2UoiyeCYE8ylncWyw5E08rJ47 glxr42/sI9IRIb/8udU/cj9jSSfKK56koa7xWYAu8rDfz8jMCnIM4W1aY/q2q4Gb x7RifdV06uFqFZEgs17/Elash9LxLwIDAQABo4ICEzCCAg8wJQYDVR0RAQH/BBsw GYIRVmVnYXMtMS5jaXNjby5jb22HBKwWH6IwHQYDVR0OBBYEFKCLi+2sspWEfgrR...
  • Page 152 Save the certificate configuration to the startup configuration. Vegas-1# copy running-config startup-config Downloading a CA Certificate To download a CA certificate from the Microsoft Certificate Services web interface, follow these steps:...
  • Page 153 Services web interface and click the Next button. Step 2 Select the CA certificate file to download from the displayed list. Click the Base 64 encoded radio button, and choose the Download CA certificate link...
  • Page 154 Downloading a CA Certificate Step 3 Click the Open button in the File Download dialog box. Step 4 Click the Copy to File button in the Certificate dialog box and click OK...
  • Page 155 Select the Base-64 encoded X.509 (CER) on the Certificate Export Wizard dialog box and click Next. Step 6 Enter the destination file name in the File name: text box on the Certificate Export Wizard dialog box and click Next...
  • Page 156 Display the CA certificate stored in Base-64 (PEM) format using the Microsoft Windows type command. Requesting an Identity Certificate To request an identity certificate from a Microsoft Certificate server using a PKCS#10 certificate signing request (CSR), follow these steps:...
  • Page 157 Procedure Step 1 Choose the Request a certificate radio button on the Microsoft Certificate Services web interface and click Next. Step 2 Choose the Advanced request radio button and click Next...
  • Page 158 Paste the base64 PKCS#10 certificate request in the Saved Request text box and click Next. The certificate request is copied from the MDS switch console (see Generating Certificate Requests, on page Configuring Certificates on the MDS Switch, on page 131)...
  • Page 159 Configuring Certificate Authorities and Digital Certificates Requesting an Identity Certificate Step 5 Wait one or two days until the certificate is issued by the CA administrator. Step 6 The CA administrator approves the certificate request...
  • Page 160 Choose the Check on a pending certificate radio button on the Microsoft Certificate Services web interface and click Next. Step 8 Select the certificate request you want to check and click Next...
  • Page 161 Requesting an Identity Certificate Step 9 Select Base 64 encoded and click the Download CA certificate link. Step 10 Click Open on the File Download dialog box...
  • Page 162 X.509 (.CER) radio button on the Certificate Export Wizard dialog box and click Next. Step 12 Enter the destination file name in the File name: text box on the Certificate Export Wizard dialog box, then click Next...
  • Page 163 Step 14 Display the identity certificate in base64-encoded format using the Microsoft Windows type command. Revoking a Certificate To revoke a certificate using the Microsoft CA administrator program, follow these steps:...
  • Page 164 Click the Issued Certificates folder on the Certification Authority tree. From the list, right-click the certificate you want to revoke. Step 2 Select All Tasks > Revoke Certificate. Step 3 Select a reason for the revocation from the Reason code drop-down list, and click Yes...
  • Page 165 Click the Revoked Certificates folder to list and verify the certificate revocation. Generating and Publishing the CRL To generate and publish the CRL using the Microsoft CA administrator program, follow these steps:...
  • Page 166 Procedure Step 1 Select Action > All Tasks > Publish on the Certification Authority screen. Step 2 Click Yes on the Certificate Revocation List dialog box to publish the latest CRL...
  • Page 167 Choose Request the CA certificate or certificate revocation list radio button on the Microsoft Certificate Services web interface and click Next. Step 2 Click the Download latest certificate revocation list link...
  • Page 168 Downloading the CRL Step 3 Click Save in the File Download dialog box. Step 4 Enter the destination file name in the Save As dialog box and click Save...
  • Page 169 Vegas-1(config)# crypto ca crl request myCA bootflash:aparnaCA.crl Vegas-1(config)# Step 3 Display the contents of the CRL. Vegas-1(config)# show crypto ca crl myCA Trustpoint: myCA CRL: Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption...
  • Page 170 Serial Number: 16DB4F8F000000000012 Revocation Date: Aug 16 21:53:15 2005 GMT Serial Number: 261C3924000000000013 Revocation Date: Aug 16 21:53:15 2005 GMT Serial Number: 262B5202000000000014 Revocation Date: Jul 14 00:33:10 2005 GMT Serial Number: 2634C7F2000000000015...
  • Page 171 The following table lists the maximum limits for CAs and digital certificate parameters. Table 11: Maximum Limits for CA and Digital Certificate Feature Maximum Limit Trust points declared on a switch RSA key-pairs generated on a switch...
  • Page 172 Table 12: Default CA and Digital Certificate Parameters Parameters Default Trust point None RSA key-pair None RSA key-pair label Switch FQDN RSA key-pair modulus RSA key-pair exportable Revocation check method of trust point...
  • Page 173: Ssh Services

    Configuring SSH Services A secure SSH connection, with rsa key is available as default on all Cisco MDS 9000 Series Switches. If you require a secure SSH connection with a dsa key, you need to disable the default SSH connection, generate a...
  • Page 174: Generating The Ssh Server Key Pair

    SSH server key pair according to the SSH client version used. The number of bits specified for each key pair ranges from 768 to 2048. Starting from Cisco MDS NX-OS Release 8.2(1), the minimum RSA key size in FIPS mode should be 2048 bits.
  • Page 175: Specifying The Ssh Key

    Enters configuration mode. Step 3 switch(config)# username admin sshkey file bootflash:secsh_file.pub Specifies the SSH key for the user account (admin). Step 4 switch(config)# no username admin sshkey file bootflash:secsh_file.pub...
  • Page 176: Overwriting A Generated Key Pair

    Step 2 switch(config)# ssh key dsa 768 Example: ssh key dsa 512 dsa keys already present, use force option to overwrite them switch(config)# ssh key dsa 512 force deleting old dsa key...
  • Page 177: Configuring The Maximum Number Of Ssh Login Attempts

    SSH login attempts value to more than 1. Step 3 (Optional) show running-config security all Displays the configured maximum number of SSH login attempts. Example: switch(config)# show running-config security all...
  • Page 178: Clearing Ssh Hosts

    Please contact your system administrator. Add correct host key in /mnt/pss/.ssh/known_hosts to get rid of this message. Offending key in /mnt/pss/.ssh/known_hosts:2 RSA1 host key for 10.10.1.1 has changed and you have requested strict checking...
  • Page 179: Enabling Ssh Or Telnet Service

    Use the show ssh server command to display the status of the SSH protocol (enabled or disabled) and the versions that are enabled for that switch (see the following example). switch# show ssh server ssh is enabled version 1 enabled version 2 enabled...
  • Page 180: Ssh Authentication Using Digital Certificates

    (see the following example). Note From Cisco MDS NX-OS Release 8.2(1), the fingerprint value displayed in the output of the show ssh key [rsa | dsa] command is a SHA-2 value, as SHA-2 is considered to be secure...
  • Page 181: Passwordless File Copy And Ssh

    (Optional) Deletes the public and private RSA keys for the account (admin). Step 4 switch# show username admin keypair Example: ************************************** rsa Keys generated: Thu Jul 9 11:10:29 2009...
  • Page 183 Appends the public key stored in key_rsa.pub to the authorized_keys file on the SCP server. The passwordless ssh/scp is then enabled from the switch to this server using the standard ssh and scp commands...
  • Page 184 Configuring SSH Services Passwordless File copy and SSH...
  • Page 185 (IETF). IPsec provides security services at the IP layer, including protecting one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The overall IPsec implementation is the latest version of RFC 2401. Cisco NX-OS IPsec implements RFC 2402 through RFC 2410.
  • Page 186: About Ipsec

    Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers). Note IPsec is not supported by the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch for IBM BladeCenter. IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet.
  • Page 187: About Ike

    Figure 9: FCIP and iSCSI Scenarios Using MPS-14/2 Modules About IKE IKE automatically negotiates IPsec security associations and generates keys for all switches using the IPsec feature. Specifically, IKE provides these benefits:...
  • Page 188: Ipsec Prerequisites

