Home » HP Manuals » Storage Devices » HP 1606 » Manual Viewer

HP 1606 Fabric OS FCIP Administrators Guide v6.4.0 (53-1001766-01, November 20 - Page 34

Compression options, IPSec implementation over FCIP tunnels

Add to My Manuals
Save this manual to your list of manuals

Page 34 highlights

2 Compression options ipif_addr The locally defined IP address. vlan_id The VLAN tag used for this tag (range 1-4094). L2CoS Layer 2 class of service (range 0-7) dst_IP_addr The destination IP address. All frames destined for this IP address will be tagged with the specified vlan_id and L2 CoS. If a destination IP address is not specified, all frames not already tagged will be tagged. The following example adds an entry that tags all frames from IP address 192.168.10.1 destined for IP address 192.168.20.1 with a VLAN ID of 100, and a L2 CoS value of 3. switch:admin> portcfg vlantag 8/ge0 add 192.168.10.1 100 3 192.168.20.1 Compression options Hardware-based compression is available on both the 7800 switch and the FX8-24 blade. There are two additional more aggressive options for compression. One is a combination of hardware and software compression that provides more compression than hardware compression alone. This option supports up to 8 Gbps of FC traffic. The third option is software only compression option that provides a more aggressive algorithm. This option supports up to 2.5 Gbps of FC traffic. Compression is defined on the FCIP tunnel. IPSec implementation over FCIP tunnels Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure communications over Internet Protocol networks. IPsec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. It helps secure your SAN against network-based attacks from untrusted computers. The following describes the sequence of events that invokes the IPsec protocol. 1. IPSec and Internet Key Exchange (IKE) policies are created and assigned on peer switches or blades on both ends of the FCIP tunnel. 2. Traffic from an IPsec peer with the lower local IP address initiates the IKE negotiation process. 3. IKE negotiates security association (SA) parameters, setting up matching SAs in the peers. Some of the negotiated SA parameters include encryption and authentication algorithms, Diffie-Hellman key exchange, and SA lifetimes. 4. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database. 5. SA lifetimes terminate through deletion or by timing out. An SA lifetime equates to approximately 2GB of traffic passed through the SA. Limitations in using IPSec over FCIP tunnels The following limitations apply to using IPsec: • NAT and AH are not supported. • IPsec-specific statistics are not supported. 20 Fabric OS FCIP Administrator's Guide 53-1001766-01

