Home » HP Manuals » Storage Devices » HP 1606 » Manual Viewer

HP 1606 Fabric OS FCIP Administrators Guide v6.4.0 (53-1001766-01, November 20 - Page 62

Creating an IKE and IPsec policy, The Diffie-Hellman group. Supported groups are Group 1 and Group 14.

Add to My Manuals
Save this manual to your list of manuals

Page 62 highlights

3 IPSec implementation over FCIP The parameters listed inTable 11 can be modified. TABLE 11 Modifiable policy parameters Parameter Description Encryption Algorithm Authentication Algorithm Security Association lifetime in seconds PFS (Perfect Forward Secrecy) Diffie-Hellman group 3DES-168-bit key AES-128-128-bit key (default) AES-256-256-bit key SHA-1-Secure Hash Algorithm (default) MD5-Message Digest 5 AES-XCBC-Used only for IPsec Security association lifetime in seconds. A new key is renegotiated before seconds expires. seconds must be between 28800 to 250000000 or 0. The default is 28800. Applies only to IKE policies. Choices are On/Off and default is On. Group 1-768 bits (default) Group 14-2048 bits Creating an IKE and IPsec policy For a complete description of the policy command, see the Fabric OS Command Reference. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the policy command to create IKE and IPsec policies: policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs] Where: type and number The type of policy being created (IKE or IPsec) and the number for this type of policy. To easily determine how many policies have been created, consider using sequential numbering. The range of valid values is any whole number from 1 through 32. encryption_method The supported type of encryption. Valid options are 3DES, AES-128, and AES-256. AES-128 is the default. authentication_algorithm The authentication algorithm. Valid options are SHA-1, MD5, and AES-XCBC (IPsec only). SHA-1 is the default. DH_Group The Diffie-Hellman group. Supported groups are Group 1 and Group 14. Group 1 is the default. secs The security association lifetime in seconds. 28800 is the default. The following example shows how to create IKE policy number 10 using 3DES encryption, MD5 authentication, and Diffie-Hellman Group 1: switch:admin> policy --create ike 10 -enc 3des -auth md5 -dh 1 The following policy has been set: 48 Fabric OS FCIP Administrator's Guide 53-1001766-01