    • Supports a manageable, scalable IPsec configuration. • Allows dynamic authentication of peers. Note IKE is not supported on the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch for IBM BladeCenter. IPsec Prerequisites To use the IPsec feature, you need to perform the following tasks: •...
  • Page 189 SA. When using IKE to establish the SAs, the SPI for each SA is a pseudo-randomly derived number. • Peer—A switch or other device that participates in IPsec. For example, a Cisco MDS switch or other Cisco routers that support IPsec.
  • Page 190 Note Cisco NX-OS images with strong encryption are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.
  • Page 191: Ipsec Digital Certificate Support

    Implementing IPsec Without CAs and Digital Certificates Without a CA and digital certificates, enabling IPsec services (such as encryption) between two Cisco MDS switches requires that each switch has the key of the other switch (such as an RSA public key or a shared key).
  • Page 192 IPsec traffic is exchanged between the two switches. If you have multiple Cisco MDS switches in a mesh topology and wish to exchange IPsec traffic passing among all of those switches, you must first configure shared keys or RSA public keys among all of those switches.
  • Page 193 (CRL), which each peer may check before accepting a certificate from another peer. Certificate support for IKE has the following considerations: • The switch FQDN (host name and domain name) must be configured before installing certificates for IKE.
  • Page 194: Manually Configuring Ipsec And Ike

    Fabric Manager initializes IKE when you first configure it. You cannot disable IKE if IPsec is enabled. If you disable the IKE feature, the IKE configuration is cleared from the running configuration.
  • Page 195 To configure the IPsec domain, follow these steps: Procedure Step 1 switch# configure terminal switch(config)# Enters configuration mode. Step 2 switch(config)# crypto ike domain ipsec switch(config-ike-ipsec)# Allows IKE configurations for IPsec domains.
  • Page 196 An IKE tunnel is a secure IKE session between two endpoints. IKE creates this tunnel to protect IKE messages used in IPsec SA negotiations. Two versions of IKE are used in the Cisco NX-OS implementation. • IKE version 1 (IKEv1) is implemented using RFC 2407, 2408, 2409, and 2412.
  • Page 197 Configures the identity mode for the IKE protocol to use the fully-qualified domain name (FQDN). The FQDN is required for using RSA signatures for authentication. Note Step 5 switch(config-ike-ipsec)# no identity
  • Page 198 (Optional) Defaults to SHA. Step 18 switch(config-ike-ipsec-policy)# authentication pre-share Configures the authentication method to use the preshared key (default). Step 19 switch(config-ike-ipsec-policy)# authentication rsa-sig Configures the authentication method to use the RSA signature.
  • Page 199: Optional Ike Parameter Configuration

    • If the switch on one side of an FCIP tunnel is running MDS SAN-OS Release 3.0(1) or later, or Cisco NX-OS 4.1(1b) and the switch on the other side of the FCIP tunnel is running MDS SAN-OS Release 2.x, configuring IKEv1 on either side (or both) results in the FCIP tunnel using IKEv1.
  • Page 200 When IPsec implementations in the host prefer to initiate the IPsec rekey, be sure to configure the IPsec lifetime value in the Cisco MDS switch to be higher than the lifetime value in the host. This section includes the following topics:...
  • Page 201 Configures the switch to use IKEv1 when initiating IKE with device 10.10.10.0 Note IKE supports IPv4 addresses, not IPv6 addresses. Step 4 switch(config-ike-ipsec)# no initiator version 1 address 10.10.10.1 (Optional) Defaults to IKEv2 for the specified device.
  • Page 202: Crypto Ipv4-Acls

