Hi Guys!
Two relatively simple topics this time; again, they are on the blueprint, so we had better know them for our CCIE DC :).
These two protocols are used to ensure that unauthorized devices can't join your fabric. The first (FCSP) can be used for both switch-to-switch and switch-to-host authentication using a password combination.
Let's start with FCSP
FCSP
(For the best reference on FCSP see the following URL: http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/fcspdh.html)
FCSP uses Diffie-Hellman CHAP (DHCHAP) to provide a password-protected method of authenticating one switch to another. This can be done on a switch-to-switch or host-to-switch basis, and it is configured on the actual port facing the other switch.
There are only a few options you really have to worry about: DHCHAP can be configured to use a hash algorithm of SHA or MD5, and you can specify which DH groups to use (0 to 5; you can put them in order of preference, and the same goes for SHA and MD5).
On the interface you can configure it to require authentication, to actively negotiate it but allow the switch to join if it does not support authentication, to not actively negotiate FCSP but respond to it, or to keep FCSP off completely:
(kind of like a LACP port channel!)
switch(config-if)# fcsp ?
auto-active Configure the interface in auto-active authentication mode
auto-passive Configure the interface in auto-passive authentication mode
esp Configure ESP for an interface
off Configure the interface in off authentication mode
on Configure the interface in on authentication mode
FCSP is quite flexible; you can use it with RADIUS if you desire, via AAA methods:
switch(config)# aaa authentication ?
dhchap Configure methods for dhchap
It also supports a local database of passwords, and you can have differing passwords for each switch you connect to, which we will go through :)
Ok, so now we have the basic theory behind it, let's configure it!
First, enable the feature:
switch(config)# feature fcsp
Next, go to your interface, shut it down and enable FCSP on the interface. We will then configure all the password info and THEN bring the interface up.
Because the password stuff can get a little confusing, I am going to show an example first where I won't use proper WWNs, to make the concept easier to understand :)
Take the config from Switch1 and Switch2 below:
Switch1:
fcsp dhchap password 7 f1wh0 20:00:00:0d:ec:2b:3c:40
fcsp dhchap devicename 20:00:00:0d:ec:2b:3c:40 password 7 wkWbatxm2
Switch2:
fcsp dhchap password 7 wkWbatxm2 20:00:00:0d:ec:2d:4f:40
fcsp dhchap devicename 20:00:00:0d:ec:2d:4f:40 password 7 f1wh0
Kind of complicated to understand, right? And the password 7 sure doesn't help ;)
Let's see if we can make it a bit clearer.
Let's call Switch1 AA:AA and Switch2 BB:BB, and now look at the config:
Switch1:
fcsp dhchap password 7 f1wh0 BB:BB
fcsp dhchap devicename BB:BB password 7 wkWbatxm2
Switch2:
fcsp dhchap password 7 wkWbatxm2 AA:AA
fcsp dhchap devicename AA:AA password 7 f1wh0
So now, if you look at this line on Switch1:
fcsp dhchap password 7 f1wh0 BB:BB
This line is saying: "When switch BB:BB connects to me, I expect it to send the password 7 f1wh0."
This next line:
fcsp dhchap devicename BB:BB password 7 wkWbatxm2
has the switch saying: "When I send an authentication message to switch BB:BB, use the password 7 wkWbatxm2."
If we then look at the config on Switch2, what does it say?
fcsp dhchap password 7 wkWbatxm2 AA:AA
I.e. "When switch AA:AA connects to me, I expect to see the password 7 wkWbatxm2."
fcsp dhchap devicename AA:AA password 7 f1wh0
"When I connect to switch AA:AA, I will send the password 7 f1wh0."
Make sense? Hopefully!
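Whichever way round you read the two commands, the entries on the two switches have to pair up: the `fcsp dhchap password ... <peer WWN>` line on one switch must carry the same string as the `fcsp dhchap devicename <that switch's WWN> password ...` line on the other, and vice versa. A mismatch is the most common reason the interface never reaches "Successfully authenticated". Below is an added example (my own code, not from the post or from Cisco) that parses the two switches' DHCHAP lines and reports any pairing problems; it uses the AA:AA / BB:BB shorthand from above as constructed sample data, and it assumes that a device-specific `password` entry takes precedence over the non-device-specific one.

```python
import re

# Constructed sample using the post's AA:AA / BB:BB shorthand in place of real switch WWNs.
SWITCH1_WWN = "AA:AA"
SWITCH2_WWN = "BB:BB"

SWITCH1_CONFIG = """\
fcsp dhchap password 7 f1wh0 BB:BB
fcsp dhchap devicename BB:BB password 7 wkWbatxm2
"""

SWITCH2_CONFIG = """\
fcsp dhchap password 7 wkWbatxm2 AA:AA
fcsp dhchap devicename AA:AA password 7 f1wh0
"""

# 'fcsp dhchap password [0|7] <pw> [<peer wwn>]'; no WWN means the non-device-specific entry.
PASSWORD_RE = re.compile(
    r"^fcsp dhchap password (?:(?P<type>[07]) )?(?P<pw>\S+)(?: (?P<wwn>\S+))?$")
# 'fcsp dhchap devicename <peer wwn> password [0|7] <pw>'
DEVICENAME_RE = re.compile(
    r"^fcsp dhchap devicename (?P<wwn>\S+) password (?:(?P<type>[07]) )?(?P<pw>\S+)$")


def parse_dhchap(config):
    """Split one switch's DHCHAP lines into two maps keyed by peer WWN (None = no WWN given):
    local   -> (type, pw) from 'fcsp dhchap password ...'
    devices -> (type, pw) from 'fcsp dhchap devicename ...'"""
    local, devices = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = PASSWORD_RE.match(line)
        if m:
            local[m.group("wwn")] = (m.group("type") or "0", m.group("pw"))
            continue
        m = DEVICENAME_RE.match(line)
        if m:
            devices[m.group("wwn")] = (m.group("type") or "0", m.group("pw"))
    return local, devices


def check_pairing(a_wwn, a_config, b_wwn, b_config):
    """Return a list of problems with the A<->B password pairing (empty list = consistent).

    A's 'password ... <B>' entry must equal B's 'devicename <A> password ...' entry, and the
    same in the other direction. Strings are compared literally, so feed it type 0 (clear
    text) config or make sure both sides carry identical type 7 strings.
    Assumption: a device-specific 'password' entry wins over the non-device-specific one."""
    a_local, a_devices = parse_dhchap(a_config)
    b_local, b_devices = parse_dhchap(b_config)
    problems = []
    for src, src_local, dst, dst_devices in ((a_wwn, a_local, b_wwn, b_devices),
                                             (b_wwn, b_local, a_wwn, a_devices)):
        src_pw = src_local.get(dst, src_local.get(None))
        dst_pw = dst_devices.get(src)
        if src_pw is None:
            problems.append(f"{src}: no 'fcsp dhchap password' entry usable for peer {dst}")
        elif dst_pw is None:
            problems.append(f"{dst}: no 'fcsp dhchap devicename {src} password' entry")
        elif src_pw != dst_pw:
            problems.append(f"{src} 'password' for {dst} ({src_pw[1]}) != "
                            f"{dst} 'devicename {src}' password ({dst_pw[1]})")
    return problems


if __name__ == "__main__":
    for p in check_pairing(SWITCH1_WWN, SWITCH1_CONFIG, SWITCH2_WWN, SWITCH2_CONFIG) or ["OK"]:
        print(p)
```

Run it against the `show running-config | include dhchap` output of both switches, substituting the real switch WWNs for AA:AA and BB:BB; an empty result means the two databases agree.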
Now it's important to note that the WWN these password entries expect to see is the SWITCH WWN, because FCSP is not VSAN-specific, so it's crucial you obtain the correct WWN with:
Switch1(config)# show wwn switch
Switch WWN is 20:00:00:0d:ec:2d:4f:40
This is crucial for FCSP! (Hence why I made it big and Red :))
Here is how to verify:
Switch1(config)# show fcsp dhchap
Supported Hash algorithms (in order of preference):
DHCHAP_HASH_MD5
DHCHAP_HASH_SHA_1
Supported Diffie Hellman group ids(in order of preference):
DHCHAP_GROUP_NULL
DHCHAP_GROUP_1536
DHCHAP_GROUP_1024
DHCHAP_GROUP_1280
DHCHAP_GROUP_2048
Switch1(config)# show fcsp dhchap database
DHCHAP Local Password:
Non-device specific password:*****
Password for device with WWN:20:00:00:0d:ec:2b:3c:40 is *****
Other Devices' Passwords:
Password for device with WWN:20:00:00:0d:ec:2b:3c:40 is *********
Switch1(config)# show fcsp interface fc1/14
fc1/14:
fcsp authentication mode:SEC_MODE_ON
Status:Successfully authenticated
Authenticated using local password database
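Since the auto modes let a peer join even when it never authenticates, the interesting ports are the ones where FCSP is enabled but the status is anything other than "Successfully authenticated", plus any inter-switch port left at off. Below is an added example (my own code, not from the post) that parses multi-interface `show fcsp interface` output in the layout shown above and flags those cases; the sample is constructed, and the SEC_MODE_* names for the other modes and the non-success Status text are assumptions rather than copied from a switch.

```python
import re

# Constructed sample in the layout of 'show fcsp interface' from the post. The SEC_MODE_* names
# for the non-"on" modes and the non-success Status text are assumptions, not switch output.
SAMPLE = """\
fc1/14:
fcsp authentication mode:SEC_MODE_ON
Status:Successfully authenticated
Authenticated using local password database
fc1/15:
fcsp authentication mode:SEC_MODE_AUTO_ACTIVE
Status:Authentication not performed
fc1/16:
fcsp authentication mode:SEC_MODE_OFF
Status:Authentication not performed
"""

IFACE_RE = re.compile(r"^(fc\d+/\d+):\s*$")


def parse_fcsp_interfaces(output):
    """Return {interface: {"mode": ..., "status": ...}} from 'show fcsp interface' output."""
    result, current = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {"mode": None, "status": None})
            continue
        if current is None:
            continue
        if line.startswith("fcsp authentication mode:"):
            current["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Status:"):
            current["status"] = line.split(":", 1)[1].strip()
    return result


def audit_fcsp(output, isl_ports):
    """Return (interface, reason) pairs worth a look:
    - FCSP enabled in any mode but the peer did not authenticate successfully (in the auto
      modes the link still comes up, which is exactly what you want to notice);
    - an inter-switch port listed in isl_ports that has FCSP switched off altogether."""
    findings = []
    for name, info in sorted(parse_fcsp_interfaces(output).items()):
        if info["mode"] == "SEC_MODE_OFF":
            if name in isl_ports:
                findings.append((name, "FCSP off on an inter-switch link"))
        elif info["status"] != "Successfully authenticated":
            findings.append((name, f"{info['mode']} but status is {info['status']!r}"))
    return findings


if __name__ == "__main__":
    for iface, reason in audit_fcsp(SAMPLE, {"fc1/14", "fc1/15", "fc1/16"}):
        print(f"{iface}: {reason}")
```

The set of inter-switch ports is something you supply from your own fabric documentation; the script cannot tell an ISL from a host-facing port by itself.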
Fabric Binding
Fabric Binding is luckily a simpler topic. Basically, all it is is a database of SWWNs that are allowed to join the fabric. Note that you have to include your own SWWN in it (duh). It is also distributed via the fabric: you just need to configure it on one device and then activate it for all devices to get a copy. HOWEVER, there is no enhanced mode etc., so you won't be able to distribute the full database; think of it like basic zoning.
switch(config)# feature fabric-binding
switch(config)# fabric-binding database vsan 1
switch(config-fabric-binding)# swwn 20:00:00:0d:ec:2d:4f:40
switch(config-fabric-binding)# swwn 20:00:00:0d:ec:2b:3c:40
Note: the best way to determine what to place into the swwn entries is the usual command:
show wwn switch
Once this is done, you need to activate it:
Switch1(config)# fabric-binding activate vsan 1
You can see whether there were violations or errors as below:
Switch1# show fabric-binding violations
-------------------------------------------------------------------------------
VSAN Switch WWN [domain] Last-Time [Repeat count] Reason
-------------------------------------------------------------------------------
1 20:00:00:0d:ec:2b:3c:40 [*] Aug 30 11:37:06 1981 [2] sWWN not found
1 20:00:00:0d:ec:2b:3c:40 [*] Aug 30 11:38:24 1981 [1] Database mismatch
[Total 2 entries]
IMPORTANT NOTE: This output shows you the HISTORY of all the violations that have ever occurred, so be sure to keep an eye on the TIME that each violation occurred; it's not a list of current violations. Another useful command is to display the fabric binding statistics:
Switch2(config-if)# show fabric-binding efmd statistics
EFMD Protocol Statistics for VSAN 1
----------------------------------------
Merge Requests -> Transmitted : 3 , Received : 2
Merge Accepts -> Transmitted : 1 , Received : 1
Merge Rejects -> Transmitted : 1 , Received : 1
Merge Busy -> Transmitted : 0 , Received : 0
Merge Errors -> Transmitted : 0 , Received : 0
By shutting/no shutting interfaces and watching these counters, you get a slightly more reliable way to determine whether there has been a fabric-binding violation.
Also, you can see that the database has been distributed over the fabric:
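Because `show fabric-binding violations` is a history rather than a current-state view, the practical check is to parse the Last-Time column and only alert on entries newer than the last time you looked, while treating timestamps that are decades off the switch clock (like the 1981 dates above, where the clock was evidently never set) as unusable for triage. Below is an added example (my own code, not from the post) that does both over constructed sample output in the format shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of 'show fabric-binding violations' as shown in the post.
SAMPLE = """\
-------------------------------------------------------------------------------
VSAN Switch WWN [domain] Last-Time [Repeat count] Reason
-------------------------------------------------------------------------------
1 20:00:00:0d:ec:2b:3c:40 [*] Aug 30 11:37:06 1981 [2] sWWN not found
1 20:00:00:0d:ec:2b:3c:40 [*] Aug 30 11:38:24 1981 [1] Database mismatch
[Total 2 entries]
"""

ROW_RE = re.compile(
    r"^\s*(?P<vsan>\d+)\s+"
    r"(?P<wwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})\s+"
    r"\[(?P<domain>[^\]]*)\]\s+"
    r"(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"\[(?P<repeat>\d+)\]\s+"
    r"(?P<reason>.*?)\s*$")


def parse_violations(output):
    """Parse the table rows; headers, rulers and the '[Total N entries]' trailer are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        # Collapse runs of spaces so a single-digit day ('Aug  3') parses the same way.
        stamp = datetime.strptime(" ".join(m.group("time").split()), "%b %d %H:%M:%S %Y")
        rows.append({
            "vsan": int(m.group("vsan")),
            "wwn": m.group("wwn").lower(),
            "domain": m.group("domain"),
            "last_time": stamp,
            "repeat": int(m.group("repeat")),
            "reason": m.group("reason"),
        })
    return rows


def recent_violations(output, now, max_age):
    """Entries whose Last-Time falls within max_age before 'now' (the switch's own clock)."""
    return [r for r in parse_violations(output)
            if timedelta(0) <= now - r["last_time"] <= max_age]


def untrusted_timestamps(output, now, max_skew=timedelta(days=365)):
    """Entries dated far from 'now': the clock was probably unset when they were logged,
    so their age says nothing about whether the violation is current."""
    return [r for r in parse_violations(output) if abs(now - r["last_time"]) > max_skew]


if __name__ == "__main__":
    clock = datetime(1981, 8, 30, 11, 40, 0)   # constructed 'show clock' value for the sample
    for r in recent_violations(SAMPLE, clock, timedelta(minutes=5)):
        print(f"vsan {r['vsan']} {r['wwn']} x{r['repeat']}: {r['reason']} at {r['last_time']}")
```

Feed `now` from the switch's `show clock` rather than the collector's clock, otherwise every entry on a switch with an unset clock will look ancient and get dropped.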
Switch1# show fabric-binding database active
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
1 20:00:00:0d:ec:2d:4f:40 0x1(1) [Local]
1 20:00:00:0d:ec:2b:3c:40 Any
Switch1 itself doesn't have a database configured, but the active database is there, just like in Fibre Channel zoning:
Switch1# show fabric-binding database
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
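Two things go wrong with fabric binding in practice: a malformed or missing SWWN in the database (including forgetting your own, which the post warns about), and the active database that actually got distributed not matching the allow-list you meant to activate. Below is an added example (my own code, not from the post or from Cisco) that builds the database config from the configuration steps above, always including the local SWWN taken from `show wwn switch`, and then audits `show fabric-binding database active` output against the intended list. The sample outputs are constructed in the formats shown in the post, and the script assumes a single VSAN per audit.

```python
import re

WWN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")

# Constructed sample outputs in the formats shown in the post.
SHOW_WWN_SWITCH = "Switch WWN is 20:00:00:0d:ec:2d:4f:40\n"
SHOW_DB_ACTIVE = """\
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
1 20:00:00:0d:ec:2d:4f:40 0x1(1) [Local]
1 20:00:00:0d:ec:2b:3c:40 Any
"""


def local_switch_wwn(show_wwn_switch):
    """Pull the switch WWN out of 'show wwn switch' output."""
    m = re.search(r"Switch WWN is\s+(\S+)", show_wwn_switch)
    if not m or not WWN_RE.match(m.group(1)):
        raise ValueError("no switch WWN found in 'show wwn switch' output")
    return m.group(1).lower()


def fabric_binding_config(vsan, local_swwn, peer_swwns):
    """NX-OS lines for a fabric-binding database that always includes the local switch,
    so activating it cannot exclude the switch you are configuring it on."""
    entries = []
    for w in [local_swwn, *peer_swwns]:
        if not WWN_RE.match(w):
            raise ValueError(f"malformed switch WWN: {w!r}")
        if w.lower() not in entries:          # duplicates are harmless but noisy
            entries.append(w.lower())
    lines = ["feature fabric-binding", f"fabric-binding database vsan {vsan}"]
    lines += [f"  swwn {w}" for w in entries]
    lines += ["exit", f"fabric-binding activate vsan {vsan}"]
    return lines


def parse_active_database(show_db_active):
    """Map SWWN -> Domain-id column from 'show fabric-binding database active' (one VSAN)."""
    found = {}
    for line in show_db_active.splitlines():
        m = re.match(r"^\s*(\d+)\s+((?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})\s+(\S+)", line)
        if m:
            found[m.group(2).lower()] = m.group(3)
    return found


def audit_active_database(show_db_active, expected_swwns):
    """Compare the distributed active database with the allow-list you intended to activate."""
    active = set(parse_active_database(show_db_active))
    expected = {w.lower() for w in expected_swwns}
    return {"missing": sorted(expected - active), "unexpected": sorted(active - expected)}


if __name__ == "__main__":
    me = local_switch_wwn(SHOW_WWN_SWITCH)
    print("\n".join(fabric_binding_config(1, me, ["20:00:00:0d:ec:2b:3c:40"])))
    print(audit_active_database(SHOW_DB_ACTIVE, [me, "20:00:00:0d:ec:2b:3c:40"]))
```

Anything in `unexpected` is an SWWN that some other switch merged into the active database without it being on your list, which is worth chasing before you trust the fabric; anything in `missing` will generate the "sWWN not found" violations shown earlier once that switch tries to join.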
As usual, you can copy it into the config if you desire:
Switch1# fabric-binding database ?
copy Copy active to config database
diff Difference in fabric-binding database
Switch1# fabric-binding database copy vsan 1
The FCSP info is backwards. The 'password' command specifies what password to send to remove devices. The 'devicename' command specifies what password should be used to authenticate the requests from other switches.
Need to modify the MTU >2300 if using FCSP??