Home » HP Manuals » Storage Devices » HP 8/20q » Manual Viewer

HP 8/20q HP StorageWorks 8/20q and SN6000 Fibre Channel Switch Enterprise Fabr - Page 104

Security policies

Add to My Manuals
Save this manual to your list of manuals

Page 104 highlights

Security policies A security policy defines the following parameters: • Connection source and destination • Data traffic direction: inbound or outbound • Protocols for which to protect data traffic • Security protocols; Authentication Header (AH) or Encapsulating Security Payload (ESP) • Level of protection: IP Security, discard, or none Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections; one policy for each direction. For example, to secure the connection between two hosts, you need two policies: one for outbound traffic from the source to the destination, and another for inbound traffic to the source from the destination. You can specify sources and destinations by IP addresses (version 4 or 6) or DNS host names. If a host name resolves to more than one IP address, the switch creates the necessary policies and associations. You can recognize these dynamic policies and associations because their names begin with DynamicSP_ and DynamicSA_ respectively. You can apply IP security to all communication between two systems, or to select protocols, such as ICMP, TCP, or UDP. Furthermore, instead of applying IP security, you can choose to discard all inbound or outbound traffic, or allow all traffic without encryption. Both the AH and ESP security protocols provide source authentication, ensure data integrity, and protect against replay. To create a policy, click Add on the Security Policy Database side of the Create IPsec Configuration dialog box. This opens the Create IPsec Security Policy dialog box (Figure 58). Table 17 describes the fields in the Create IP Security Policy dialog box. Figure 58 Create IP Security Policy dialog box Table 17 Create IP Security Policy dialog box fields Field Description Name Name of policy Description Description of policy Source Address Source port number (1-65535) Source Prefix Length Length of prefix in source address 104 Managing Switches