    Use the crypto ike domain ipsec rekey IPv4-ACL-index command to refresh the SAs after performing IKEv2 configuration changes. Crypto IPv4-ACLs IP access control lists (IPv4-ACLs) provide basic network security to all switches in the Cisco MDS 9000 Family. IPv4 IP-ACLs restrict IP-related traffic based on the configured IP filters. See About IPv4 and IPv6 Access Control Lists for details on creating and defining IPv4-ACLs.
  • Page 203 • The crypto IPv4-ACL you define is applied to an interface after you define the corresponding crypto map entry and apply the crypto map set to the interface. • Different IPv4-ACLs must be used in different entries of the same crypto map set.
  • Page 204 • Each IPv4-ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The IPsec feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS 9216i Switch.
  • Page 205 This can happen in the case when an entry in one peer's IPv4-ACL is a subset of an entry in the other peer's IPv4-ACL, such as shown in cases 3 and 4 of Figure 14: IPsec Processing of Mirror Image Configuration,
  • Page 206 Step 1 switch# configure terminal switch(config)# Enters configuration mode. Step 2 switch(config)# ip access-list List1 permit ip 10.1.1.100 0.0.0.255 11.1.1.100 0.0.0.255 Permits all IP traffic from and to the specified networks.
  • Page 207 Note When you enable IPsec, the Cisco NX-OS software automatically creates a default transform set (ipsec_default_tranform_set) using AES-128 encryption and SHA-1 authentication algorithms. The following table provides a list of allowed transform combinations for IPsec.
  • Page 208 If you configure the AES counter (CTR) mode, you must also configure the authentication algorithm. Starting from Cisco MDS NX-OS Release 5.2(2), the esp-aes-xcbc-mac authentication algorithm is not supported. The following table lists the supported and verified settings for IPsec and IKE encryption authentication...
  • Page 209 • The crypto map entries must have at least one transform set in common, where IKE negotiations are carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
  • Page 210 Note If the peer IP address specified in the crypto map entry is a VRRP IP address on a remote Cisco MDS switch, ensure that the IP address is created using the secondary option (see the Cisco MDS 9000 Family NX-OS IP Services Configuration Guide for more information).
  • Page 211 Enters configuration mode. Step 2 switch(config)# crypto map domain ipsec SampleMap 31 switch(config-crypto-map-ip)# Enters crypto map configuration submode for the entry named SampleMap with 31 as its sequence number.
  • Page 212 X to set up SAs with the switch. Each host will set up its own SA, but will share the crypto map entry. Without the auto-peer option, each host needs one crypto map entry. See Sample iSCSI Configuration, on page 208 for more details.
  • Page 213 Directs the software to select (during the SA setup) the destination peer IP address dynamically. Step 4 switch(config-crypto-map-ip)# no set peer auto-peer (Optional) Deletes the auto-peer configuration.
  • Page 214 However, you cannot apply more than one crypto map set to each interface. Applying a Crypto Map Set To apply a crypto map set to an interface, follow these steps:
  • Page 215: Ipsec Maintenance

    IPsec SAs. You can configure two lifetimes: timed or traffic-volume. An SA expires after the first of these lifetimes is reached. The default lifetimes are 3,600 seconds (one hour) and 450 GB.
  • Page 216 (in gigabytes) has passed through the FCIP link using the SA. The global lifetime ranges from 1 to 4095 gigabytes. Step 5 switch(config)# crypto global domain ipsec security-association lifetime kilobytes 2560 Configures the global traffic-volume lifetime in kilobytes. The global lifetime ranges from 2560 to 2147483647 kilobytes.
  • Page 217: Displaying Ike Configurations

    Encr Hash Auth Method Lifetime ---------------------------------------------------------------------------------------- 172.22.31.165[500] 172.22.31.166[500] 3des sha1 preshared key 86400 172.22.91.174[500] 172.22.91.173[500] 3des sha1 preshared key 86400 ----------------------------------------------------------------------------------------- NOTE: tunnel id ended with * indicates an IKEv1 tunnel
  • Page 218: Displaying Ipsec Configurations

    Peer = Auto Peer IP ACL = acl10 permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0 Transform-sets: 3des-md5, des-md5, Security Association Lifetime: 4500 megabytes/3600 seconds PFS (Y/N): N Interface using crypto map set cm10: GigabitEthernet4/1
  • Page 219 500 permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0 deny ip any any Policy Database for interface: GigabitEthernet4/2, direction: Both deny udp any port eq 500 any <-----------------------UDP default entry
  • Page 220 Port vsan is 1 Speed is 1 Gbps Trunk vsans (admin allowed and active) (1) Trunk vsans (up) Trunk vsans (isolated) Trunk vsans (initializing) Using Profile id 1 (interface GigabitEthernet2/1) Peer Information
  • Page 221 Inbound SA stats: 0 num, 512 max Outbound SA stats: 0 num, 512 max Displays the Global SA Lifetime Values switch# show crypto global domain ipsec security-association lifetime Security Association Lifetime: 450 gigabytes/3600 seconds
  • Page 222: Sample Fcip Configuration

