The standard software package includes the base set of features that are required by most customers for building a storage area network (SAN). The Cisco MDS 9000 Family also has a set of advanced traffic-engineering and advanced security features that are recommended for all enterprise SANs. These features are bundled together in the Cisco MDS 9000 Family Enterprise package.
The Enterprise package includes the following advanced traffic-engineering features:
Inter-VSAN Routing allows selective transfer of data traffic between specific initiators and targets on different virtual SANs (VSANs) without merging VSANs into a single logical fabric. Fibre Channel control traffic does not flow between VSANs, nor can initiators access resources except for the ones designated with Inter-VSAN Routing. Thus, Inter-VSAN Routing facilitates sharing of resources across VSANs without compromising the VSAN benefits of scalability, reliability, availability, and network security. Inter-VSAN Routing also works across WANs over the Fibre Channel Interface Protocol (FCIP), so it can be used in conjunction with FCIP to create more efficient business-continuity and disaster-recovery solutions. With the introduction of Inter-VSAN Routing, Cisco has become the first vendor to provide routing capability for Fibre Channel networks in SAN switches.
The QoS feature in Cisco MDS 9000 Family SAN-OS allows traffic to be classified into four distinct levels for service differentiation. QoS can be applied to help ensure that Fibre Channel data traffic for latency-sensitive applications receives higher priority than traffic for throughput-intensive applications like data warehousing. Zone-based QoS included in the Enterprise package complements the standard QoS data-traffic classification by VSAN ID, N-Port worldwide name, or Fibre Channel identifier (FC-ID). Zone-based QoS helps simplify configuration and administration by using the familiar zoning concept.
The Extended Credits feature allows up to 3500 credits to be assigned to a single Fibre Channel port within a group of 4 Fibre Channel ports. Adding credits extends distances for Fibre Channel SAN extension. This feature is only available on the Cisco MDS 9000 Family Multiprotocol Services Module and Cisco MDS 9216i Multilayer Fabric Switch.
The Enterprise package includes the following enhanced network security features:
Switch-Switch and Host-Switch Authentication - Fibre Channel Security Protocol (FC-SP) capabilities in SAN-OS provide Switch-Switch and Host-Switch Authentication. This helps to eliminate disruptions that may occur because of unauthorized devices connecting to a large enterprise fabric. Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) is used to perform authentication locally in the Cisco MDS or remotely through RADIUS or TACACS+. If authentication fails, a switch or host cannot join the fabric.
Logical Unit Number (LUN) Zoning - Hardware-enforced LUN Zoning helps ensure LUNs are accessible only by specific hosts. Thus, LUN Zoning provides a single point of control for managing access to LUNs across heterogeneous storage subsystems.
Read-Only Zones - The Cisco MDS 9000 Family supports the SCSI command type as a zoning attribute. In conjunction with other zoning attributes, when a SCSI command-type attribute is restricted to SCSI read commands, read-only zones can be created. This feature is especially useful for sharing volumes across servers for read-only operations such as backup and data warehousing.
The Port Security feature locks down the mapping of an entity to a switch port. The entity can be a host, target, or switch and is identified by its worldwide name. This helps to ensure that SAN security is not compromised by unauthorized devices connecting to a switch port.
The VSAN-Based Access Control feature allows customers to define roles where the scope of the roles is limited to certain VSANs. For example, a network administrator role can be set up to allow configuration of all platform-specific capabilities, while VSAN administrator roles can be set up to only allow configuration and management of specific VSANs. VSAN-Based Access Control reduces SAN disruptions by localizing the effects of user errors to the VSANs for which the user has administrative privileges.
IP Security (IPsec) is available for FCIP and Small Computer System Interface Over IP (iSCSI) over Gigabit Ethernet ports on the Multiprotocol Services modules and Cisco MDS 9216i. The proven IETF standard IPsec capabilities offer secure authentication, data encryption for privacy, and data integrity. Internet Key Exchange Version 1 (IKEv1) and IKEv2 protocols are used for dynamically setting up the security associations for IPsec using preshared keys for remote-side authentication.