Thursday, June 20, 2013

CCIE DC: Fibre Channel Port-Security

Hi Guys!

Next blog post, this one on the final bit of FC security, which is FC port security. I am not going to spend an inordinate amount of time on this, just enough to cover it off as it is in the blueprint :).


OK Let's go

First of all, we have been through a few Fibre Channel security measures, so let's look at what each one does and why it's so important:

Zoning
This is the typical "security" feature we are all used to on Fibre Channel switches. It allows us to restrict which devices can talk to which at the SCSI level. It is used mostly so that if a Windows box or a Linux box sees a partition belonging to the other operating system, it doesn't think it's an invalid partition and try to blow it away (well, it's used for lots of reasons to restrict access, but it's basically about restricting hosts from talking to storage they shouldn't).

Fabric Binding
This only allows certain switches to actually join the fabric and is configured fabric-wide, so only certain switches (not hosts, but switches) are allowed into our Fibre Channel domain.

Port-Security
Port security restricts which pWWNs and nWWNs are allowed onto that switch; you can further restrict it down to particular ports.

FC-SP
Fibre Channel Security Protocol requires that an FC switch or host actually has to AUTHENTICATE to the switch before being allowed onto the fabric. It is not configured on a per-VSAN basis but rather on a per-interface basis.

When you look at all of these, it's difficult to distinguish how they don't overlap with each other in terms of functionality, but they don't:

Zoning is useful as a basic security mechanism. The problem with zoning is that while it prevents some hosts from seeing other hosts, it wouldn't prevent a host from joining the fabric and spewing out some sort of malicious messaging or performing some sort of Fibre Channel DoS.

Fabric Binding might also appear to be not as important, but a simple DoS on an FC network might be to advertise loads and loads of switches joining the fabric, so much so that the number of available domain IDs is exhausted (you can only have ~= 128 to 230 (depending on which vendor you talk to) switches in a fabric). Another potential problem with relying on zoning alone is that if a switch is added and declares itself the principal switch, or starts mucking around with FSPF, you could potentially have a device make itself part of the traffic flow and perform a man-in-the-middle.

Finally FC-SP, which is probably the most secure of all, protects the individual switch by not allowing any devices that might be malicious to connect to that switch at all, but your HBA or other switch might not support FC-SP.

Ok, Moving on with Port-Security!

As always, I learnt most of what I am about to share with you from a nice Cisco document; have a look at that if you want a more in-depth discussion of port-security than I can give :).

http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/psec.html




So, how do we configure port-security? There are only a few steps, but as always with FC and the Nexus 5000, ORDER OF OPERATIONS IS _CRUCIAL_. This is ESPECIALLY true for port-security, which has some quirks due to something called "auto-learning".

So, pWWNs, nWWNs and fWWNs, what do they all have in common? Ha ha, well I am going to mention something maybe not as obvious: they are all bloody long and hard to type!

So Cisco in their infinite wisdom decided that when it comes to FC port security, they would implement a feature called "auto-learning". What happens is, when you first enable port-security, the switch goes out and "learns" all the connected devices and places them into the active database, and it keeps auto-learning on indefinitely until you turn it off.

So what this means is, the steps for enabling port-security (and actually having it, you know, do something useful :p) are as follows:

1. Enable the feature
2. Enable port-security on the VSAN itself; auto-learn will be on by default
3. Let port-security learn all the active WWNs
4. Copy the active database to your config database, so you have a copy of the port-security entries in your config database
5. Disable auto-learn so that something can't just come along and plug in now (which would kind of defeat the purpose of port-security :))

Now the above steps get a bit more complicated when you start involving multiple switches and start using CFS, but that is the main process.

OK let's check out how to configure it. In this example I will go through a single switch, then we will go through the process if you want to distribute via CFS.


Switch2(config)# feature port-security
ENTERPRISE_PKG license not installed. Port Security feature will be shut down after grace period of approximately 119 day(s).
Switch2(config)# port-security activate vsan 1
Switch2(config)# show port-security status
Fabric Distribution Disabled
VSAN 1 :Activated database, learning is enabled, No Session
 


Here you can see I have enabled the feature and activated it on the VSAN, just ignore my 119 days of license grace ;) (Does anyone know how you reset this license count, btw? Can I just say "no license grace-period, license grace-period" to reset, or do I have to blow away the config? Any help greatly appreciated :).

Next I can see that database entries have been learnt:

Switch2(config)# show port-security database active vsan 1
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*          Yes
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*          Yes
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*         Yes
[Total 3 entries]
 

Finally I need to copy the active database into the config database:

Switch2# port-security database copy vsan 1
 

Now I have a full database in my config:

Switch2# show port-security database
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*         
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*         
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*        
[Total 3 entries]


Switch2(config)# show run | sect port-security
feature port-security
port-security database vsan 1
  pwwn 50:01:10:a0:00:18:31:80 interface fc2/1
  pwwn 50:01:10:a0:00:18:31:e6 interface fc2/2
  swwn 20:00:00:0d:ec:2d:4f:40 interface fc1/14


So let's pretend at this point that I did NOT disable auto-learning and then plugged in a device. Let's see what happens.

I have plugged into port 2/3:

Switch2(config-if)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*          Yes
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*          Yes
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*         Yes
1    50:01:10:a0:00:18:31:82(pwwn) 20:43:00:0d:ec:2b:3c:40(fc2/3)*          Yes




The entry has been learnt! So what the heck was the point of that? Right now I am not enforcing anything!

THEREFORE, YOU MUST TURN OFF AUTO LEARNING AFTER YOU HAVE FINISHED... AUTO LEARNING :)

I really seem to like the red these days, I must be taking my motto "CCIE Musing and Rants, (now in Colour!)" quite seriously
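That gap (auto-learn left on, so an unknown device is learnt rather than blocked) is visible in the show output, and it can be checked mechanically. As an added example (mine, not code from the post or from Cisco), here is a small Python audit that parses the active database and running-config stanza in the format shown above and flags learning still being enabled, plus any active entry that never made it into the config database. The sample text is constructed to match the post's format.

```python
import re
# Constructed sample output in the format the post shows (not captured from a real switch).
STATUS = "VSAN 1 :Activated database, learning is enabled, No Session"
ACTIVE_DB = """\
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*          Yes
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*          Yes
1    50:01:10:a0:00:18:31:82(pwwn) 20:43:00:0d:ec:2b:3c:40(fc2/3)*          Yes
"""
CONFIG_DB = """\
port-security database vsan 1
  pwwn 50:01:10:a0:00:18:31:80 interface fc2/1
  pwwn 50:01:10:a0:00:18:31:e6 interface fc2/2
"""
# Row of 'show port-security database active'; Learnt is blank once auto-learn is off.
ACTIVE_RE = re.compile(
    r"^(?P<vsan>\d+)\s+(?P<wwn>[0-9a-f:]{23})\((?P<kind>\w+)\)\s+"
    r"[0-9a-f:]{23}\((?P<intf>[^)]+)\)\*?\s*(?P<learnt>Yes)?\s*$")
# Binding line under 'port-security database vsan N' in the running config.
CFG_RE = re.compile(
    r"^\s+(?P<kind>[pnsf]wwn)\s+(?P<wwn>[0-9a-f:]{23})(?:\s+interface\s+(?P<intf>\S+))?")

def parse_active_db(text):
    """Map (vsan, kind, wwn, interface) -> True if the entry was auto-learnt."""
    entries = {}
    for line in text.splitlines():
        m = ACTIVE_RE.match(line.strip())
        if m:
            entries[(int(m["vsan"]), m["kind"], m["wwn"], m["intf"])] = m["learnt"] == "Yes"
    return entries

def parse_config_db(text):
    """Set of (vsan, kind, wwn, interface) bindings present in the config database."""
    entries, vsan = set(), None
    for line in text.splitlines():
        hdr = re.match(r"port-security database vsan (\d+)", line)
        if hdr:
            vsan = int(hdr.group(1))
            continue
        m = CFG_RE.match(line)
        if m and vsan is not None:
            entries.add((vsan, m["kind"], m["wwn"], m["intf"]))
    return entries

def audit(status, active_text, config_text):
    """Return findings; an empty list means the switch is actually enforcing its config."""
    findings = []
    if "learning is enabled" in status:
        findings.append("auto-learn still enabled: new logins are admitted, not enforced")
    config = parse_config_db(config_text)
    for (vsan, kind, wwn, intf), learnt in sorted(parse_active_db(active_text).items()):
        if (vsan, kind, wwn, intf) not in config:
            findings.append(f"vsan {vsan}: {kind} {wwn} on {intf} active{' (auto-learnt)' if learnt else ''} but not in config db")
    return findings
```

Run it against the real output of show port-security status, show port-security database active and show run | sect port-security; both findings should be empty before you call the VSAN protected.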


OK let's disable auto-learning:

Switch2(config)# no port-security auto-learn vsan 1
Switch2(config)# end

Switch2# show port-security status
Fabric Distribution Disabled
VSAN 1 :Activated database, learning is disabled, No Session


OK now what is in our database:

Switch2# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*          Yes
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*          Yes
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*         Yes



Let's plug that port back in now.

VSAN 1 :Activated database, learning is disabled, No Session
Switch2# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*         
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*         
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*        
[Total 3 entries]
 

The entry is not in the database...


Switch2# show port-security violations
-------------------------------------------------------------------------------
VSAN Interface        Logging-in Entity             Last-Time    [Repeat count]
-------------------------------------------------------------------------------
1    fc2/3            50:01:10:a0:00:18:31:82(pwwn) Jun 20 17:59:08 2013 [2]
                      50:01:10:a0:00:18:31:83(nwwn)
[Total 1 entries]
Switch2# 


You get an awesome violation message, so you can use this to verify what is happening. You would also receive it on your console if you term mon:

Switch2# 2013 Jun 20 18:01:12 Switch2 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.0.0.83@pts/1

Switch2# 2013 Jun 20 18:01:14 Switch2 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 1%$
2013 Jun 20 18:01:14 Switch2 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 1%$
2013 Jun 20 18:01:14 Switch2 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 1%$ Interface fc2/3 is down(Suspended due to port binding)

Switch2# 2013 Jun 20 18:01:15 Switch2 %PORT-SECURITY-3-BINDING_VIOLATION: %$VSAN 1%$
2013 Jun 20 18:01:15 Switch2 %PORT-5-IF_DOWN_DENIED_DUE_TO_PORT_BINDING: %$VSAN 1%$ Interface fc2/3 is down(Suspended due to port binding)


OK so let's say you have had port-security on in your environment for a while now and you want to add a new host. If you were going to be adding lots, my recommendation would be to turn on auto-learn again, let it auto-learn and copy the database again :), but you could also just provision manually (and in fact, auto-learn itself is completely optional; you don't need to configure it unless you want to, you could manually specify each one, no worries).

So for our example we are going to manually specify this time.

The show port-security violations output has all the info we need :)

port-security database vsan 1
  pwwn 50:01:10:a0:00:18:31:82 interface fc2/3

After this is done you MUST activate the database, like you would any other zoning config etc.:

port-security activate vsan 1
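Turning the violations output into the config stanza above is mechanical, so here is an added Python helper (mine, not from the post or Cisco) that parses show port-security violations, keeping the nWWN continuation line with its pWWN, and emits the per-VSAN stanza for the violating pWWNs. The sample text is constructed to match the post's format; the output is something to review against the hosts you actually meant to add, then activate.

```python
import re
# Constructed sample in the format of 'show port-security violations' shown in the post.
VIOLATIONS = """\
VSAN Interface        Logging-in Entity             Last-Time    [Repeat count]
-------------------------------------------------------------------------------
1    fc2/3            50:01:10:a0:00:18:31:82(pwwn) Jun 20 17:59:08 2013 [2]
                      50:01:10:a0:00:18:31:83(nwwn)
[Total 1 entries]
"""
# First line of a violation record: VSAN, interface, entity, timestamp, repeat count.
FIRST_RE = re.compile(
    r"^(?P<vsan>\d+)\s+(?P<intf>\S+)\s+(?P<wwn>[0-9a-f:]{23})\((?P<kind>\w+)\)"
    r"\s+(?P<time>.+?)\s+\[(?P<count>\d+)\]\s*$")
# Continuation line carrying a further entity (the nWWN under the pWWN above).
CONT_RE = re.compile(r"^\s+(?P<wwn>[0-9a-f:]{23})\((?P<kind>\w+)\)\s*$")

def parse_violations(text):
    """Group each violation with its continuation lines into one record."""
    records = []
    for line in text.splitlines():
        m = FIRST_RE.match(line)
        if m:
            records.append({"vsan": int(m["vsan"]), "interface": m["intf"],
                            "entities": [(m["kind"], m["wwn"])],
                            "count": int(m["count"]), "last": m["time"]})
            continue
        c = CONT_RE.match(line)
        if c and records:
            records[-1]["entities"].append((c["kind"], c["wwn"]))
    return records

def proposed_entries(records, kinds=("pwwn",)):
    """Config stanza, per VSAN, that would bind each violating pWWN to the port it hit.
    Review it against the list of hosts you actually intended to add before applying."""
    by_vsan = {}
    for r in records:
        for kind, wwn in r["entities"]:
            if kind in kinds:
                by_vsan.setdefault(r["vsan"], []).append(
                    f"  {kind} {wwn} interface {r['interface']}")
    lines = []
    for vsan in sorted(by_vsan):
        lines.append(f"port-security database vsan {vsan}")
        lines.extend(by_vsan[vsan])
    return lines
```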


Now it's a member like we expect:

Switch2(config)# show port-security database active
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*         
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*         
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*        
1    50:01:10:a0:00:18:31:82(pwwn) 20:43:00:0d:ec:2b:3c:40(fc2/3)*         



OK, now let's super quickly go over the order of operations and a very brief example for port-security where we are using CFS for distribution.

So let's look at the steps again, and insert the appropriate changes to account for the fact that we are using CFS distribution:



1. Enable the feature
2. Enable distribution of port-security info
3. Check to make sure port-security distribution and peers are known over CFS
4. Enable port-security on the VSAN itself; auto-learn will be on by default
5. Commit your change
6. Let port-security learn all the active WWNs
7. Disable auto-learn
8. Commit your change
9. Copy the port-security active database to the config database
10. Commit your change
11. Activate the port-security database

Here are the steps:

ON BOTH SWITCHES 1 and 2:
Switch1(config)# port-security distribute
Switch1(config)# end
Switch1# show cfs peers name port-security

Scope      : Logical [VSAN 1]
--------------------------------------------------------------------------------
 Domain Switch WWN              IP Address
--------------------------------------------------------------------------------
 1      20:00:00:0d:ec:2d:4f:40 10.0.0.32                               [Local]
                                Switch1                                
 2      20:00:00:0d:ec:2b:3c:40 10.0.0.33                             

Total number of entries = 2

Switch1# 



Next, on just one of the switches, activate port-security (auto-learn is the default mode so will be enabled by default):


Switch1(config)# port-security activate vsan 1

COMMIT YOUR CHANGE:
Switch1(config)# port-security commit vsan 1

Check to make sure the commit has gone through:

Switch1(config)# show port-security session status
Session Parameters for VSAN: 1
-------------------------------
Last Action Time Stamp     : Mon Aug 31 10:32:58 1981
Last Action                : Commit
Last Action Result         : Success
Last Action Failure Reason : none


OK let's check the active database on both switches:

Switch1# show port-security database active vsan 1
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:e4(pwwn) 20:42:00:0d:ec:2d:4f:40(fc2/2)*          Yes
1    20:00:00:0d:ec:2b:3c:40(swwn) 20:0e:00:0d:ec:2d:4f:40(fc1/14)*         Yes




Switch2# show port-security database active vsan 1
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)     Learnt
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*          Yes
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*          Yes
1    50:01:10:a0:00:18:31:82(pwwn) 20:43:00:0d:ec:2b:3c:40(fc2/3)*          Yes
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*         Yes




All looks fine so far, the next step is to copy the active database into the config:


Switch2# port-security database copy vsan 1
Error for VSAN 1: Copy of active to config db not allowed when distribution and auto-learn are on
Switch2#


What step did we forget? You have to turn off auto-learning and commit that change:

Switch2(config)# no port-security auto-learn vsan 1

Switch2(config)# port-security commit vsan 1

Switch2(config)# show port-security status
Fabric Distribution Enabled
VSAN 1 :Activated database, learning is disabled, No Session



Looks good, let's try copying again:

Switch2# port-security database copy vsan 1


What do we have to do next? That's right, COMMIT.

Now what will happen is that ALL switches will share the SAME full config database, which could be quite annoying if your fabric is very large.

Switch2# show port-security database vsan 1
--------------------------------------------------------------------------------
VSAN Logging-in Entity             Logging-in Point       (Interface)
--------------------------------------------------------------------------------
1    50:01:10:a0:00:18:31:80(pwwn) 20:41:00:0d:ec:2b:3c:40(fc2/1)*         
1    50:01:10:a0:00:18:31:e6(pwwn) 20:42:00:0d:ec:2b:3c:40(fc2/2)*         
1    50:01:10:a0:00:18:31:82(pwwn) 20:43:00:0d:ec:2b:3c:40(fc2/3)*         
1    20:00:00:0d:ec:2d:4f:40(swwn) 20:0e:00:0d:ec:2b:3c:40(fc1/14)*        
1    50:01:10:a0:00:18:31:e4(pwwn) 20:42:00:0d:ec:2d:4f:40*
1    20:00:00:0d:ec:2b:3c:40(swwn) 20:0e:00:0d:ec:2d:4f:40*
[Total 6 entries]



That's port security! Hopefully this is the last post I have to do on FC security features. I hope you enjoyed it and found it useful!

Thanks guys

