Home » HP Manuals » Storage Devices » HP 1606 » Manual Viewer

HP 1606 Fabric OS FCIP Administrators Guide v6.4.0 (53-1001766-01, November 20 - Page 59

When both DSCP and L2CoS are used, IPSec implementation over FCIP

Add to My Manuals
Save this manual to your list of manuals

Page 59 highlights

IPSec implementation over FCIP 3 When both DSCP and L2CoS are used If an FCIP tunnel is not VLAN tagged, only DSCP is relevant. If the FCIP tunnel is VLAN tagged, both DSCP and L2CoS are relevant, unless the VLAN is end-to-end, with no intermediate hops in the IP network. The following table shows the default mapping of DSCP priorities to L2Cos priorities per tunnel ID. This may be helpful when consulting with the network administrator. These values may be modified per FCIP tunnel. TABLE 8 Default Mapping of DSCP priorities to L2Cos Priorities Virtual CIrcuit (VC) DSCP priority/bits L2CoS priority/bits Assigned to: 0 46 / 101110 7 / 111 1 7 / 000111 1 / 001 2 11 / 001011 3 / 011 3 15 / 001111 3 / 011 4 19 / 010011 3 / 011 5 23 / 010111 3 / 011 6 27 / 011011 0 / 000 7 31 / 011111 0 / 000 8 35 / 100011 0 / 000 9 39 / 100111 0 / 000 10 43 / 101011 4 / 100 11 47 / 101111 4 / 100 12 51 / 110011 4 / 100 13 55 / 110111 4 / 100 14 59 / 111011 4 / 100 15 63 / 111111 0 / 000 Class F Medium QoS Medium QoS Medium QoS Medium QoS Medium QoS Class 3 Multicast Broadcast/Multicast Low Qos Low Qos High QoS High QoS High QoS High QoS High QoS Reserved IPSec implementation over FCIP Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure communications over Internet Protocol networks. IPsec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. It helps secure your SAN against network-based attacks from untrusted computers, attacks that can result in the denial-of-service of applications, services, or the network, data corruption, and data and user credential theft. By default, when creating an FCIP tunnel, IPsec is disabled. Used to provide greater security in tunneling on an FR4-18i blade or a Brocade 7500 Extension Switch, the IPsec feature does not require you to configure separate security for each application that uses TCP/IP. When configuring for IPsec, however, you must ensure that there is an FR4-18i blade or a Brocade 7500 Extension Switch at each end of the FCIP tunnel. IPsec works on FCIP tunnels with or without IP compression (IPComp), FCIP Fastwrite, and OSTP. IPsec can only be created on tunnels using IPv4 addressing. IPsec requires the High-Performance Extension over FCIP/FC license. Fabric OS FCIP Administrator's Guide 45 53-1001766-01