    Configure the crypto map in Switch MDS A. sw10.1.1.100(config)# crypto map domain ipsec cmap-01 1 sw10.1.1.100(config-crypto-map-ip)# match address acl1 sw10.1.1.100(config-crypto-map-ip)# set peer 10.10.100.232 sw10.1.1.100(config-crypto-map-ip)# set transform-set tfs-02 sw10.1.1.100(config-crypto-map-ip)# set security-association lifetime seconds 3600
  • Page 223 10.10.100.232 sw10.1.1.100# show crypto ike domain ipsec policy Priority 1, auth pre-shared, lifetime 86300 secs, encryption 3des, hash md5, DH group 1
  • Page 224 10.10.100.232 sw11.1.1.100(config-profile)# int fcip 2 sw11.1.1.100(config-if)# peer-info ipaddr 10.10.100.231 sw11.1.1.100(config-if)# use-profile 2 sw11.1.1.100(config-if)# no shut sw11.1.1.100(config-if)# exit sw11.1.1.100(config)# exit Step 16 Verify the configuration in Switch MDS C.
  • Page 225 NOTE: tunnel id ended with * indicates an IKEv1 tunnel Step 17 Verify the configuration in Switch MDS A. sw10.1.1.100# show crypto sad domain ipsec interface: GigabitEthernet7/1 Crypto map tag: cmap-01, local addr. 10.10.100.231
  • Page 226: Sample Iscsi Configuration

    With auto-peer, only one crypto map is necessary to create SAs for all the hosts in the same subnet. Without auto-peer, you need one crypto map entry per host. Figure 17: iSCSI with End-to-End IPsec
  • Page 227: Default Settings