Section	Page
Contents	3
Using Enterprise Fabric Management Suite	11
Installing Enterprise Fabric Management Suite	11
Table 1 Workstation requirements	11
Figure 1 Enterprise Fabric Management Suite installation	11
Starting Enterprise Fabric Management Suite	12
Figure 2 Initial Start dialog box	12
Figure 3 Add a New Fabric dialog box	13
Exiting Enterprise Fabric Management Suite	13
Figure 4 Save Default Fabric View File dialog box	13
Figure 5 Load Default Fabric View File dialog box	14
Uninstalling Enterprise Fabric Management Suite	14
Changing the encryption key for the default fabric view file	14
Saving and opening fabric view files	15
Setting Enterprise Fabric Management Suite preferences	15
Figure 6 Preferences dialog box—Enterprise Fabric Management Suite	15
Using online help	16
Viewing software version and copyright information	16
Enterprise Fabric Management Suite user interface	17
Figure 7 Topology display elements	17
Figure 8 SN6000 Fibre Channel Switch faceplate display	17
Figure 9 SN6000 Fibre Channel Switch backplate display	18
Fabric tree	18
Figure 10 Fabric tree	18
Graphic window	19
Data windows and tabs	19
Alerts panel	20
Figure 11 Alerts panel	20
Menu bars	21
Topology display menu	21
Table 2 Topology menu bar options	21
Faceplate display menu	22
Table 3 Faceplate menu bar options	22
Popup menus	25
Menu Shortcut keys	25
Tool bar	26
Table 4 Tool bar options	26
Working with switches and links	26
Working with ports	27
Managing Fabrics	29
Fabric firmware and software versions	29
Saving a version snapshot	29
Viewing and comparing version snapshots	29
Figure 12 Fabric Version Snapshot Analysis dialog box	29
Exporting version snapshots to a file	30
Managing the fabric database	30
Adding a fabric	30
Figure 13 Add a New Fabric dialog box	30
Removing a fabric	31
Opening a fabric view file	31
Saving a fabric view file	31
Rediscovering a fabric	31
Deleting switches and links	32
Adding a new switch to a fabric	32
Replacing a failed switch	32
Displaying fabric information	33
Link data window	33
Figure 14 Link data window	33
Displaying fabric status	34
Table 5 Topology display switch and status icons	34
Event browser	34
Figure 15 Event browser dialog box	35
Table 6 Port operational states	35
Filtering the event browser	36
Figure 16 Filter Events dialog box	36
Sorting the Event Browser	36
Saving the Event Browser to a file	36
Verifying Fibre Channel connections	36
FC Ping dialog box	37
Figure 17 FC Ping dialog box	37
FC Traceroute dialog box	38
Figure 18 FC TraceRoute dialog box	38
Device information and nicknames	38
Devices data window	39
Figure 19 Devices data window	39
Table 7 Devices data window fields	39
Figure 20 Detailed Devices Display window	40
Managing device port nicknames	40
Creating a nickname	40
Editing a nickname	41
Deleting a nickname	41
Exporting nicknames to a file	41
Importing a nicknames file	41
Fabric services	41
Enabling SNMP configuration	42
Enabling in-band management	42
Transparent router	42
Viewing inter-fabric routes	43
Transparent Routes data window	44
Figure 21 Transparent Routes data window	44
Table 8 Transparent Routes data window fields	44
Figure 22 Transparent Route dialog box	45
TR Mapping Manager dialog box	45
Figure 23 TR Mapping Manager dialog box	45
Adding an inter-fabric route	46
Figure 24 Add TR Mapping dialog box	46
Removing an inter-fabric route	47
Creating a zoning commands text file	47
Figure 25 Remote Fabric Zoning dialog box	47
Managing Fabric Zoning	49
Zoning concepts	49
Zones	49
Aliases	49
Zone sets	49
Zoning database	50
Using the Zoning Wizard	50
Managing the zoning database	50
Viewing zoning limits and properties	50
Viewing active and configured zone set information	51
Figure 26 Active Zoneset data window	51
Figure 27 Configured Zoneset data window	52
Editing the zoning database	52
Figure 28 Edit Zoning dialog box	52
Table 9 Edit Zoning dialog box tool bar	53
Table 10 Port/device icons	54
Configuring the zoning database	54
Figure 29 Zoning Config dialog box	54
Merge Auto Save	54
Default Zone	55
Discard Inactive	55
Saving and restoring the zoning database to a file	55
Saving the zoning database to a file	55
Restoring the zoning database from a file	55
Restoring the default zoning database	55
Removing all zone and zone set definitions	56
Merging fabrics and zoning	56
Zone merge failure	56
Zone merge failure recovery	56
Resolving active, configured, and merged zone sets	57
Managing zone sets	57
Creating a zone set	57
Activating and deactivating a zone set	58
Renaming a zone set	58
Removing a zone set	59
Managing zones	59
Creating a zone in a zone set	59
Copying a zone to a zone set	60
Adding zone members	60
Renaming a zone	61
Removing a zone member	62
Removing a zone from a zone set	62
Removing a zone from all zone sets	62
Managing aliases	63
Creating an alias	63
Adding a member to an alias	63
Removing an alias from all zones	64
Managing Fabric Security	65
Connection security	65
User account security	65
Port security	66
Figure 30 Port Binding dialog box	66
Device security	66
Figure 31 Edit Security dialog box	67
Managing the security database	67
Viewing the device security database	68
Figure 32 Configured Security data window	68
Figure 33 Active Security data window	68
Configuring the security data base	69
Figure 34 Security Config dialog box	69
Saving the security database to a file	69
Restoring the security database from a file	70
Resetting the security database	70
Managing security sets	70
Creating a security set	70
Figure 35 Create a Security Set dialog box	70
Removing a security set	71
Renaming a security set	71
Adding an existing group to a security set	71
Removing a group from a security set	71
Removing a group from all security sets	72
Activating a security set	72
Deactivating a security set	72
Managing security groups and members	72
Creating a security group	72
Figure 36 Create a Security Group dialog box	72
Creating a security group member	73
Figure 37 Create a Security Group Member dialog box	73
Modifying a security group member	74
Removing a member from a group	74
Using RADIUS servers	74
Adding a RADIUS server	75
Figure 38 Radius Server Information dialog box—Add server	75
Removing a RADIUS server	76
Figure 39 Radius Server Information dialog box—Remove server	76
Editing RADIUS server information	77
Figure 40 Radius Server Information dialog box—Edit server	77
Modifying authentication order RADIUS server information	78
Figure 41 Radius Server Information dialog box—Modify authentication order	78
Managing Switches	79
Managing user accounts	79
Creating user accounts	80
