spoofing wwn - pwwn vs nwwn

gstonian1
Level 1

Hi,

I have been reading up about the pros & cons of using port wwn over node wwn. From what I have read so far, I understand that port wwn zoning is more secure but more hassle when/if you change ports. Node wwn seems to be easier to manage but is less secure.

I would prefer to use node wwn, due to the flexibility & slightly more detailed information you get out of fabric manager on alias name / hba firmware level etc.

My question is though, if someone was able to guess/find out the wwn of another hba and spoof it, would the disk just be presented out to the spoofed hba without any question, or would any kind of alert/disruption be identified by the switch that two hbas have the same wwn?

For info, we are using the MDS9000 range Cisco switches, version 2.1(2b).

Cheers

Gordon

2 Replies

tblancha
Cisco Employee

The pwwn is the wwn that is external on an HBA and the nwwn is usually the same HBA but represents the 'internal' portion. For example, an HBA with two ports could have a nwwn of 50:00:00:00:c9:ab:cd:00 and then the pwwns would be 50:00:00:00:c9:ab:cd:01 and 50:00:00:00:c9:ab:cd:02 (this is an example). So, the nwwn would be logged in twice but each pwwn would be logged into the MDS port it was attached to. So, in this manner, the nwwn represents the actual server and the pwwn is the port that is used to gain access to the fabric.

Thus, I would think that spoofing either of these concepts which are burned in on a NIC would be equally difficult. There are two solutions, and in particular the FC-SP solution is best suited for anti-spoofing. It requires a password negotiation between the FC attached device and the MDS switch. So, this requires a password on both sides to be known. This also requires an HBA that supports it and added config in the initiator and the MDS switch. However, simple port security 'locks' in a pwwn to a particular interface port. They both will solve a spoofing issue.
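The pwwn/nwwn split and the port-security binding described above, as an added example that is not part of the original thread or of Cisco's software: a small checker that reads a constructed listing in the layout of the MDS `show flogi database` output, flags a pwwn that is logged in on more than one interface, and flags a login whose interface differs from the one a port-security binding table locks that pwwn to. The sample rows and the binding table are constructed for illustration, not captured from a switch.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of an MDS "show flogi database" listing
# (not a real capture). The two-port HBA from the reply logs in its single
# nwwn twice, once per pwwn; the fc1/3 row then presents a pwwn already
# logged in on fc1/1, which is the situation the question asks about.
SAMPLE_FLOGI = """\
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME
fc1/1            1     0x0b0100  50:00:00:00:c9:ab:cd:01  50:00:00:00:c9:ab:cd:00
fc1/2            1     0x0b0200  50:00:00:00:c9:ab:cd:02  50:00:00:00:c9:ab:cd:00
fc1/3            1     0x0b0300  50:00:00:00:c9:ab:cd:01  50:00:00:00:c9:ab:cd:00
"""

# Constructed port-security bindings: pwwn -> interface it is locked to.
PORT_SECURITY_DB = {
    "50:00:00:00:c9:ab:cd:01": "fc1/1",
    "50:00:00:00:c9:ab:cd:02": "fc1/2",
}

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
ROW = re.compile(rf"^(fc\S+)\s+(\d+)\s+(0x[0-9a-f]+)\s+({WWN})\s+({WWN})$", re.I)


def parse_flogi(text):
    """Return (interface, vsan, fcid, pwwn, nwwn) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iface, vsan, fcid, pwwn, nwwn = m.groups()
            rows.append((iface, int(vsan), fcid, pwwn.lower(), nwwn.lower()))
    return rows


def find_duplicate_pwwns(rows):
    """A pwwn identifies one port, so one pwwn on two interfaces is suspicious.
    One nwwn on several interfaces is normal for a multi-port HBA, so nwwns
    are deliberately not checked here."""
    seen = defaultdict(list)
    for iface, _vsan, _fcid, pwwn, _nwwn in rows:
        seen[pwwn].append(iface)
    return {pwwn: ifaces for pwwn, ifaces in seen.items() if len(ifaces) > 1}


def port_security_violations(rows, bindings):
    """Logins whose pwwn is bound to another interface (or not bound at all)."""
    return [(iface, pwwn, bindings.get(pwwn))
            for iface, _vsan, _fcid, pwwn, _nwwn in rows
            if bindings.get(pwwn) != iface]
```

With the sample above, `find_duplicate_pwwns` reports the `…:01` pwwn on fc1/1 and fc1/3, and `port_security_violations` reports only the fc1/3 login, since the binding table locks that pwwn to fc1/1.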

Thanks for the reply tblancha :-)