    You have now configured IPsec in MDS A using the Cisco MDS IPsec and iSCSI features. Default Settings The following table lists the default settings for IKE parameters. Table 15: Default IKE Parameters...
  • Page 228 Table 16: Default IPsec Parameters Parameters Default IPsec Disabled. Applying IPsec to the traffic. Deny—allowing clear text. IPsec PFS Disabled. IPsec global lifetime (traffic-volume) 450 Gigabytes. IPsec global lifetime (time) 3,600 seconds (one hour).
  • Page 229 For example, in a campus environment with geographically distributed switches, someone could maliciously interconnect incompatible switches or you could accidentally do so, resulting in Inter-Switch Link (ISL) isolation and link disruption. This need for physical security is addressed by switches in the Cisco MDS 9000 Family (see Figure 18: Switch and Host Authentication, on page 212
  • Page 230 Note The terms FC-SP and DHCHAP are used interchangeably in this chapter.
  • Page 231 This section includes the following topics: DHCHAP Compatibility with Existing Cisco MDS Features This section identifies the impact of configuring the DHCHAP feature along with existing Cisco MDS features: • PortChannel interfaces—If DHCHAP is enabled for ports belonging to a PortChannel, DHCHAP authentication is performed at the physical interface level, not at the PortChannel level.
  • Page 232 Whenever DHCHAP port mode is changed to a mode other than the Off mode, reauthentication is performed. Changing DHCHAP port mode for a VE link requires a port flap on both the ends. The following table identifies the switch-to-switch authentication behavior between two Cisco MDS switches in various modes.
  • Page 233 Changes the DHCHAP authentication mode to auto-active for the selected interfaces and enables reauthentication every two hours (120 minutes) after the initial authentication. Step 7 switch(config-if)# fcsp auto-active Changes the DHCHAP authentication mode to auto-active for the selected interfaces. Reauthentication is disabled (default).
  • Page 234 About DHCHAP Hash Algorithm About DHCHAP Hash Algorithm Cisco MDS switches support a default hash algorithm priority list of MD5 followed by SHA-1 for DHCHAP authentication. If you change the hash algorithm configuration, then change it globally for all switches in the fabric.
  • Page 235 Configuring FC-SP and DHCHAP Configuring the DHCHAP Group Settings Refer to the fcsp dhchap dhgroup command in the Cisco MDS 9000 Series NX-OS Command Reference Guide for details about the groups. If you change the DH group configuration, change it globally for all switches in the fabric.
  • Page 236 We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to use a local password database, you can continue to do so using Approach 3 and using the Cisco MDS 9000 Family Fabric Manager to manage the password database.
  • Page 237 • The existing RADIUS and TACACS+ timeout values. • The same value must also be configured on all switches in the fabric. Configuring the DHCHAP Timeout Value To configure the DHCHAP timeout value, follow these steps:
  • Page 238 Use the show fcsp commands to display configurations for the local database (see the following examples). Displays DHCHAP Configurations in FC Interfaces switch# show fcsp interface fc1/9 fc1/9: fcsp authentication mode:SEC_MODE_ON Status: Successfully authenticated
  • Page 239 Use the ASCII representation of the device WWN (identified in bold in the Displays the ASCII Representation of the Device WWN example) to configure the switch information on RADIUS and TACACS+ servers.
  • Page 240 MDS-9216# show fcsp dhchap database DHCHAP Local Password: Non-device specific password:******* Other Devices' Passwords: Password for device with WWN:20:00:00:05:30:00:38:5e is ******* Step 7 Display the DHCHAP configuration in the Fibre Channel interface.
  • Page 241 A priority list of MD5 followed by SHA-1 for DHCHAP authentication DHCHAP authentication mode Auto-passive DHCHAP group default priority exchange order 0, 4, 1, 2, and 3 respectively DHCHAP timeout value 30 seconds
  • Page 242 Configuring FC-SP and DHCHAP Default Settings
  • Page 243 C H A P T E R Configuring Port Security All Cisco MDS 9000 Series Switches provide port security features that reject intrusion attempts and report these intrusions to the administrator. Note Port security is supported for Fibre Channel ports and Fibre Channel over Ethernet (FCoE) ports as fc-port-security.
  • Page 244 You can instruct the switch to automatically learn (auto-learn) the port security configurations over a specified period. This feature allows any switch in the Cisco MDS 9000 Family to automatically learn about devices and switches that connect to it. Use this feature when you activate the port security feature for the first time as it saves tedious manual configuration for each port.
  • Page 245 Port Security Activation Port Security Activation By default, the port security feature is not activated in any switch in the Cisco MDS 9000 Family. By activating the port security feature, the following apply: • Auto-learning is also automatically enabled, which means: •...
  • Page 246 Disable auto-learn on each VSAN. See Disabling Auto-learning, on page 232. Step 5 Copy the running configuration to the startup configuration. This saves the port security configuration database to the startup configuration.
  • Page 247 Repeat Step 1 through Step 5 for all switches in the fabric. Enabling Port Security By default, the port security feature is disabled in all switches in the Cisco MDS 9000 Family. To enable port security, follow these steps: Procedure...
  • Page 248 You can view missing or conflicting entries using the port-security database diff active vsan command in EXEC mode. To forcefully activate the port security database, follow these steps: Procedure Step 1 switch# configure terminal switch(config)# Enters configuration mode. Step 2 switch(config)# port-security activate vsan 1 force