Section	Page
Contents	5
About This Document	9
In this chapter	9
How this document is organized	9
Supported hardware and software	9
What’s new in this document	10
Document conventions	10
Text formatting	10
Command syntax conventions	11
Notes, cautions, and warnings	11
Key terms	11
Notice to the reader	12
Additional information	12
Brocade resources	12
Other industry resources	12
Getting technical help	13
Document feedback	14
FCIP overview	15
In this chapter	15
FCIP platforms and supported features	15
FCIP concepts	17
IP WAN network considerations	17
FCIP on the 7800 Switch and FX8-24 Blade	19
In this chapter	19
7800 switch hardware overview	20
7800 switch license options	20
VE_Ports and FCIP tunnels on the 7800 switch	21
FCIP trunking capacity on the 7800 switch	21
FX8-24 blade hardware overview	22
FX8-24 blade licensing options	24
VE_Ports and FCIP tunnels on the FX8-24 blade	24
FCIP trunking capacity on the FX8-24 blade	24
FCIP trunking	24
Design for redundancy and fault tolerance	25
FCIP tunnel restrictions for FCP and FICON acceleration features	25
FCIP circuits	25
FCIP circuit failover capabilities	26
Bandwidth calculation during failover	27
Adaptive Rate Limiting	28
FSPF link cost calculation when ARL is used	28
QoS SID/DID priorities over an FCIP trunk	29
QOS, DSCP, and VLANs	30
DSCP quality of service	30
VLANs and layer two quality of service	30
When both DSCP and L2CoS are used	30
DSCP and VLAN support on FCIP circuits	31
Managing the VLAN tag table	33
Compression options	34
IPSec implementation over FCIP tunnels	34
Limitations in using IPSec over FCIP tunnels	34
IPSec for the 7800 and FX8-24 blade	35
Enabling IPSec and IKE policies	35
Open Systems Tape Pipelining	37
FCIP Fastwrite and OSTP configurations	37
Support for IPv6 Addressing	38
IPv6 with Embedded IPv4 Addresses	39
Configuration preparation	40
Configuration steps	40
Setting VE_ports to persistently disabled state	41
Configuring VEX_ports	41
Configuring the media type for GbE ports 0 and 1 (7800 switch only)	41
Setting the GbE port operating mode (FX8-24 blade only)	42
Configuring a GbE or XGE port IP address	43
Configuring an IP route	44
Validating IP connectivity	44
Creating an FCIP tunnel	45
Creating additional FCIP circuits	49
Verifying the FCIP tunnel configuration	49
Enabling persistently disabled ports	50
Modifying an FCIP tunnel	51
Modifying an FCIP circuit	51
Deleting an IP interface	51
Deleting an IP route	52
Deleting an FCIP tunnel	52
Deleting an FCIP circuit	52
Virtual fabrics and the FX8-24 blade	52
FCIP on the 7500 Switch and FR4-18i Blade	53
In this chapter	53
The 7500 switch and FR4-18i blade	54
7500 switch and FR4-18i blade ports	55
FCIP Design Considerations for the 7500 switch and FR4-18i blade	55
Virtual ports and FCIP tunnels	56
Virtual Port Types	56
Compression on FCIP tunnels	57
Traffic shaping	57
FCIP services license	58
QoS implementation over FCIP	58
DSCP quality of service	58
L2CoS quality of service	58
When both DSCP and L2CoS are used	59
IPSec implementation over FCIP	59
IPsec configuration	61
IPsec parameters	61
Creating an IKE and IPsec policy	62
Displaying IKE and IPsec policy settings	63
Deleting an IKE and IPsec policy	63
Viewing IPsec information for an FCIP tunnel	64
Virtual Fabrics and FCIP	65
TCP Byte Streaming	65
Supported third party WAN optimizer hardware	65
Options for enhancing tape I/O performance	66
FCIP Fastwrite and OSTP	66
FCIP Fastwrite and OSTP configurations	67
Unsupported configurations for Fastwrite and OSTP	68
FCIP services configuration guidelines	70
Setting persistently disabled ports	71
Configuring VEX_Ports	71
Creating IP interfaces and routes	72
Creating an FCIP tunnel	75
Verifying the FCIP tunnel configuration	77
Enabling persistently disabled ports	79
Managing FCIP tunnels	81
Modifying and deleting QoS Settings	82
Deleting an FCIP tunnel	83
Deleting an IProute	83
Deleting an IP interface (IPIF)	84
Managing the VLAN tag table	84
FCIP Management and Troubleshooting	85
In this chapter	85
WAN performance analysis tools	85
The tperf option	85
The ipperf option	89
Ipperf performance statistics	90
Starting an ipperf session	90
Ipperf options	92
Using ping to test a connection	93
Using Traceroute	94
Portshow command usage	95
Displaying IP interfaces	95
Displaying IP routes	95
Displaying FCIP tunnel information	95
Displaying FCIP tunnel information (7800 switch and FX8-24 blade)	96
Displaying an FCIP tunnel with FCIP circuit information (7800 switch and FX8-24 blade)	96
Displaying FCIP tunnel performance (7800 switch and FX8-24 blade)	98
Displaying FCIP tunnel TCP connections (7800 switch and FX8-24 blade)	98
Displaying FCIP circuits (7800 switch and FX8-24 blade)	100
Displaying a single circuit	101
Displaying FCIP circuit performance (7800 switch and FX8-24 blade)	101
Displaying QoS prioritization for a circuit	102
Displaying FCIP tunnel information (7500 switch/FR4-18i blade)	103
FCIP tunnel issues	106
FCIP links	108
Gathering additional information	109
FTRACE concepts	110
Displaying the trace for a tunnel	111
Deleting an FTRACE configuration for a tunnel	112
Example of capturing an FTRACE on a tunnel	113

Match case Limit results 1 per page

Fabric OS FCIP Administrator’s Guide

53-1001766-01

IPSec implementation over FCIP

The parameters listed in

Table 11

can be modified.

Creating an IKE and IPsec policy

For a complete description of the

policy

command, see the

Fabric OS Command Reference

Connect to the switch and log in using an account assigned to the admin role.

Enter the

policy

command to create IKE and IPsec policies:

policy --create

type

number

[-enc

encryption_method

][-auth

authentication_algorithm]

[-pfs off|on] [-dh

DH_group

]

[-seclife

secs]

Where:

type

and

number

The type of policy being created (IKE or IPsec) and the number for this type of

policy. To easily determine how many policies have been created, consider

using sequential numbering. The range of valid values is any whole number

from 1 through 32.

encryption_method

The supported type of encryption. Valid options are 3DES, AES-128, and

AES-256. AES-128 is the default.

authentication_algorithm

The authentication algorithm. Valid options are SHA-1, MD5, and AES-XCBC

(IPsec only). SHA-1 is the default.

DH_Group

The Diffie-Hellman group. Supported groups are Group 1 and Group 14.

Group 1 is the default.

secs

The security association lifetime in seconds. 28800 is the default.

The following example shows how to create IKE policy number 10 using 3DES encryption, MD5

authentication, and Diffie-Hellman Group 1:

switch:admin>

policy --create ike 10 -enc 3des -auth md5 -dh 1

The following policy has been set:

TABLE 11

Modifiable policy parameters

Parameter

Description

Encryption Algorithm

3DES—168-bit key

AES-128—128-bit key (default)

AES-256—256-bit key

Authentication Algorithm

SHA-1—Secure Hash Algorithm (default)

MD5—Message Digest 5

AES-XCBC—Used only for IPsec

Security Association lifetime in seconds

Security association lifetime in seconds. A new key is renegotiated

before seconds expires. seconds must be between 28800 to

250000000 or 0. The default is 28800.

PFS (Perfect Forward Secrecy)

Applies only to IKE policies. Choices are On/Off and

default is On.

Diffie-Hellman group

Group 1—768 bits (default)

Group 14—2048 bits