The standard software package that is bundled at no charge with Cisco MDS 9000 Family multilayer switches includes the base set of features that Cisco believes are required by most customers for building a storage area network (SAN). The Cisco MDS 9000 Family also has a set of advanced traffic-engineering and advanced security features that are recommended for all enterprise SANs. These features are bundled together in the Cisco MDS 9000 Family Enterprise Package.
Inter-VSAN Routing (IVR)
IVR allows selective transfer of data traffic between specific initiators and targets on different virtual SANs (VSANs) without merging VSANs into a single logical fabric. Fiber Channel control traffic does not flow between VSANs, nor can initiators access resources except the ones designated with IVR. In this way, IVR facilitates sharing of resources across VSANs without compromising the VSAN benefits of scalability, reliability, availability, and network security. IVR also works across WANs over the Fiber Channel Interface Protocol (FCIP). IVR can be used in conjunction with FCIP to create more efficient business-continuity and disaster-recovery solutions.
Small Computer System Interface (SCSI) flow statistics
Logical unit number (LUN)-level SCSI flow statistics are collected for any combination of initiator and target. The scope of these statistics includes read, write, and error statistics.
Switch-switch and host-switch authentication
Fiber Channel Security Protocol (FC-SP) capabilities in Cisco MDS 9000 NX-OS provide switch-switch and host-switch authentication. This feature helps eliminate disruptions that may occur because of unauthorized devices connecting to a large enterprise fabric.
This feature locks down the mapping of an entity to a switch port. The entity can be a host, target, or switch and is identified by its WWN. This feature helps ensure that SAN security is not compromised by connection of unauthorized devices to a switch port.
VSAN-based access control
This feature allows customers to define roles in which the scope of the roles is limited to certain VSANs. For example, a network administrator role can be set up to allow configuration of all platform-specific capabilities, and VSAN-administrator roles can be set up to allow configuration and management of only specific VSANs. VSAN-based access control reduces SAN disruptions by localizing the effects of user errors to the VSANs for which the user has administrative privileges.
IP Security (IPsec)
The proven IETF standard IPsec capabilities offer secure authentication, data encryption for privacy, and data integrity. Internet Key Exchange Version 1 (IKEv1) and IKEv2 protocols are used to dynamically set up the security associations for IPsec using preshared keys for remote-side authentication.
Digital certificates are issued by a trusted third party and are used as electronic passports to prove the identity of certificate owners. After the owner's identity is verified by the trusted third party, the certificate uses the owner's public encryption key to protect identity data contained in the certificate. On the Cisco MDS 9000 Family platform, digital certificates apply to IKE as well as to Secure Shell (SSH).
Fabric binding for open systems
Fabric binding helps ensure that Inter-Switch Links (ISLs) are enabled between switches that have been authorized in the fabric binding configuration. This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations.
Cisco TrustSec Fiber Channel Link Encryption
Cisco TrustSec Fiber Channel Link Encryption helps ensure data integrity and privacy. Cisco TrustSec Fiber Channel Link Encryption is an extension of the Fiber Channel Security Protocol (FC-SP) feature and uses the existing FC-SP architecture. The encryption algorithm is 128-bit Advanced Encryption Standard (AES) and enables either AES Galois Counter Mode (GCM) or AES Galois Message Authentication Mode (GMAC) for an interface. AES-GCM mode provides encryption and authentication of the frames, and AES-GMAC provides the authentication of the frames that are being passed between the two E-ports.
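The difference between the two modes described above, as an added Go example using the standard library's AES-128-GCM (not Cisco code and not the FC-SP frame format): GCM hides and authenticates the payload, while GMAC only produces a tag over a frame that stays in cleartext. The function names, key, nonces and frame bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// newGCM builds an AES-GCM AEAD; a 16-byte key selects AES-128.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a 16-byte-block cipher such as AES
	return aead
}

// gcmProtect encrypts payload and authenticates header+payload; a nonce must never repeat under one key.
func gcmProtect(key, nonce, header, payload []byte) []byte {
	return newGCM(key).Seal(nil, nonce, payload, header)
}

// gcmOpen decrypts and verifies; ok is false if header or ciphertext was altered.
func gcmOpen(key, nonce, header, sealed []byte) ([]byte, bool) {
	pt, err := newGCM(key).Open(nil, nonce, sealed, header)
	return pt, err == nil
}

// gmacTag is GCM with an empty plaintext: the frame is only authenticated, never encrypted.
func gmacTag(key, nonce, frame []byte) []byte {
	return newGCM(key).Seal(nil, nonce, nil, frame)
}

// gmacVerify recomputes the tag over the cleartext frame and compares it.
func gmacVerify(key, nonce, frame, tag []byte) bool {
	_, err := newGCM(key).Open(nil, nonce, tag, frame)
	return err == nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed key, not a real secret
	n1, n2 := make([]byte, 12), append(make([]byte, 11), 1)
	hdr, pl := []byte("constructed header"), []byte("constructed payload")
	fmt.Printf("GCM : %x\n", gcmProtect(key, n1, hdr, pl))
	fmt.Printf("GMAC: %x\n", gmacTag(key, n2, append(hdr, pl...)))
}
```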
- Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP)