Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module, a MDS 9222i switch, or a SSN-16 module anywhere in the fabric. There are no appliances in-line in the data path and there is no SAN rewiring or reconfiguration.

SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest. Advanced Cisco MDS 9000 SAN-OS and NX-OS software security features, such as Secure Shell (SSH), Secure Sockets Layer (SSL), RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the foundation for the secure architecture.

SME uses the NIST-approved random number standard to generate the keys for encryption.

Encryption and compression services are transparent to the hosts and storage devices.

SME services include the following four configuration and security roles:

• SME Administrator
• SME Storage Administrator
• SME Key Management Center (KMC) Administrator
• SME Recovery Officer

The SME Administrator configures and maintains SME. This role can be filled by multiple storage network administrators. The SME Storage Administrators are responsible for SME provisioning operations and the SME KMC Administrators are responsible for the SME KMC administration operations. The security officer may be assigned the SME KMC Administrator role in some scenarios.

Note	SME Administrator role includes the SME Storage Administrator and the SME KMC Administrator roles.

The SME Recovery Officers are responsible for key recovery operations. During SME configuration, additional Recovery Officers can be added. SME Recovery Officers play a critical role in recovering the key database of a deactivated cluster and they are responsible for protecting the master key. The role of the SME Recovery Officer separates master key management from SME administrations and operations. In some organizations, a security officer may be assigned to this role.

At the advanced security level, a quorum of SME Recovery Officers is required to perform recovery procedures. The default is 2 out of 5. In this case 2 of the 5 recovery officers are required to unlock the master key.

For additional information on SME Administrator and SME Recovery Officer roles, see the Creating and Assigning SME Roles and SME Users.

Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding.

Key management features include the following:

• Master key resides in password protected file or in smart cards.

  • If the cluster security mode is set to Basic, the master key resides in the password protected file.

  • If the cluster security mode is set to Standard, the master key resides in only one smart card. And the same smart card is required to recover the master key.

  • If the cluster security mode is set to Advanced, the master key resides in multiple smart cards. Quorum (2 out of 3 or 2 out of 5 or 3 out of 5) of smart cards are required to recover the master key based on the user selection.

• Unique key per tape for an SME tape cluster.

• Unique key per LUN for an SME disk cluster.

• Keys reside in clear-text only inside a FIPS boundary.

• Tape keys and intermediate keys are wrapped by the master key and deactivated in the CKMC.

• Disk keys are wrapped by the cluster master key and deactivated in the CKMC.

• Option to store tape keys on tape media.

The centralized key lifecycle management includes the following:

• Archive, shred, recover, and distribute media keys.

  • Integrated into DCNM-SAN.

  • Secure transport of keys.

• End-to-end key management using HTTPS/SSL/SSH.

  • Access controls and accounting.

  • Use of existing AAA mechanisms.

The Cisco KMC provides dedicated key management for SME, with support for single and multisite deployments. The Cisco KMC performs key management operations.

The Cisco KMC is either integrated or separated from DCNM-SAN depending on the deployment requirements.

Single site operations can be managed by the integration of the Cisco KMC in DCNM-SAN. In multisite deployments, the centralized Cisco KMC can be used together with the local DCNM-SAN servers that are used for fabric management. This separation provides robustness to the KMC and also supports the SME deployments in different locations sharing the same Cisco KMC.

Figure 1shows how Cisco KMC is separated from DCNM-SAN for a multisite deployment.

A Cisco KMC is configured only in the primary data center and DCNM-SAN servers are installed in all the data centers to manage the local fabrics and provision SME. The SME provisioning is performed in each of the data centers and the tape devices and backup groups in each of the data centers are managed independently.

Figure 2. Multisite Setup in Cisco KMC

Need to change all the instances of Fabric Manager to DCNM-SAN. Need to request this by the illustrator. -- before Delhi.

In the case of multisite deployments when the Cisco KMC is separated from DCNM-SAN, fabric discovery is not required on the Cisco KMC installation. The clusters that have connection to the Cisco KMC will be online and the clusters that are not connected, but are not deactivated, appear as offline. The SME clusters that are deleted from the fabric appear as deactivated.

The high availability Cisco KMC server consists of a primary server and a secondary server. When the primary server is unavailable, the cluster connects to the secondary server and fails over to the primary server once the primary server is available. The high availability KMC will be available after you configure the high availability settings in DCNM-SAN Web Client.

Cluster technology provides reliability and availability, automated load balancing, failover capabilities, and a single point of management.

