IPsec Digital Certificate Support
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Figure 44-2
Cleartext
data
Every time a new switch is added to the IPsec network, you must configure keys between the new switch
and each of the existing switches. (In
required to add a single encrypting switch to the network.)
Consequently, the more devices that require IPsec services, the more involved the key administration
becomes. This approach does not scale well for larger, more complex encrypting networks.
Figure 44-3
Implementing IPsec with CAs and Digital Certificates
With CA and digital certificates, you do not have to configure keys between all the encrypting switches.
Instead, you individually enroll each participating switch with the CA, requesting a certificate for the
switch. When this has been accomplished, each participating switch can dynamically authenticate all the
other participating switches. When two devices want to communicate, they exchange certificates and
digitally sign data to authenticate each other. When a new device is added to the network, you simply
enroll that device with a CA, and none of the other devices needs modification. When the new device
attempts an IPsec connection, certificates are automatically exchanged and the device can be
authenticated.
Figure 44-4
Cisco MDS 9000 Family Fabric Manager Configuration Guide
44-8
Two IPsec Switches Without CAs and Digital Certificates
Encrypted data
Figure
Four IPsec Switches Without a CA and Digital Certificates
shows the process of dynamically authenticating the devices.
Chapter 44
Cleartext
data
44-3, four additional two-part key configurations are
OL-17256-03, Cisco MDS NX-OS Release 4.x
Configuring IPsec Network Security