  • Page 249 About Enabling Auto-learning The state of the auto-learning configuration depends on the state of the port security feature: • If the port security feature is not activated, auto-learning is disabled by default.
  • Page 250 Disables auto-learning and stops the switch from learning about new devices accessing the switch. Enforces the database contents based on the devices learned up to this point. Auto-learning Device Authorization The following table summarizes the authorized connection conditions for device requests.
  • Page 251 Condition Reason P1, N2, F1 Permitted No conflict. P2, N2, F1 Permitted No conflict. P3, N2, F1 Denied F1 is bound to P1/P2. P1, N3, F1 Permitted Wildcard match for N3.
  • Page 252 Permitted Wildcard ( * ) match for N3. Port Security Manual Configuration To configure port security on any switch in the Cisco MDS 9000 Family, follow these steps: Procedure Step 1 Identify the WWN of the ports that need to be secured.
  • Page 253 Configures any WWN to log in through the specified interfaces. Step 6 switch(config-port-security)# pwwn 20:11:00:33:11:00:2a:4a fwwn 20:81:00:44:22:00:4a:9e Configures the specified pWWN to only log in through the specified fWWN. Step 7 switch(config-port-security)# no pwwn 20:11:00:33:11:00:2a:4a fwwn 20:81:00:44:22:00:4a:9e
  • Page 254 Port Security Configuration Distribution The port security feature uses the Cisco Fabric Services (CFS) infrastructure to enable efficient database management, provide a single point of configuration for the entire fabric in the VSAN, and enforce the port security policies throughout the fabric.
  • Page 255 • No other user can make any configuration changes to this feature. • A copy of the configuration database becomes the pending database. To display the CFS lock information, use the show cfs lock command. For more information, see the Cisco MDS 9000 Family Command Reference.
  • Page 256 If you discard (abort) the changes made to the pending database, the configuration remains unaffected and the lock is released. To display the CFS lock information, use the show cfs lock command. For more information, see the Cisco MDS 9000 Family Command Reference.
  • Page 257 * (asterisk): autolearned entries. The * (asterisk) indicates learned entries. In this case, we recommend that you perform a commit at the end of each operation: after you activate port security and after you enable auto-learning.
  • Page 258 You can overwrite the configuration database with the active database using the port-security database copy vsan command. The port-security database diff active vsan command in EXEC mode lists the differences between the active database and the configuration database. This section includes the following topics:
  • Page 259 Copying the Port Security Database Use the port-security database copy vsan command to copy from the active to the configured database. If the active database is empty, this command is not accepted.
  • Page 260 VSAN. switch# clear port-security database auto-learn interface fc1/1 vsan 1 Use the clear port-security database auto-learn vsan command to clear any learned entries in the active database for the entire VSAN.
  • Page 261 1 -------------------------------------------------------------------------------- Vsan Logging-in Entity Logging-in Point (Interface) -------------------------------------------------------------------------------- 20:85:00:44:22:00:4a:9e (fc3/5) 20:11:00:33:11:00:2a:4a(pwwn) 20:81:00:44:22:00:4a:9e (fc3/1) [Total 2 entries] Displays the Activated Database switch# show port-security database active ----------------------------------------------------------------------------------------
  • Page 262 20:85:00:44:22:00:4a:9e vsan 1 Any port can login thru' this fwwn Displays the Configured fWWN Port Security in VSAN 1 switch# show port-security database fwwn 20:01:00:05:30:00:95:de vsan 1 20:00:00:0c:88:00:4a:e2(swwn)
  • Page 263 Violations in the Port Security Database). Displays the Violations in the Port Security Database switch# show port-security violations ------------------------------------------------------------------------------------------ VSAN Interface Logging-in Entity Last-Time [Repeat count] ------------------------------------------------------------------------------------------ fc1/13 21:00:00:e0:8b:06:d9:1d(pwwn) 9 08:32:20 2003 [20] 20:00:00:e0:8b:06:d9:1d(nwwn)
  • Page 264 The following table lists the default settings for all port security features in any switch. Table 23: Default Security Settings Parameters Default Auto-learn Enabled if port security is enabled. Port security Disabled Distribution Disabled. Note Enabling distribution enables it on all VSANs in the switch.
  • Page 265 (HBA) details of all the hosts connected in the fabric. Note In Cisco MDS NX-OS Release 6.2(9), the FC management feature is disabled by default. To enable FC management feature, use the fc-management enable command.
  • Page 266 The FC-management security feature has the following configuration guidelines: • When the FC-management security feature is enabled on a Cisco MDS switch, all management queries to the server are rejected unless the port world-wide name (pWWN) of the device that is sending management queries is added to FC-management database.
  • Page 267 To verify whether the FC-management security feature is enabled, use the show fc-management status command: switch# show fc-management status Mgmt Security Disabled Default Settings The following table lists the default settings for the FC management security feature in a Cisco MDS 9000 Family switch. Table 24: Default FC Management Settings Parameters Default...
