Implementing Ipsec With Cas And Digital Certificates - Cisco AP776A - Nexus Converged Network Switch 5020 Configuration Manual

Cisco mds 9000 family cli configuration guide - release 4.x (ol-18084-01, february 2009)
IPsec Digital Certificate Support
Send documentation comments to mds-feedback-doc@cisco.com

Figure 37-2 Two IPsec Switches Without CAs and Digital Certificates (figure not reproduced; the original labels the traffic as "Cleartext data" and "Encrypted data")

Every time a new switch is added to the IPsec network, you must configure keys between the new switch and each of the existing switches. (In Figure 37-3, four additional two-part key configurations are required to add a single encrypting switch to the network.) Consequently, the more devices that require IPsec services, the more involved the key administration becomes. This approach does not scale well for larger, more complex encrypting networks.

Figure 37-3 Four IPsec Switches Without a CA and Digital Certificates (figure not reproduced)

Implementing IPsec with CAs and Digital Certificates

With CA and digital certificates, you do not have to configure keys between all the encrypting switches.
Instead, you individually enroll each participating switch with the CA, requesting a certificate for the
switch. When this has been accomplished, each participating switch can dynamically authenticate all the
other participating switches. When two devices want to communicate, they exchange certificates and
digitally sign data to authenticate each other. When a new device is added to the network, you simply
enroll that device with a CA, and none of the other devices needs modification. When the new device
attempts an IPsec connection, certificates are automatically exchanged and the device can be
authenticated.
Figure 37-4 shows the process of dynamically authenticating the devices.

Cisco MDS 9000 Family CLI Configuration Guide, OL-18084-01, Cisco MDS NX-OS Release 4.x
Chapter 37 Configuring IPsec Network Security
37-8
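The enrollment and mutual-authentication flow described above, as an added Go example (this is not code from the Cisco guide or from NX-OS; it uses only Go's standard library and models the switches and the CA as in-memory objects). Assumptions: Ed25519 keys and X.509 certificates are minted in-process; the names "example-ca", "switch-a", "switch-b" and "not-enrolled" are placeholders; a verifier-chosen nonce signed by the peer stands in for IKE's signed authentication payload; and PairwiseKeys counts the two-part key configurations the pre-shared-key model needs, for comparison with one enrollment per switch in the CA model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Switch models one IPsec peer (or the CA): a private key and the certificate bound to it.
type Switch struct {
	Name string
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// PairwiseKeys: two-part key configurations a pre-shared-key network of n switches needs.
func PairwiseKeys(n int) int { return n * (n - 1) / 2 }

// mint generates an Ed25519 key and a short-lived certificate for it; with parent == nil
// the certificate is self-signed, otherwise the signer's key issues it under parent.
func mint(name string, serial int64, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewCA builds the self-signed root every switch will enroll with ("example-ca" is a placeholder).
func NewCA() (*Switch, error) {
	key, cert, err := mint("example-ca", 1, true, nil, nil)
	return &Switch{"example-ca", key, cert}, err
}

// Enroll issues a CA-signed certificate to one new switch; no existing switch is touched.
func Enroll(ca *Switch, name string, serial int64) (*Switch, error) {
	key, cert, err := mint(name, serial, false, ca.Cert, ca.Key)
	return &Switch{name, key, cert}, err
}

// Authenticate is one direction of the mutual check: verifier validates peer's certificate
// against the CA, then challenges peer to prove it holds the matching private key (the
// signed nonce stands in for IKE's signed authentication payload).
func Authenticate(verifier, peer, ca *Switch) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Cert.Verify(opts); err != nil {
		return fmt.Errorf("%s rejects certificate of %s: %w", verifier.Name, peer.Name, err)
	}
	nonce := make([]byte, 32) // fresh challenge chosen by the verifier
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig := ed25519.Sign(peer.Key, nonce) // peer's side: sign the challenge
	pub, ok := peer.Cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("%s: signature from %s does not match its certificate", verifier.Name, peer.Name)
	}
	return nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	a, _ := Enroll(ca, "switch-a", 2)
	b, _ := Enroll(ca, "switch-b", 3)
	rk, rc, _ := mint("not-enrolled", 99, false, nil, nil) // self-signed, never enrolled
	rogue := &Switch{"not-enrolled", rk, rc}
	fmt.Println(Authenticate(a, b, ca), Authenticate(b, a, ca), Authenticate(a, rogue, ca))
	fmt.Println("pre-shared keys for 4 and 5 switches:", PairwiseKeys(4), PairwiseKeys(5))
}
```

Running it prints two nil results for the enrolled pair, an unknown-authority error for the self-signed device, and the pairwise counts 6 and 10: adding a fifth switch to four under pre-shared keys costs four new two-part configurations, while under the CA model it costs one enrollment and no change on the other four. The same trust-anchor check also rejects a switch enrolled with a different CA, which is why the CA a fabric trusts must be chosen and protected deliberately.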
