If you planned on turning on the globalEnforcePriv setting in your SAN fabric to improve security ... don't!

There is a setting which is available within Cisco Fiber Channel switches that I ran across while configuring some new Cisco MDS switches that looked great for security.  The setting is called "globalEnforcePriv" and the basic idea as I understand it is that it globally enforces privacy on all the accounts on the switch.  So far this sounds like a good thing.  The problem that I ran across was that I could no longer use the management tools to log into the switch and manage it.  I had to log back into the switch from the command line and remove the setting from the configuration.

We ran across this setting while troubleshooting a connection problem between the new Cisco UCS controllers and the Cisco MDS switches.  It looked like something that might help with the switch-to-switch authentication problem that we were having, but instead it just made life miserable for a good while until we realized that it was the reason we couldn't log back into the switch.

So if you see that setting in your running config and you need to remove it, run "config t" to enter configuration mode, then run "no snmp-server globalEnforcePriv" to get rid of the setting.  Don't forget to save the running config to the startup config so that the setting stays gone the next time you reboot the switch.
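Here is the full console sequence for checking, removing and persisting the change, written out as an added example rather than taken from the original post. It assumes a Cisco MDS switch running NX-OS, the hostname "mds-switch" is a placeholder, and, as the command name suggests, that the setting forces SNMPv3 privacy (encryption) for every SNMP user, which is why SNMP-based management tools configured without privacy stop working once it is on.

```text
! 1. Check whether the setting is present in the running configuration
mds-switch# show running-config | include globalEnforcePriv
snmp-server globalEnforcePriv

! 2. Enter configuration mode and remove the setting
mds-switch# configure terminal
mds-switch(config)# no snmp-server globalEnforcePriv
mds-switch(config)# end

! 3. Verify the line is gone from the running configuration (no output expected)
mds-switch# show running-config | include globalEnforcePriv

! 4. Persist the running configuration so the change survives a reboot
mds-switch# copy running-config startup-config
[########################################] 100%
Copy complete.
```

The verification step in 3 matters: if the line is still shown, the removal did not take and saving would simply write the broken state into the startup config.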

