Cisco MDS 9000 SAN-OS Software Release 2.1 Data Sheet
© 2004 Cisco Systems, Inc. All rights reserved.
VSANs are supported across FCIP links between SANs, extending VSANs to include devices at a remote location. The Cisco MDS 9000
Family also implements trunking for VSANs. Trunking allows Inter-Switch Links (ISLs) to carry traffic for multiple VSANs on the same
physical link.
Inter-VSAN Routing
Data traffic can be transported between specific initiators and targets on different VSANs using Inter-VSAN Routing without merging VSANs
into a single logical fabric. Fibre Channel control traffic does not flow between VSANs, nor can initiators access any resources aside from the
ones designated with Inter-VSAN Routing. Valuable resources like tape libraries can be easily shared without compromise. Inter-VSAN
Routing can also be used in conjunction with FCIP to create more efficient business-continuity and disaster-recovery solutions.
Intelligent Fabric Services
The SAN-OS supports intelligent storage services. It forms a solid basis for delivering storage applications such as virtualization, snapshots,
and replication on Cisco MDS 9000 Family switches in the network. Thus, the flexibility of SAN-OS provides future investment protection.
NETWORK SECURITY
Cisco takes a comprehensive approach to network security with SAN-OS. In addition to VSANs, which provide true isolation of SAN-attached
devices, SAN-OS offers numerous additional security features.
Switch and Host Authentication
Fibre Channel Security Protocol (FC-SP) capabilities in the SAN-OS provide switch-to-switch and host-to-switch authentication for
enterprise-wide fabrics. Diffie-Hellman extensions with Challenge Handshake Authentication Protocol (DH-CHAP) are used to perform authentication
locally in the Cisco MDS 9000 Family or remotely through RADIUS or TACACS+. If authentication fails, a switch or host cannot join the
fabric.
IP Security for FCIP and iSCSI
Traffic flowing outside the data center must be protected. The proven IETF standard IP Security (IPsec) capabilities in the SAN-OS offer secure
authentication, data encryption for privacy, and data integrity for both FCIP and iSCSI connections on the Cisco MDS 9000 Family
Multiprotocol Services Module and Cisco MDS 9216i Multilayer Fabric Switch. SAN-OS uses Internet Key Exchange Version 1 (IKEv1) and
IKEv2 protocols to dynamically set up security associations for IPsec using preshared keys for remote-side authentication.
Roles-Based Access Control
The SAN-OS provides roles-based access control (RBAC) for management access of the Cisco MDS 9000 Family command-line interface
(CLI) and Simple Network Management Protocol (SNMP). In addition to the two default roles in the switch, up to 64 user-defined roles can be
configured. Applications using SNMP Version 3 (SNMPv3), such as Cisco Fabric Manager, have full RBAC for switch features managed using
this protocol. The roles describe the access-control policies for various feature-specific commands on one or more VSANs. CLI and SNMP
users and passwords are also shared; only a single administrative account is required for each user.
Port Security and Fabric Binding
Port security locks down the mapping of an entity to a switch port. The entities can be hosts, targets, or switches, each identified by its
worldwide name. This helps ensure that unauthorized devices connecting to the switch port do not disrupt the SAN fabric. Fabric binding extends
port security to enable ISLs only between specified switches.