Section	Page
Contents	5
About This Document	9
In this chapter	9
How this document is organized	9
Supported hardware and software	9
What’s new in this document	10
Document conventions	10
Text formatting	10
Command syntax conventions	11
Notes, cautions, and warnings	11
Key terms	11
Notice to the reader	12
Additional information	12
Brocade resources	12
Other industry resources	12
Getting technical help	13
Document feedback	14
FCIP overview	15
In this chapter	15
FCIP platforms and supported features	15
FCIP concepts	17
IP WAN network considerations	17
FCIP on the 7800 Switch and FX8-24 Blade	19
In this chapter	19
7800 switch hardware overview	20
7800 switch license options	20
VE_Ports and FCIP tunnels on the 7800 switch	21
FCIP trunking capacity on the 7800 switch	21
FX8-24 blade hardware overview	22
FX8-24 blade licensing options	24
VE_Ports and FCIP tunnels on the FX8-24 blade	24
FCIP trunking capacity on the FX8-24 blade	24
FCIP trunking	24
Design for redundancy and fault tolerance	25
FCIP tunnel restrictions for FCP and FICON acceleration features	25
FCIP circuits	25
FCIP circuit failover capabilities	26
Bandwidth calculation during failover	27
Adaptive Rate Limiting	28
FSPF link cost calculation when ARL is used	28
QoS SID/DID priorities over an FCIP trunk	29
QOS, DSCP, and VLANs	30
DSCP quality of service	30
VLANs and layer two quality of service	30
When both DSCP and L2CoS are used	30
DSCP and VLAN support on FCIP circuits	31
Managing the VLAN tag table	33
Compression options	34
IPSec implementation over FCIP tunnels	34
Limitations in using IPSec over FCIP tunnels	34
IPSec for the 7800 and FX8-24 blade	35
Enabling IPSec and IKE policies	35
Open Systems Tape Pipelining	37
FCIP Fastwrite and OSTP configurations	37
Support for IPv6 Addressing	38
IPv6 with Embedded IPv4 Addresses	39
Configuration preparation	40
Configuration steps	40
Setting VE_ports to persistently disabled state	41
Configuring VEX_ports	41
Configuring the media type for GbE ports 0 and 1 (7800 switch only)	41
Setting the GbE port operating mode (FX8-24 blade only)	42
Configuring a GbE or XGE port IP address	43
Configuring an IP route	44
Validating IP connectivity	44
Creating an FCIP tunnel	45
Creating additional FCIP circuits	49
Verifying the FCIP tunnel configuration	49
Enabling persistently disabled ports	50
Modifying an FCIP tunnel	51
Modifying an FCIP circuit	51
Deleting an IP interface	51
Deleting an IP route	52
Deleting an FCIP tunnel	52
Deleting an FCIP circuit	52
Virtual fabrics and the FX8-24 blade	52
FCIP on the 7500 Switch and FR4-18i Blade	53
In this chapter	53
The 7500 switch and FR4-18i blade	54
7500 switch and FR4-18i blade ports	55
FCIP Design Considerations for the 7500 switch and FR4-18i blade	55
Virtual ports and FCIP tunnels	56
Virtual Port Types	56
Compression on FCIP tunnels	57
Traffic shaping	57
FCIP services license	58
QoS implementation over FCIP	58
DSCP quality of service	58
L2CoS quality of service	58
When both DSCP and L2CoS are used	59
IPSec implementation over FCIP	59
IPsec configuration	61
IPsec parameters	61
Creating an IKE and IPsec policy	62
Displaying IKE and IPsec policy settings	63
Deleting an IKE and IPsec policy	63
Viewing IPsec information for an FCIP tunnel	64
Virtual Fabrics and FCIP	65
TCP Byte Streaming	65
Supported third party WAN optimizer hardware	65
Options for enhancing tape I/O performance	66
FCIP Fastwrite and OSTP	66
FCIP Fastwrite and OSTP configurations	67
Unsupported configurations for Fastwrite and OSTP	68
FCIP services configuration guidelines	70
Setting persistently disabled ports	71
Configuring VEX_Ports	71
Creating IP interfaces and routes	72
Creating an FCIP tunnel	75
Verifying the FCIP tunnel configuration	77
Enabling persistently disabled ports	79
Managing FCIP tunnels	81
Modifying and deleting QoS Settings	82
Deleting an FCIP tunnel	83
Deleting an IProute	83
Deleting an IP interface (IPIF)	84
Managing the VLAN tag table	84
FCIP Management and Troubleshooting	85
In this chapter	85
WAN performance analysis tools	85
The tperf option	85
The ipperf option	89
Ipperf performance statistics	90
Starting an ipperf session	90
Ipperf options	92
Using ping to test a connection	93
Using Traceroute	94
Portshow command usage	95
Displaying IP interfaces	95
Displaying IP routes	95
Displaying FCIP tunnel information	95
Displaying FCIP tunnel information (7800 switch and FX8-24 blade)	96
Displaying an FCIP tunnel with FCIP circuit information (7800 switch and FX8-24 blade)	96
Displaying FCIP tunnel performance (7800 switch and FX8-24 blade)	98
Displaying FCIP tunnel TCP connections (7800 switch and FX8-24 blade)	98
Displaying FCIP circuits (7800 switch and FX8-24 blade)	100
Displaying a single circuit	101
Displaying FCIP circuit performance (7800 switch and FX8-24 blade)	101
Displaying QoS prioritization for a circuit	102
Displaying FCIP tunnel information (7500 switch/FR4-18i blade)	103
FCIP tunnel issues	106
FCIP links	108
Gathering additional information	109
FTRACE concepts	110
Displaying the trace for a tunnel	111
Deleting an FTRACE configuration for a tunnel	112
Example of capturing an FTRACE on a tunnel	113

Match case Limit results 1 per page

Fabric OS FCIP Administrator’s Guide

53-1001766-01

Compression options

ipif_addr

The locally defined IP address.

vlan_id

The VLAN tag used for this tag (range 1-4094).

L2CoS

Layer 2 class of service (range 0-7)

dst_IP_addr

The destination IP address. All frames destined for this IP address will be

tagged with the specified vlan_id and L2 CoS. If a destination IP address is

not specified, all frames not already tagged will be tagged.

The following example adds an entry that tags all frames from IP address 192.168.10.1

destined for IP address 192.168.20.1 with a VLAN ID of 100, and a L2 CoS value of 3.

switch:admin>

portcfg vlantag

8/ge0

add

192.168.10.1 100 3 192.168.20.1

Compression options

Hardware-based compression is available on both the 7800 switch and the FX8-24 blade. There

are two additional more aggressive options for compression. One is a combination of hardware and

software compression that provides more compression than hardware compression alone. This

option supports up to 8 Gbps of FC traffic. The third option is software only compression option

that provides a more aggressive algorithm. This option supports up to 2.5 Gbps of FC traffic.

Compression is defined on the FCIP tunnel.

IPSec implementation over FCIP tunnels

Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure

communications over Internet Protocol networks. IPsec supports network-level data integrity, data

confidentiality, data origin authentication, and replay protection. It helps secure your SAN against

network-based attacks from untrusted computers.

The following describes the sequence of events that invokes the IPsec protocol.

IPSec and Internet Key Exchange (IKE) policies are created and assigned on peer switches or

blades on both ends of the FCIP tunnel.

Traffic from an IPsec peer with the lower local IP addres

initiates the IKE negotiation process.

IKE negotiates security association (SA) parameters, setting up matching SAs in the peers.

Some of the negotiated SA parameters include encryption and authentication algorithms,

Diffie-Hellman key exchange, and SA lifetimes.

Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the

SA database.

SA lifetimes terminate through deletion or by timing out. An SA lifetime equates to

approximately 2GB of traffic passed through the SA.

Limitations in using IPSec over FCIP tunnels

The following limitations apply to using IPsec:

•

NAT and AH are not supported.

•

IPsec-specific statistics are not supported.