Send documentation comments to mdsfeedback-doc@cisco.com
44-2
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 44 Configuring IPsec Network Security
About IPsec
Note IPsec is not supported by the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch for IBM BladeCenter.
IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers).
IPsec provides the following network security services. In general, the local security policy dictates the use of one or more of these services between two participating IPsec devices:
• Data confidentiality—The IPsec sender can encrypt packets before transmitting them across a network.
• Data integrity—The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
• Data origin authentication—The IPsec receiver can authenticate the source of the IPsec packets sent. This service is dependent upon the data integrity service.
• Anti-replay protection—The IPsec receiver can detect and reject replayed packets.
Note The term data authentication is generally used to mean data integrity and data origin authentication. Within this chapter it also includes anti-replay services, unless otherwise specified.
With IPsec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets, extranets, and remote user access.
IPsec as implemented in Cisco NX-OS software supports the Encapsulating Security Payload (ESP) protocol. This protocol encapsulates the data to be protected and provides data privacy services, optional data authentication, and optional anti-replay services.
Note The Encapsulating Security Payload (ESP) protocol is a header inserted into an existing TCP/IP packet, the size of which depends on the actual encryption and authentication algorithms negotiated. To avoid fragmentation, the encrypted packet fits into the interface maximum transmission unit (MTU). The path MTU calculation for TCP takes into account the addition of ESP headers, plus the outer IP header in tunnel mode, for encryption. The MDS switches allow 100 bytes for packet growth for IPsec encryption.
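The following is an added worked example, not part of the Cisco guide: it computes how much an ESP-encapsulated packet grows for a few common algorithm combinations, checks the worst case against the 100-byte growth allowance quoted above, and derives the largest inner packet (and TCP MSS) that still fits a 1500-byte interface MTU. The per-algorithm IV, block and ICV sizes are standard ESP values (RFC 4303, RFC 2404, RFC 4106), assumed here rather than taken from the guide.

```python
from dataclasses import dataclass

ESP_HEADER = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2         # pad length (1 byte) + next header (1 byte)
OUTER_IPV4 = 20         # outer IPv4 header, added in tunnel mode only
IP_TCP_HEADERS = 40     # inner IPv4 (20) + TCP (20) without options
GROWTH_ALLOWANCE = 100  # bytes the guide says MDS switches reserve for IPsec growth


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # explicit IV carried at the start of the ESP payload
    block: int     # alignment the padded payload + trailer must reach
    icv_len: int   # integrity check value appended after the trailer


# Assumed standard sizes, not switch-specific figures.
SUITES = {
    "aes-cbc/hmac-sha1-96": EspSuite("aes-cbc/hmac-sha1-96", iv_len=16, block=16, icv_len=12),
    "3des-cbc/hmac-md5-96": EspSuite("3des-cbc/hmac-md5-96", iv_len=8, block=8, icv_len=12),
    "aes-gcm-128": EspSuite("aes-gcm-128", iv_len=8, block=4, icv_len=16),
}


def esp_padding(payload_len: int, suite: EspSuite) -> int:
    """Padding so that payload + trailer is a multiple of the suite's block size."""
    return (-(payload_len + ESP_TRAILER)) % suite.block


def esp_overhead(payload_len: int, suite: EspSuite, tunnel: bool) -> int:
    """Bytes added when an inner packet of payload_len is ESP-encapsulated."""
    growth = ESP_HEADER + suite.iv_len + esp_padding(payload_len, suite) + ESP_TRAILER + suite.icv_len
    return growth + (OUTER_IPV4 if tunnel else 0)


def worst_case_overhead(suite: EspSuite, tunnel: bool) -> int:
    """Largest growth over all payload lengths (one full block cycle covers every padding case)."""
    return max(esp_overhead(n, suite, tunnel) for n in range(suite.block))


def fits_allowance(suite: EspSuite, tunnel: bool) -> bool:
    """True if the worst-case growth stays within the 100-byte allowance."""
    return worst_case_overhead(suite, tunnel) <= GROWTH_ALLOWANCE


def max_inner_packet(mtu: int, suite: EspSuite, tunnel: bool) -> int:
    """Largest inner IP packet whose ESP-encapsulated form still fits the interface MTU."""
    n = mtu
    while n + esp_overhead(n, suite, tunnel) > mtu:
        n -= 1
    return n


def tcp_mss(mtu: int, suite: EspSuite, tunnel: bool) -> int:
    """TCP MSS that avoids fragmentation after ESP, mirroring the path MTU adjustment described above."""
    return max_inner_packet(mtu, suite, tunnel) - IP_TCP_HEADERS
```

For AES-CBC with HMAC-SHA1-96 in tunnel mode the worst case is 73 bytes, comfortably inside the allowance, and a 1500-byte MTU yields a 1438-byte inner packet and a TCP MSS of 1398.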
Note When using IPsec and IKE, each Gigabit Ethernet interface on the IPS module (either on the 14+2 LC or the 18+4 LC) must be configured in its own IP subnet. If multiple Gigabit Ethernet interfaces are configured with IP addresses or network masks in the same IP subnet, IKE packets may not be sent to the right peer, and thus the IPsec tunnel will not come up.
Figure 44-1 shows different IPsec scenarios.