Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

spoofing wwn - pwwn vs nwwn


I have been reading up about the pro's & con's of using port wwn over node wwn. From what I have read so far, I understand that port wwn zoning is more secure but more hassle when/if you change ports. Node wwn seems to be easier to manage but is less secure

I would prefer to use node wwn, due to the flexibity & slightly more detailed information you get out of fabric manager on alias name / hba firmware level etc

My question is though, if someone was able to guess/find out the wwn of another hba and spoof it, would the disk just be presented out to the spoofed hba without any question or would any kind of alert/disruption be identified by the switch that two hba's have the same wwn ?

For info, we are using the mds9000 range cisci switches vrs 2.1(2b)



Cisco Employee

Re: spoofing wwn - pwwn vs nwwn

The pwwn is the wwn that is external on a HBA and the nwwn is usally the same HBA but represents the 'internal' portion. For example, a HBA with two ports could have a nwwn of 50:00:00:00:c9:ab:cd:00 and then the pwwn would be 50:00:00:00:c9:ab:cd:01 and 50:00:00:00:c9:ab:cd:02 (this is example). So, the nwwn would be logged in twice but each pwwn would be logged into the MDS port it was attached to. So, in this manner, the nwwn represents the actual server and the pwwn is the port that is used to gain access to the fabric.

Thus, I would think that spoofing either of these concepts which are burned in on a NIC would be equally difficult. There is two solutions and in particular, the FC-SP solution is best suited for anti-spoofing. It requires a password negotiation between the FC attached device and the MDS switch. So, this requires a password on both sides to be known. This also requires a HBA that supports it and added config in the initiator and the MDS switch. However, simple port security 'locks' in a pwwn to a particular interface port. They both will solve a spoofing issue.

New Member

Re: spoofing wwn - pwwn vs nwwn

Thanks for the reply tblancha :-)

CreatePlease login to create content