SME performance can easily be scaled up by adding more Cisco MDS 9000 Family switches or modules. The innovative Fibre Channel redirect capabilities in Cisco MDS 9000 NX-OS enable traffic from any switch port to be encrypted without SAN reconfiguration or rewiring.

SME provides discovery of backend targets using the identity of the host during a session establishment.

The SME cluster consists of a set of switches (in a dual-fabric environment) running the SME application. Clustering offers target-based load balancing of SME application services. The cluster infrastructure allows the SME application to communicate and coordinate to maintain consistency and high availability.

Load balancing is achieved by distributing ownership of the various metadata objects throughout the cluster. SME assigns hosts to the available SME interfaces using the following algorithm:

• All hosts for a given target port are always assigned to the same SME interface.
• If a target port is connected to one of the SME switches, an interface is selected based on the load from the target-connected switch. That is, the target locality is considered when choosing a SME interface for a target.
• If a target is connected to a switch that has no SME interface, then the target is assigned to the least loaded available interface in the SME cluster.

In target-based load balancing, the load on an interface refers to the number of targets assigned to that interface.

Caution

SME provides a load balancing CLI that allows you to rebalance the targets assigned to the available SME interfaces in the cluster. However, the load balancing command is disruptive to the traffic. Ensure that you execute this command at a scheduled downtime, otherwise, the existing traffic will be affected.

Figure 1 shows a single-fabric topology in which the data from the HR server is forwarded to the Cisco MSM-18/4 module. The Cisco MSM-18/4 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR tape. SME also tracks the barcodes on each encrypted tape and associates the barcodes with the host servers.

Figure 1 shows encrypted data from the HR server is compressed and stored in the HR tape library. Data from the email server is not encrypted when backed up to the dedicated email tape library.

Figure 3. SME: Single-Fabric Topology

Note	Tape devices should be connected to core switches such as an MDS 9500 Series switch or MDS 9222i switch running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later and also can/should be connected to MDS 9710 Series switch running with Cisco NX-OS 6.2(3) or later.

Encryption and compression services are transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric and can be used without rezoning.

A single-fabric topology in which the data from the HR server is forwarded to the Cisco MSM-18/4 module, Cisco MDS 922i switch or SSN-16 module. The Cisco MSM-18/4 module, Cisco MDS 9222i switch or SSN-16 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR disk.

Note	SME disk also supports dual-fabric topology with which the data can be encrypted on all the paths. Disk devices should be connected to core switches, such as an MDS 9500 Series switch or an MDS 9222i switch, running on Cisco NX-OS Release 5.2(1) or later.

Encryptions are transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric and can be used without rezoning.

The Cisco MDS 9000 Family 18/4-Port Multiservice module (MSM-18/4) provides 18 autosensing 1-, 2-, and 4-Gbps Fibre Channel ports and four Gigabit Ethernet IP services ports. The MSM-18/4 module provides multiprotocol capabilities such as Fibre Channel, Fibre Channel over IP (FCIP), Small Computer System Interface over IP (iSCSI), IBM Fiber Connectivity (FICON), and FICON Control Unit Port (CUP) management.

The MSM-18/4 module provides 18 4-Gbps Fibre Channel interfaces for high-performance SAN and mainframe connectivity and four Gigabit Ethernet ports for FCIP and iSCSI storage services. Individual ports can be configured with hot-swappable shortwave, longwave, extended-reach, coarse wavelength-division multiplexing (CWDM) or dense wavelength-division multiplexing (DWDM) Small Form-Factor Pluggables (SFPs) for connectivity up to 125 miles (200 km).

The MSM-18/4 module can minimize latency for disk and tape through FCIP write acceleration and FCIP tape write and read acceleration. The MSM-18/4 module provides up to 16 virtual Inter-Switch Link (ISL) connections on the four 1-Gigabit Ethernet ports through tunneling, and provides up to 4095 buffer-to-buffer credits that can be assigned to a single Fibre Channel Port.

The MSM-18/4 provides intelligent diagnostics, protocol decoding, and network analysis tools with the integrated Call Home capability.

Note	Cisco MDS 9000 Series switches running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later support the MSM-18/4 module for SME tape.Cisco MDS 9000 Series switches running Cisco NX-OS Release 5.2(1) support the MSM-18/4 and SSN-16 modules for SME disk.

For additional information, refer to the Cisco MDS 9500 Series Hardware Installation Guide.