  • Page 268 Configuring Fibre Channel Common Transport Management Security Default Settings
  • Page 269 C H A P T E R Configuring Fabric Binding This chapter describes the fabric binding feature provided in the Cisco MDS 9000 Series Switches. It includes the following sections: • About Fabric Binding , on page 251 • Fabric Binding Configuration, on page 252 •...
  • Page 270 IDs to be part of the fabric binding active database. In a Fibre Channel VSAN, only the sWWN is required; the domain ID is optional. Note All switches in a Fibre Channel VSAN using fabric binding must be running Cisco MDS SAN-OS Release 3.0(1) and NX-OS Release 4.1(1b) or later. Fabric Binding Configuration To configure fabric binding in each switch in the fabric, follow these steps:
  • Page 271 The fabric binding feature must be enabled in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled in all switches in the Cisco MDS 9000 Family. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch.
  • Page 272 Exits the fabric binding submode. Configuring Switch WWN List for a Fibre Channel VSAN To configure a list of sWWNs and optional domain IDs for a Fibre Channel VSAN, follow these steps:
  • Page 273 For example, one of the already logged in switches may be denied login by the config-database. You can choose to forcefully override these situations.
  • Page 274 Activates the fabric binding database for the specified VSAN forcefully—even if the configuration is not acceptable. Step 3 switch(config)# no fabric-binding activate vsan 3 force (Optional) Reverts to the previously configured state or to the factory default (if no state is configured).
  • Page 275 Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN. switch(config)# no fabric-binding database vsan 10 Verifying Fabric Binding Configurations Use the show commands to display all fabric binding information configured on this switch (see the following examples).
  • Page 276 61 -------------------------------------------------- Vsan Logging-in Switch WWN Domain-id -------------------------------------------------- 21:00:05:30:23:1a:11:03 0x19(25) 21:00:05:30:23:11:11:11 0x66(102) 20:00:00:05:30:00:2a:1e 0xef(239) [Local] [Total 3 entries] Displays Fabric Binding Statistics switch# show fabric-binding statistics Statistics For VSAN: 1
  • Page 277 VSAN 1 :Activated database VSAN 4 :No Active database VSAN 61 :Activated database VSAN 345 :No Active database VSAN 346 :No Active database VSAN 347 :No Active database
  • Page 278 -> Transmitted : 0 , Received : 0 Merge Rejects -> Transmitted : 0 , Received : 0 Merge Busy -> Transmitted : 0 , Received : 0 Merge Errors -> Transmitted : 0 , Received : 0
  • Page 279 Configuring Fabric Binding Default Settings Default Settings The following table lists the default settings for the fabric binding feature. Table 26: Default Fabric Binding Settings Parameters Default Fabric binding Disabled
  • Page 280 Configuring Fabric Binding Default Settings
  • Page 281 Configuring Cisco TrustSec Fibre Channel Link Encryption This chapter provides an overview of the Cisco TrustSec Fibre Channel (FC) Link Encryption feature and describes how to configure and set up link-level encryption between switches. The chapter includes the following sections: •...
  • Page 282 9-12, 25-28, 41-44 base ports, and 57-60, 73-76 and 89-92 LEM ports as applicable. Enabling Cisco TrustSec FC Link Encryption By default, the FC-SP feature and the Cisco TrustSec FC Link Encryption feature are disabled in all switches in the Cisco MDS 9000 Family.
  • Page 283 Example Configuring the Cisco TrustSec FC Link Encryption feature requires the ENTERPRISE_PKG license. For more information, refer to the Cisco MDS 9000 Family NX-OS Licensing Guide. Setting Up Security Associations To perform encryption between the switches, a security association (SA) needs to be set up. An administrator manually configures the SA before the encryption can take place.
  • Page 284 Running System Information, on page 270. Note Cisco TrustSec FC Link Encryption is currently supported only on DHCHAP on and off modes. Setting Up Security Association Parameters To set up the SA parameters, such as keys and salt, follow these steps:...
  • Page 285 Note Selecting a portchannel will apply the configuration on all members of the portchannel. If SA is not configured in the ingress port, then running this command returns an error message.
  • Page 286 Enters the ESP configuration submode to configure the ESP settings on each port. Step 4 switch(config-if-esp)# mode gcm If SA is not configured in the egress port, then running this command returns an error message.
  • Page 287 • Only ISLs with FC-SP port mode turned on and available on ESP capable switches or blades are displayed. • You can modify an existing ESP configuration provided the selected ISLs are enabled.
  • Page 288 Viewing Cisco TrustSec FC Link Encryption Information Viewing Cisco TrustSec FC Link Encryption Information You can view information about the Cisco TrustSec FC Link Encryption feature using the show commands Fabric Manager or Device Manager. This section covers the following topics: Viewing FC-SP Interface Information Use the show fcsp interface command to show all FC-SP-related information for a specific interface.
  • Page 289 FC-SP ESP SPI Mismatched frames:0 FC-SP ESP Auth failed frames:0 Cisco TrustSec FC Link Encryption Best Practices Best practices are the recommended steps that should be taken to ensure the proper operation of Cisco TrustSec FC Link Encryption. This section covers the following topics:...
  • Page 290 257 Step 5 Remove the previously configured ingress SA from both the switches. switch# configure terminal switch(config)# interface fc1/1 switch(config-if)# fcsp esp manual switch(config-if)# no ingress-sa 256