Cisco MDS 9000 Series Configuration Manual page 283

Security
Configuring Cisco TrustSec Fibre Channel Link Encryption
You must explicitly enable the FC-SP feature to access the configuration and verification commands for fabric
authentication and encryption. When you disable this feature, all related configurations are automatically
discarded.
To enable FC-SP for a Cisco MDS switch, follow these steps:
Procedure
Step 1
switch# configure terminal
Enters configuration mode.
Step 2
switch(config)# feature fcsp
Enables the FC-SP feature.
Step 3
switch(config)# no feature fcsp
(Optional) Disables (default) the FC-SP feature in this switch.
Example
Configuring the Cisco TrustSec FC Link Encryption feature requires the ENTERPRISE_PKG license.
For more information, refer to the Cisco MDS 9000 Family NX-OS Licensing Guide.
Setting Up Security Associations
To perform encryption between the switches, a security association (SA) must be set up. An administrator
manually configures the SA before encryption can take place. The SA includes parameters, such as keys
and salt, that are required for encryption. You can set up to 2000 SAs in a switch.
To set up an SA between two switches, follow these steps:
Procedure
Step 1
switch# configure terminal
Enters configuration mode.
Step 2
switch(config)# fcsp esp sa spi_number
Enters SA submode for configuring SAs. The range of spi_number is from 256 to 65536.
Step 3
switch(config)# no fcsp esp sa spi_number
(Optional) Deletes the SA between the switches.
If the specified SA is currently programmed to the ports, this command returns an error saying that the SA is in use.
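
The rules stated in the two procedures above (FC-SP must be enabled before its commands are available, disabling it discards related configuration, spi_number ranges from 256 to 65536, at most 2000 SAs per switch) can be checked against a planned command batch before it is entered on a switch. The Python below is an added example, not Cisco code and not part of the original guide; the function name lint_fcsp_batch and the sample batch are constructed for illustration, and it does not model SAs that are programmed to ports.

```python
import re

SPI_MIN, SPI_MAX, MAX_SAS = 256, 65536, 2000   # limits stated on this page
PROMPT = re.compile(r"^\S+#\s*")               # strips e.g. "switch(config)# "
SA_CMD = re.compile(r"^(no )?fcsp esp sa (\S+)$")

def lint_fcsp_batch(commands):
    """Walk the batch in order; return (SPIs left configured, findings)."""
    enabled, sas, findings = False, set(), []
    for n, raw in enumerate(commands, 1):
        cmd = " ".join(PROMPT.sub("", raw.strip()).split())
        if cmd == "feature fcsp":
            enabled = True
        elif cmd == "no feature fcsp":
            # Disabling the feature discards all related configuration.
            if sas:
                findings.append(f"line {n}: disabling FC-SP discards {len(sas)} SA(s)")
            enabled, sas = False, set()
        elif (m := SA_CMD.match(cmd)):
            negate, arg = m.groups()
            if not enabled:
                findings.append(f"line {n}: FC-SP commands need 'feature fcsp' first")
            elif not arg.isdigit() or not SPI_MIN <= int(arg) <= SPI_MAX:
                findings.append(f"line {n}: SPI {arg} outside {SPI_MIN}-{SPI_MAX}")
            elif negate:
                sas.discard(int(arg))
            elif int(arg) not in sas and len(sas) >= MAX_SAS:
                findings.append(f"line {n}: more than {MAX_SAS} SAs")
            else:
                sas.add(int(arg))
    return sas, findings

# Constructed sample batch (not captured from a real switch).
SAMPLE_BATCH = [
    "switch# configure terminal",
    "switch(config)# feature fcsp",
    "switch(config)# fcsp esp sa 256",
    "switch(config)# fcsp esp sa 100",      # below the allowed range
    "switch(config)# fcsp esp sa 65536",
    "switch(config)# no fcsp esp sa 256",
    "switch(config)# no feature fcsp",      # discards the remaining SA
    "switch(config)# fcsp esp sa 300",      # feature is no longer enabled
]

if __name__ == "__main__":
    remaining, problems = lint_fcsp_batch(SAMPLE_BATCH)
    print("SAs left configured:", sorted(remaining))
    for p in problems:
        print(p)
```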
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x