Chapter 19: Storage Security

Port security requires activation on a per-VSAN basis. Port security uses pWWNs/nWWNs or fWWNs/sWWNs Port security binds devices at the interface level. Port security can be distributed by CFS.

4. Which of the following statements are TRUE regarding the port security feature? (Choose two answers.) Port security binds the fabric at the switch level. Port security requires activation on a per-VSAN basis. Port security cannot be distributed by CFS. Port security uses pWWNs/nWWNs or fWWNs/sWWNs

Microsoft Active Directory (AD)

Microsoft implementation of LDAP directory services for use in Windows-based environments. Active Directory provides administrators with the means for assigning networkwide policies, deploying programs to many computer systems concurrently, and applying critical updates to an entire organization. Active Directory stores information and settings related to an organization in a centralized and accessible database.

Terminal Access Controller Access Control System Plus (TACACS+)

One of the protocols that can be used to communicate between an AAA server and its client.

TACACS+ encrypts passwords only. TACACS+ is an open protocol supported by multiple vendors. TACACS+ is a Cisco proprietary protocol. TACACS+ encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. RADIUS encrypts passwords only.

1. Which of the following statements are INCORRECT regarding TACACS+? (Choose two answers.) TACACS+ uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol. TACACS+ provides independent, modular AAA facilities. Authorization can be done without authentication. TACACS+ encrypts passwords only. TACACS+ is an open protocol supported by multiple vendors.

389

2. The LDAP client/server protocol uses which TCP port number for transport requirements? 2003 1812 389 49

User roles contain rules that define the operations allowed for the user who is assigned the role. Up to 16 rules can be configured for each role. Each user role can contain multiple rules, and each user can have multiple roles. Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, the VSAN administrators can change VSAN membership of F or FL ports among these VSANs.

3. Which of the following statements are CORRECT regarding user roles on Cisco MDS 9000 Series Switches? (Choose two answers.) User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules, but each user cannot have multiple roles. Up to 16 rules can be configured for each role. User roles cannot be used to create VSAN administrators.

Manual Database Configuration Auto-Learning without CFS Distribution Auto-Learning with CFS Distribution Fabric binding binds the fabric at the switch level, whereas port security binds devices at the interface level.

5. Port security can be configured using which of the following methods? (Choose three answers.) Manual Database Configuration Auto-Learning without CFS Distribution Fabric Binding Auto-Learning with CFS Distribution

The fabric binding feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. Fabric binding is configured on a per-VSAN basis. Fabric binding cannot be distributed by CFS and must be configured manually on each switch in the fabric. Fabric binding uses a set of sWWNs.

6. Which statements are TRUE regarding the fabric binding feature? (Choose two answers.) The fabric binding feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. Fabric binding is configured on a per-VSAN basis. Fabric binding can be distributed by CFS and hence configured automatically on each switch in the fabric. Fabric binding uses pWWNs/nWWNs.

Configuration database Active database The fabric binding feature maintains a configuration database (config-database) and an active database. The config-database is a read-write database that collects the configurations you perform. These configurations are enforced only upon activation. This activation overwrites the active database with the contents of the config-database. The active database is read-only and is the database that checks each switch that attempts to log in.

7. Which databases are managed by the fabric binding feature? (Choose two answers.) Configuration database Inactive database Active database Startup database

Lightweight Directory Access Protocol (LDAP)

A client/server-based directory query protocol loosely based upon X.500, commonly used for managing user information

Cisco Fabric Services (CFS)

A common infrastructure for automatic configuration synchronization in the network. It provides the transport function and a set of common services to the features. CFS has the ability to discover CFS-capable switches in the network and discover feature capabilities in all CFS-capable switches.

bind DN

A distinguished name that is composed of the user and the location of the user in the LDAP directory tree.

fcping

A feature that verifies reachability of a node by checking its end-to-end connectivity. You can invoke the fcping feature by providing the FC ID, the destination port WWN, or the device alias information.

OpenLDAP

A free, open-source implementation of the Lightweight Directory Access Protocol (LDAP).