Figure 42 User Account Administration dialog box—Add account	80
Removing a user account	80
Figure 43 User Account Administration dialog box—Remove account	81
Changing a user account password	81
Figure 44 User Account Administration dialog box—Change password	82
Modifying a user account	82
Figure 45 User Account Administration dialog box—Modify account	83
Viewing switch information	83
Switch data window	84
Figure 46 Switch data window	84
Figure 47 Switch data window buttons	84
Table 11 Switch data window fields	84
Stack Links data window	89
Figure 48 Stack Links data window	89
Table 12 Stack Links data window	89
Configuring port threshold alarms	90
Figure 49 Port Threshold Alarm Configuration dialog box	90
Figure 50 Port threshold alarm example	91
Paging a switch	91
Setting the date/time and enabling NTP client	91
Figure 51 Date/Time dialog box	92
Resetting a switch	93
Table 13 Switch resets	93
Configuring a switch	93
Using the configuration wizard	93
Switch properties	93
Figure 52 Switch Properties dialog box	94
Domain ID and Domain ID lock	94
Syslog	94
Symbolic name	95
Switch administrative states	95
Broadcast support	95
In-band management	95
Fabric device management interface	95
Advanced switch properties (timeout values)	96
Figure 53 Advanced Switch Properties dialog box	96
Managing system services	97
Figure 54 System Services dialog box	97
Managing switch stacks	98
Configuring switches in a stack	98
Security consistency checklist	99
Figure 55 Security Consistency Checklist dialog box	99
Configuring the network	99
Figure 56 Network Properties dialog boxes	100
Network IP configuration	100
Table 14 Network Properties dialog box—IP fields	101
Network DNS configuration	102
Table 15 Network Properties dialog box—DNS fields	102
Network IP Security	103
Figure 57 IPsec Configuration dialog box	103
Table 16 IPsec Configuration dialog box buttons	103
Security policies	104
Figure 58 Create IP Security Policy dialog box	104
Table 17 Create IP Security Policy dialog box fields	104
Security associations	106
Figure 59 Create IP Security Association dialog box	106
Table 18 Create IP Security Association dialog box fields	106
Configuring SNMP	107
SNMP configuration and trap configuration parameters	107
Figure 60 SNMP Properties dialog box	108
Table 19 SNMP Properties dialog box fields	108
SNMP v3 security	109
Figure 61 SNMP v3 Manager dialog box	109
Adding an SNMP v3 user	110
Figure 62 SNMP v3 User Editor dialog box	110
Table 20 SNMP v3 User Editor dialog box fields	110
Modifying an SNMP v3 user	111
Removing an SNMP v3 user	111
Configuring Call Home	111
Figure 63 Call Home Setup dialog box	111
Table 21 Call Home Setup dialog box fields	112
Using the Call Home profile manager	113
Figure 64 Call Home Profile Manager dialog box	113
Creating a profile	114
Figure 65 Call Home Profile Editor dialog box	114
Table 22 Call Home Editor dialog box fields	114
Editing a profile	115
Copying a profile	115
Applying all profiles on a switch to other switches	116
Figure 66 Call Home Profile Multiple Switch Apply dialog box	116
Using the Call Home message queue	117
Figure 67 Call Home Message Queue dialog box	117
Testing Call Home profiles	117
Figure 68 Call Home Test Profile dialog box	117
Changing SMTP servers	117
Figure 69 Call Home Change Over dialog box	117
Testing a switch	118
Figure 70 Switch Diagnostics dialog box	118
Archiving a switch	119
Restoring a switch	120
Figure 71 Restore dialog boxes—full and selective	120
Restoring the factory default configuration	121
Table 23 Factory default configuration settings	121
Installing feature license keys	122
Figure 72 Feature Licenses dialog box	123
Figure 73 Add License Key dialog box	123
Downloading a support file	123
Figure 74 Download Support File dialog box	123
Installing firmware	124
Figure 75 Load Firmware dialog box for a single switch	125
Figure 76 Load Firmware dialog box for a stack	125
Managing Ports	127
Viewing port information	127
Port Information data window	127
Figure 77 Port Information data window	127
Table 24 Port Information data window buttons	127
Table 25 Port Information data window—Summary	128
Table 26 Port Information data window—Advanced	129
Table 27 Port Information data window—Extended Credits	129
Table 28 Port Information data window—Media	129
Table 29 Port Information data window—Digital Diagnostics Monitoring	130
Figure 78 Detailed Media Display dialog box	130
Port Statistics data window	131
Figure 79 Port Statistics data window	131
Table 30 Port Statistics data window fields	131
Configuring ports	134
Figure 80 Port Properties dialog box	134
Table 31 Port Properties dialog box fields	134
Port symbolic name	135
Port types	135
Table 32 Port types	135
Port states	136
Table 33 Port operational states	136
Table 34 Port administrative states	137
Port speeds	137
Table 35 Port speeds	137
Port media status	138
Table 36 Port media status	138
I/O StreamGuard	138
Device Scan	138
Auto Performance Tuning and AL Fairness	139
Figure 81 Advanced Port Properties dialog box	139
Using the Extended Credits wizard	139
Table 37 Extended Credits—Minimum Cable Lengths	140
Figure 82 Extended Credit Wizard dialog box	140
Moving a licensed port	141
Figure 83 Move Port License dialog box	141
Resetting a port	141
Testing ports	141
Figure 84 Port Diagnostics dialog box	142
Graphing port performance	143
Figure 85 EFMS Performance View graph	143
Starting EFMS Performance View	143
Exiting EFMS Performance View	143
Figure 86 Save Default Fabric View File dialog box—EFMS Performance View	144
Figure 87 Load Default Fabric View File dialog box—EFMS Performance View	144
Saving and opening Fabric View files	144
Changing the default Fabric View file encryption key for EFMS Performance View	144
Setting EFMS Performance View preferences	145
Figure 88 Preferences dialog box—EFMS Performance View	145
Setting the polling frequency	145
Figure 89 Set Graph Polling Frequency dialog box	145
Displaying Graphs	146
Arranging graphs in the display	146
Customizing graphs	147
Figure 90 Default Graph Options dialog box	147
Setting global graph type	148
Rescaling a selected graph	148
Printing graphs	148
Saving graph statistics to a file	148
Support and Other Resources	149
Document conventions and symbols	149
Table 38 Document conventions	149
JDOM license	149
Contacting HP	150
HP contact information	150
Subscription service	150
Documentation feedback	150
Related information	150
Documents	150
Other HP websites	151
Glossary	153
Index	157
A	157
B	157
C	157
D	157
E	157
F	157
G	158
H	158
I	158
L	158
M	158
N	158
O	158
P	158
R	159
S	159
T	159
U	159
V	159
W	159
X	160