The Cisco MDS 9222i Multiservice Modular switch includes an integrated supervisor module (in slot 1) that provides the control and management functions of the Cisco MDS 9222i switch and it provides an 18-Port Fibre Channel switching and 4-Port Gigabit Ethernet IP services module. The Cisco MDS 9222i built-in supervisor module provides multiple communication and control paths to avoid a single point of failure. The Cisco MDS 9222i supervisor module has a PowerPC PowerQUICC III class processor, 1 GB of DRAM, and an internal CompactFlash card that provides 1 GB of storage for software images.

The Cisco MDS 9222i switch includes a modular expansion slot to host Cisco MDS 9000 Family switching and services modules. For additional information, refer to the Cisco MDS 9200 Series Hardware Installation Guide.

Note	The Cisco MDS 9222i switch requires Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later for SME tape.The Cisco MDS 9222i switch requires Cisco NX-OS Release 5.2(1) for SME disk.

The Cisco MDS 9000 Family 16-Port Storage Services Node (SSN-16) hosts four independent service engines which can be individually and incrementally enabled to scale as business requirements grow. The SSN-16 configuration is based on the single service engine of the Cisco MDS 9000 Family 18/4-Port Multiservice module and the four-to-one consolidation provides hardware savings and frees up slots in the MDS 9500 series chassis.

The SSN-16 seamlessly integrates into the Cisco MDS 9500 Series Multilayer directors and the Cisco MDS 9222i Multiservice Modular switch. Each of the four service engines supports four Gigabit Ethernet IP storage services ports for a total of 16 ports of Fibre Channel over IP (FCIP) connectivity. The traffic can be switched between an IP port and any Fibre Channel port on Cisco MDS 9000 Family switches.

The SSN-16 supports the full range of services available on other Cisco MDS 9000 Family modules including VSAN, security, and traffic management. Features such as I/O Accelerator (IOA), SME Disk and Tape, and FCIP can be configured in different octeons in a single SSN-16 module.

By running four separate, concurrent applications on one module, SSN-16 provides the following functions:

• Provides better disaster recovery and continuity solutions for mission critical applications.
• Minimizes the number of devices required, which improves the reliability.
• Consolidates the management with a single module, which provides end-to-end visibility.
• Facilitates solution-level performance optimization.

The SSN-16 module provides transparent services to any port in a fabric and does not require additional SAN reconfiguration and rewiring. The module does not require the host or target to be directly attached and is available with multimodule clustering and balancing.

The SSN-16 module supports up to four SME interfaces per module and provides higher scalability and improved performance of up to 20 percent on the MSM-18/4 module and 9222i switches.

Note	Cisco MDS 9500 Series switches running Cisco NX-OS Release 4.2(1) or later support the SSN-16.

For additional information, refer to the Cisco MDS 9500 Series Hardware Installation Guide.

Note	In Cisco MDS NX-OS Release 5.2(x), you cannot install a FCoE module in a switch that is running DMM, SME, or IOA.

In Cisco MDS NX-OS Release 5.2(x), you cannot install a FCoE module in a switch that is running DMM, SME, or IOA.

SME requires that each target switch be FC-Redirect capable. FC-Redirect is not supported on the following switches:

• Cisco MDS 9120 switch
• Cisco MDS 9140 switch
• Cisco MDS 9124 switch
• Cisco MDS 9134 switch
• Cisco MDS 9020 switch

Note	In Cisco MDS NX-OS Release 6.2(1), FC-Redirect is not supported on the Cisco MDS 9710 switch. Fibre Channel Redirect (FCR) support is introduced on to Cisco MDS 9710 series switch running with Cisco NX-OS 6.2(3) or later.

Note	SME does not support any FCoE connected devices including devices connected through the MDS FCoE linecard (DS-X9708-K9).

Note	Disk devices, tape devices, and tape libraries are not supported in these edge switches. Disks and tapes cannot be connected to these switches.

To employ standard and advanced security levels, SME requires the following:

• Smart Card Reader for SME (DS-SCR-K9)
• Smart Card for SME (DS-SC-K9)

The smart card reader is a USB device that is connected to a management workstation. The management workstation is used to configure the SME cluster. The smart card reader requires the smart card drivers that are included on the installation CD. These must be installed on the management workstation where the reader is attached.

Note	The smart card reader is supported on Windows-only platforms. This support includes only the Windows 4 64-bit and Windows XP 32-bit platforms.For the newly installed smart card drivers to work efficiently with the smart card readers, you must stop all Microsoft smart card services.