Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

ManualsBrandsHP ManualsStorageCisco MDS 9513 with Supervisor 2 Director Switch

601

602

603

604

605

606

607

608

609

610

Send feedback to nx5000-docfeedback@cisco.com

44-3

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide

OL-16597-01

Chapter 44 Configuring FC-SP and DHCHAP

DHCHAP

DHCHAP is a mandatory password-based, key-exchange authentication protocol that supports both

switch-to-switch and host-to-switch authentication. DHCHAP negotiates hash algorithms and DH

groups before performing authentication. It supports MD5 and SHA-1 algorithm-based authentication.

To configure DHCHAP authentication using the local password database, perform this task:

Step 1 Enable DHCHAP.

Step 2 Identify and configure the DHCHAP authentication modes.

Step 3 Configure the hash algorithm and DH group.

Step 4 Configure the DHCHAP password for the local switch and other switches in the fabric.

Step 5 Configure the DHCHAP timeout value for reauthentication.

Step 6 Verify the DHCHAP configuration.

This section includes the following topics:

• DHCHAP Compatibility with Fibre Channel Features, page 44-3

• About Enabling DHCHAP, page 44-4

• Enabling DHCHAP, page 44-4

• About DHCHAP Authentication Modes, page 44-4

• Configuring the DHCHAP Mode, page 44-5

• About the DHCHAP Hash Algorithm, page 44-5

• Configuring the DHCHAP Hash Algorithm, page 44-6

• About the DHCHAP Group Settings, page 44-6

• Configuring the DHCHAP Group Settings, page 44-6

• About the DHCHAP Password, page 44-6

• Configuring DHCHAP Passwords for the Local Switch, page 44-7

• About Password Configuration for Remote Devices, page 44-7

• Configuring DHCHAP Passwords for Remote Devices, page 44-8

• About the DHCHAP Timeout Value, page 44-8

• Configuring the DHCHAP Timeout Value, page 44-8

• Configuring DHCHAP AAA Authentication, page 44-9

• Displaying Protocol Security Information, page 44-9

DHCHAP Compatibility with Fibre Channel Features

This section identifies the impact of configuring the DHCHAP feature along with existing Cisco NX-OS

features:

• SAN port channel interfaces—If DHCHAP is enabled for ports belonging to a SAN port channel,

DHCHAP authentication is performed at the physical interface level, not at the port channel level.

• Port security or fabric binding—Fabric-binding policies are enforced based on identities

authenticated by DHCHAP.