Match case Limit results 1 per page

104

Managing Switches

Security policies

A security policy defines the following parameters:

•

Connection source and destination

•

Data traffic direction: inbound or outbound

•

Protocols for which to protect data traffic

•

Security protocols; Authentication Header (AH) or Encapsulating Security Payload (ESP)

•

Level of protection: IP Security, discard, or none

Policies can define security for host-to-host, host-to-gateway, and gateway-to-gateway connections; one

policy for each direction. For example, to secure the connection between two hosts, you need two policies:

one for outbound traffic from the source to the destination, and another for inbound traffic to the source

from the destination. You can specify sources and destinations by IP addresses (version 4 or 6) or DNS host

names. If a host name resolves to more than one IP address, the switch creates the necessary policies and

associations. You can recognize these dynamic policies and associations because their names begin with

DynamicSP_ and DynamicSA_ respectively.

You can apply IP security to all communication between two systems, or to select protocols, such as ICMP,

TCP, or UDP. Furthermore, instead of applying IP security, you can choose to discard all inbound or

outbound traffic, or allow all traffic without encryption. Both the AH and ESP security protocols provide

source authentication, ensure data integrity, and protect against replay.

To create a policy, click

Add

on the Security Policy Database side of the Create IPsec Configuration dialog

box. This opens the Create IPsec Security Policy dialog box (

Figure 58

Table 17

describes the fields in the

Create IP Security Policy dialog box.

Figure 58

Create IP Security Policy dialog box

Table 17

Create IP Security Policy dialog box fields

Field

Description

Name

Name of policy

Description

Description of policy

Source Address

Source port number (1–65535)

Source Prefix Length

Length of prefix in source address