Dynamic Port VSAN Membership (DPVM)

A method that dynamically assigns VSAN membership to ports by assigning VSANs based on the device WWN.

switch World Wide Name (sWWN)

A name assigned to a switch in a Fibre Channel fabric.

Remote Authentication Dial-In User Service (RADIUS)

A networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect to and use a network service.

Transport Layer Security (TLS)

A protocol based on SSL 3.0 that provides authentication and encryption, used by most servers for secure exchanges over the Internet.

Fibre Channel Security Protocol (FC-SP)

A protocol that provides switch-switch and host-switch authentication capabilities to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication between Cisco MDS 9000 Family switches and other devices.

A. FC-SP authentication B. Telnet or SSH login C. iSCSI authentication

AAA configuration in Cisco MDS 9000 Series switches is service based. For which of the following services can you have separate AAA configurations? A. FC-SP authentication B. Telnet or SSH login C. iSCSI authentication D. FCIP authentication

Internet Small Computer Interface (iSCSI)

An Internet Protocol-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and manage storage over long distances. iSCSI can be used to transmit data over local-area networks (LANs), wide-area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a storage-area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally attached disks. iSCSI can be run over long distances using existing network infrastructure. iSCSI was pioneered by IBM and Cisco in 1998 and submitted as a draft standard in March 2000.

memberOf attribute

An attribute that specifies the DN of the groups to which the object belongs.

fabric port WWN (fWWN)

Each port on a fabric has an fWWN that is sometimes also called a Fabric Port WWN (FPWNNN).

Secure Shell (SSH)

Port 22 A Linux/UNIX-based command interface and protocol for securely accessing a remote computer.

port World Wide Name (pWWN)

See World Wide Port Name (WWPN). A name assigned to a port in a Fibre Channel fabric. Used on storage-area networks, it performs a function equivalent to the MAC address in the Ethernet protocol because it is supposed to be a unique identifier in the network.

Cisco attribute-value pair (cisco-av-pair)

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Attribute 26 encapsulates vendor-specific attributes (VSA), thereby allowing vendors to support their own extended attributes otherwise not suitable for general use.

base DN

The point from where a server will search for users.

AAA Server

The server/host responsible for running RADIUS or TACACS services.

Fabric Shortest Path First (FSPF)

The standard path selection protocol used by Fibre Channel fabrics. FSPF automatically calculates the best path between any two switches in a fabric.

Distinguished Name (DN)

This uniquely identifies a certificate entity.

d

What is the default maximum size of the accounting log in Cisco MDS 9000 Series switches? A. 100,000 bytes B. 400,000 bytes C. 50,000 bytes D. 250,000 bytes

b

Which of the following is NOT a valid authorization role in all Cisco MDS switches? A. Default-role B. server-superadmin C. Network operator (network-operator) D. Network administrator (network-admin)

A. AAA servers can be directly connected to the SAN fabric more easily.

Which of the following is NOT an advantage of remote AAA services over local AAA services for Cisco MDS 9000 Family switches? A. AAA servers can be directly connected to the SAN fabric more easily. B. User role mapping for each switch in the fabric can be managed more easily. C. User password lists for each switch in the fabric can be managed more easily. D. The accounting log for all switches in the fabric can be centrally managed.

Secure Sockets Layer (SSL)

a standard security technology for establishing an encrypted link between a web server and a browser, ensuring that all data passed between them remain private

c

ow many RADIUS servers can be configured in Cisco MDS 9000 with the NX-OS CLI? A. 32 B. 16 C. 64 D. 8

Exchange Fabric Membership Data (EFMD)

protocol used to ensure that the list of authorized switches is identical in all the switches in the fabric.

node World Wide Name (nWWN)

see World Wide Node Name (WWNN) A name assigned to a node (an endpoint, a device) in a Fibre Channel fabric. It is valid for the same WWNN to be seen on many different ports (different addresses) on the network, identifying the ports as multiple network interfaces of a single network node.