Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x

CHAPTER 30

FC-SP and DHCHAP

Fibre Channel Security Protocol (FC-SP) capabilities provide switch-switch and host-switch
authentication to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge
Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication
between Cisco MDS 9000 Family switches and other devices. It consists of the CHAP protocol
combined with the Diffie-Hellman exchange.

This chapter includes the following sections:
Fibre Channel Security Protocol
Configuring DHCHAP Authentication

Fibre Channel Security Protocol

All switches in the Cisco MDS 9000 Family enable fabric-wide authentication from one switch to
another switch, or from a switch to a host. These switch and host authentications are performed locally
or remotely in each fabric. As storage islands are consolidated and migrated to enterprise-wide fabrics,
new security challenges arise. The approach of securing storage islands cannot always be guaranteed in
enterprise-wide fabrics. For example, in a campus environment with geographically distributed switches,
someone could maliciously interconnect incompatible switches, or you could accidentally do so,
resulting in Inter-Switch Link (ISL) isolation and link disruption. This need for physical security is
addressed by switches in the Cisco MDS 9000 Family (see Figure 30-1).