DHCHAP Group Settings
All Cisco SAN switches support all DHCHAP groups specified in the standard: 0 (null DH group, which does
not perform the Diffie-Hellman exchange), 1, 2, 3, or 4.
If you change the DH group configuration, change it globally for all switches in the fabric.
Configuring the DHCHAP Group Settings
You can change the DH group settings.
DETAILED STEPS
PurposeCommand or Action
Enters global configuration mode.configure terminal
Example:
switch# configure terminal
switch(config)#
Step 1
Prioritizes the use of DH groups in the configured
order.
fcsp dhchap dhgroup [0 | 1 | 2 | 3 | 4]
Example:
switch(config)# fcsp dhchap dhgroup [0|1|2|3|4]
Step 2
Reverts to the DHCHAP factory default order of
0, 1, 2, 3 and 4.
no fcsp dhchap dhgroup [0 | 1 | 2| 3 | ]4]
Example:
switch(config)# no fcsp dhchap dhgroup [0|1|2|3|4]
Step 3
DHCHAP Password
DHCHAP authentication in each direction requires a shared secret password between the connected devices.
To do this, you can use one of three configurations to manage passwords for all switches in the fabric that
participate in DHCHAP:
• Configuration 1—Use the same password for all switches in the fabric. This is the simplest configuration.
When you add a new switch, you use the same password to authenticate that switch in this fabric. It is
also the most vulnerable configuration if someone from the outside maliciously attempts to access any
one switch in the fabric.
• Configuration 2—Use a different password for each switch and maintain that password list in each
switch in the fabric. When you add a new switch, you create a new password list and update all switches
with the new list. Accessing one switch yields the password list for all switches in that fabric.
Cisco Nexus 5000 Series NX-OS SAN Switching Configuration Guide, Release 5.2(1)N1(1)
OL-27583-01 245
Configuring FC-SP and DHCHAP
Configuring DHCHAP Authentication
To Next Page
Loading...