Section	Page
Contents	5
About This Document	9
In this chapter	9
How this document is organized	9
Supported hardware and software	9
What’s new in this document	10
Document conventions	10
Text formatting	10
Command syntax conventions	11
Notes, cautions, and warnings	11
Key terms	11
Notice to the reader	12
Additional information	12
Brocade resources	12
Other industry resources	12
Getting technical help	13
Document feedback	14
FCIP overview	15
In this chapter	15
FCIP platforms and supported features	15
FCIP concepts	17
IP WAN network considerations	17
FCIP on the 7800 Switch and FX8-24 Blade	19
In this chapter	19
7800 switch hardware overview	20
7800 switch license options	20
VE_Ports and FCIP tunnels on the 7800 switch	21
FCIP trunking capacity on the 7800 switch	21
FX8-24 blade hardware overview	22
FX8-24 blade licensing options	24
VE_Ports and FCIP tunnels on the FX8-24 blade	24
FCIP trunking capacity on the FX8-24 blade	24
FCIP trunking	24
Design for redundancy and fault tolerance	25
FCIP tunnel restrictions for FCP and FICON acceleration features	25
FCIP circuits	25
FCIP circuit failover capabilities	26
Bandwidth calculation during failover	27
Adaptive Rate Limiting	28
FSPF link cost calculation when ARL is used	28
QoS SID/DID priorities over an FCIP trunk	29
QOS, DSCP, and VLANs	30
DSCP quality of service	30
VLANs and layer two quality of service	30
When both DSCP and L2CoS are used	30
DSCP and VLAN support on FCIP circuits	31
Managing the VLAN tag table	33
Compression options	34
IPSec implementation over FCIP tunnels	34
Limitations in using IPSec over FCIP tunnels	34
IPSec for the 7800 and FX8-24 blade	35
Enabling IPSec and IKE policies	35
Open Systems Tape Pipelining	37
FCIP Fastwrite and OSTP configurations	37
Support for IPv6 Addressing	38
IPv6 with Embedded IPv4 Addresses	39
Configuration preparation	40
Configuration steps	40
Setting VE_ports to persistently disabled state	41
Configuring VEX_ports	41
Configuring the media type for GbE ports 0 and 1 (7800 switch only)	41
Setting the GbE port operating mode (FX8-24 blade only)	42
Configuring a GbE or XGE port IP address	43
Configuring an IP route	44
Validating IP connectivity	44
Creating an FCIP tunnel	45
Creating additional FCIP circuits	49
Verifying the FCIP tunnel configuration	49
Enabling persistently disabled ports	50
Modifying an FCIP tunnel	51
Modifying an FCIP circuit	51
Deleting an IP interface	51
Deleting an IP route	52
Deleting an FCIP tunnel	52
Deleting an FCIP circuit	52
Virtual fabrics and the FX8-24 blade	52
FCIP on the 7500 Switch and FR4-18i Blade	53
In this chapter	53
The 7500 switch and FR4-18i blade	54
7500 switch and FR4-18i blade ports	55
FCIP Design Considerations for the 7500 switch and FR4-18i blade	55
Virtual ports and FCIP tunnels	56
Virtual Port Types	56
Compression on FCIP tunnels	57
Traffic shaping	57
FCIP services license	58
QoS implementation over FCIP	58
DSCP quality of service	58
L2CoS quality of service	58
When both DSCP and L2CoS are used	59
IPSec implementation over FCIP	59
IPsec configuration	61
IPsec parameters	61
Creating an IKE and IPsec policy	62
Displaying IKE and IPsec policy settings	63
Deleting an IKE and IPsec policy	63
Viewing IPsec information for an FCIP tunnel	64
Virtual Fabrics and FCIP	65
TCP Byte Streaming	65
Supported third party WAN optimizer hardware	65
Options for enhancing tape I/O performance	66
FCIP Fastwrite and OSTP	66
FCIP Fastwrite and OSTP configurations	67
Unsupported configurations for Fastwrite and OSTP	68
FCIP services configuration guidelines	70
Setting persistently disabled ports	71
Configuring VEX_Ports	71
Creating IP interfaces and routes	72
Creating an FCIP tunnel	75
Verifying the FCIP tunnel configuration	77
Enabling persistently disabled ports	79
Managing FCIP tunnels	81
Modifying and deleting QoS Settings	82
Deleting an FCIP tunnel	83
Deleting an IProute	83
Deleting an IP interface (IPIF)	84
Managing the VLAN tag table	84
FCIP Management and Troubleshooting	85
In this chapter	85
WAN performance analysis tools	85
The tperf option	85
The ipperf option	89
Ipperf performance statistics	90
Starting an ipperf session	90
Ipperf options	92
Using ping to test a connection	93
Using Traceroute	94
Portshow command usage	95
Displaying IP interfaces	95
Displaying IP routes	95
Displaying FCIP tunnel information	95
Displaying FCIP tunnel information (7800 switch and FX8-24 blade)	96
Displaying an FCIP tunnel with FCIP circuit information (7800 switch and FX8-24 blade)	96
Displaying FCIP tunnel performance (7800 switch and FX8-24 blade)	98
Displaying FCIP tunnel TCP connections (7800 switch and FX8-24 blade)	98
Displaying FCIP circuits (7800 switch and FX8-24 blade)	100
Displaying a single circuit	101
Displaying FCIP circuit performance (7800 switch and FX8-24 blade)	101
Displaying QoS prioritization for a circuit	102
Displaying FCIP tunnel information (7500 switch/FR4-18i blade)	103
FCIP tunnel issues	106
FCIP links	108
Gathering additional information	109
FTRACE concepts	110
Displaying the trace for a tunnel	111
Deleting an FTRACE configuration for a tunnel	112
Example of capturing an FTRACE on a tunnel	113

Match case Limit results 1 per page

Fabric OS FCIP Administrator’s Guide

53-1001766-01

IPSec implementation over FCIP

When both DSCP and L2CoS are used

If an FCIP tunnel is not VLAN tagged, only DSCP is relevant. If the FCIP tunnel is VLAN tagged, both

DSCP and L2CoS are relevant, unless the VLAN is end-to-end, with no intermediate hops in the IP

network. The following table shows the default mapping of DSCP priorities to L2Cos priorities per

tunnel ID. This may be helpful when consulting with the network administrator. These values may

be modified per FCIP tunnel.

IPSec implementation over FCIP

Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure

communications over Internet Protocol networks. IPsec supports network-level data integrity, data

confidentiality, data origin authentication, and replay protection. It helps secure your SAN against

network-based attacks from untrusted computers, attacks that can result in the denial-of-service of

applications, services, or the network, data corruption, and data and user credential theft. By

default, when creating an FCIP tunnel, IPsec is disabled.

Used to provide greater security in tunneling on an FR4-18i blade or a Brocade 7500 Extension

Switch, the IPsec feature does not require you to configure separate security for each application

that uses TCP/IP. When configuring for IPsec, however, you must ensure that there is an FR4-18i

blade or a Brocade 7500 Extension Switch at each end of the FCIP tunnel. IPsec works on FCIP

tunnels with or without IP compression (IPComp), FCIP Fastwrite, and OSTP. IPsec can only be

created on tunnels using IPv4 addressing.

IPsec requires the

High-Performance Extension over FCIP/FC license

TABLE 8

Default Mapping of DSCP priorities to L2Cos Priorities

Virtual CIrcuit (VC)

DSCP priority/bits

L2CoS priority/bits

Assigned to:

46 / 101110

7 / 111

Class F

7 / 000111

1 / 001

Medium QoS

11 / 001011

3 / 011

Medium QoS

15 / 001111

3 / 011

Medium QoS

19 / 010011

3 / 011

Medium QoS

23 / 010111

3 / 011

Medium QoS

27 / 011011

0 / 000

Class 3 Multicast

31 / 011111

0 / 000

Broadcast/Multicast

35 / 100011

0 / 000

Low Qos

39 / 100111

0 / 000

Low Qos

43 / 101011

4 / 100

High QoS

47 / 101111

4 / 100

High QoS

51 / 110011

4 / 100

High QoS

55 / 110111

4 / 100

High QoS

59 / 111011

4 / 100

High QoS

63 / 111111

0 / 000

Reserved