Cisco MDS 9000 Series Configuration Manual page 192

Security
Configuring IPSec Network Security
Implementing IPsec with CAs and Digital Certificates
using IPsec services. Also, each new device added to the fabric will require manual configuration of the other
switches in the fabric to support secure communication. Each switch (see Figure 10: Two IPsec Switches Without
CAs and Digital Certificates, on page 174) uses the key of the other switch to authenticate the identity
of the other switch; this authentication always occurs when IPsec traffic is exchanged between the two switches.
If you have multiple Cisco MDS switches in a mesh topology and wish to exchange IPsec traffic passing
among all of those switches, you must first configure shared keys or RSA public keys among all of those
switches.
Figure 10: Two IPsec Switches Without CAs and Digital Certificates
Every time a new switch is added to the IPsec network, you must configure keys between the new switch and
each of the existing switches. (In Figure 11: Four IPsec Switches Without a CA and Digital Certificates, on
page 174, four additional two-part key configurations are required to add a single encrypting switch to the
network.)
Consequently, the more devices that require IPsec services, the more involved the key administration becomes.
This approach does not scale well for larger, more complex encrypting networks.
Figure 11: Four IPsec Switches Without a CA and Digital Certificates
Implementing IPsec with CAs and Digital Certificates
With CA and digital certificates, you do not have to configure keys between all the encrypting switches.
Instead, you individually enroll each participating switch with the CA, requesting a certificate for the switch.
When this has been accomplished, each participating switch can dynamically authenticate all the other
participating switches. When two devices want to communicate, they exchange certificates and digitally sign
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
174
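
The enrollment model described above, as an added example that is not taken from the Cisco guide: OpenSSL stands in for the CA and for each switch's enrollment step (it is not the switch CLI), and the names Example-Fabric-CA, sw1 to sw3 and rogue are constructed. It shows that a switch enrolled later is accepted by a peer that holds only the CA certificate, while a certificate that was never enrolled is rejected.

```shell
#!/bin/sh
# Added illustration of CA-based peer authentication; all names are constructed.
# Each function works inside the directory named by $WORK.

make_ca() {      # one-time: CA key pair and self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example-Fabric-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

enroll() {       # $1 = switch name: key pair and CSR, then the CA signs it
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

self_signed() {  # $1 = name: a certificate that was never enrolled with the CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

peer_trusted() { # $1 = peer name: the verifier needs ca.crt only, no per-peer key
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

run_demo() {
    WORK=$(mktemp -d) || return 1
    rc=1
    # sw1 and sw2 enroll; sw3 joins later with a single enrollment and is
    # accepted without touching sw1 or sw2; the unenrolled device is refused.
    if make_ca && enroll sw1 && enroll sw2 && peer_trusted sw2 &&
       enroll sw3 && peer_trusted sw3 &&
       self_signed rogue && ! peer_trusted rogue; then
        rc=0
    fi
    rm -rf "$WORK"
    return $rc
}

run_demo && echo "enrolled peers accepted, unenrolled certificate rejected"
```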
