Home » HP Manuals » Storage Devices » HP StorageWorks 1606 » Manual Viewer

HP StorageWorks 1606 Brocade Fabric OS Administrator's Guide v6.3.0 (53-100133 - Page 192

IPsec protocols, Endpoint-to-Gateway Tunnel, RoadWarrior configuration

View all HP StorageWorks 1606 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 192 highlights

7 Management interface security Endpoint-to-Gateway Tunnel In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate network through an IPsec-protected tunnel. It might use this tunnel only to access information on the corporate network, or it might tunnel all of its traffic back through the corporate network in order to take advantage of protection provided by a corporate firewall against Internet-based attacks. In either case, the protected endpoint will want an IP address associated with the security gateway so that packets returned to it will go to the security gateway and be tunneled back. FIGURE 13 Endpoint to gateway tunnel configuration RoadWarrior configuration In endpoint-to-endpoint security, packets are encrypted and decrypted by the host which produces or consumes the traffic. In the gateway-to-gateway example, a router on the network encrypts and decrypts the packets on behalf of the hosts on a protected network. A combination of the two is referred to as a RoadWarrior configuration where a host on the internet requires access to a network through a security gateway that is protecting the network. IPsec protocols IPsec uses two different protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), to ensure the authentication, integrity and confidentiality of the communication. To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then included in the IPsec protocol header and the receiver of the packet can check the HMAC if it has access to the secret key. To protect against denial of service attacks, the IPsec protocols use a sliding window. Each packet gets assigned a sequence number and is only accepted if the packet's number is within the window or newer. Older packets are immediately discarded. This protects against replay attacks where the attacker records the original packets and replays them later. 150 Fabric OS Administrator's Guide 53-1001336-01

Section	Page
Contents	5
Figures	25
Tables	29
About This Document	33
In this chapter	33
How this document is organized	33
Supported hardware and software	34
What’s new in this document	35
Document conventions	36
Text formatting	36
Command syntax conventions	37
Notes, cautions, and warnings	37
Key terms	37
Notice to the reader	38
Additional information	38
Brocade resources	38
Other industry resources	38
Getting technical help	39
Document feedback	40
Performing Basic Configuration Tasks	43
In this chapter	43
Fabric OS overview	43
Fabric OS command line interface	44
Console sessions using the serial port	44
Telnet or SSH sessions	45
Getting help on a command	46
Password modification	47
Default account passwords	47
The Ethernet interface on your switch	48
Virtual Fabrics and the Ethernet interface	48
Displaying the network interface settings	48
Static Ethernet addresses	49
DHCP activation	50
IPv6 autoconfiguration	52
Date and time settings	53
Setting the date and time	53
Time zone settings	53
Network time protocol	55
Domain IDs	56
Displaying the domain IDs	56
Setting the domain ID	57
Switch names	57
Customizing the switch name	58
Chassis names	58
Customizing chassis names	58
Switch activation and deactivation	58
Disabling a switch	58
Enabling a switch	59
Switch and enterprise-class platform shutdown	59
Powering off a Brocade switch	59
Powering off a Brocade enterprise-class platform	59
Basic connections	60
Device connection	60
Switch connection	60
Performing Advanced Configuration Tasks	63
In this chapter	63
PIDs and PID binding overview	63
Core PID addressing mode	64
Fixed addressing mode	64
10-bit addressing mode	64
256-area addressing mode	65
WWN-based PID assignment	65
Ports	67
Setting port names	68
Port identification by slot and port number	68
Port identification by port area ID	69
Port identification by index	69
Swapping port area IDs	70
Port activation and deactivation	70
Setting port speeds	71
Setting the same speed for all ports on the switch	71
Blade terminology and compatibility	72
CP blades	73
Core blades	74
Port and application blade compatibility	74
Enabling and disabling blades	75
Enabling blades	75
Disabling blades	76
Blade swapping	76
Swapping blades	77
Swapping blades	79
Power conservation	79
Powering off a port blade	80
Powering on a port blade	80
Inter-chassis links	80
Supported topologies	81
Gateway links	82
Configuring a link through a gateway	83
Equipment status	83
Checking switch operation	83
Verifying High Availability features (directors and enterprise-class platforms only)	83
Verifying fabric connectivity	85
Verifying device connectivity	85
Track and control switch changes	85
Enabling the track changes feature	86
Displaying the status of the track changes feature	86
Viewing the switch status policy threshold values	86
Setting the switch status policy threshold values	87
Audit log configuration	88
Auditable event classes	89
Verifying host syslog prior to configuring the audit log	90
Configuring an audit log for specific event classes	90
High availability of daemon processes	91
Understanding Fibre Channel Services	93
In this chapter	93
Fibre Channel services overview	93
The Management Server	94
Platform services	94
Platform services in a Virtual Fabric	94
Enabling platform services	95
Disabling platform services	95
Management server database	95
Displaying the management server ACL	96
Adding a member to the ACL	96
Deleting a member from the ACL	97
Viewing the contents of the management server database	98
Clearing the management server database	99
Topology discovery	99
Displaying topology discovery status	99
Enabling topology discovery	99
Disabling topology discovery	99
Routing Traffic	101
About this chapter	101
Routing overview	101
Path versus route selection	101
FSPF	102
Fibre Channel NAT	102
Routing policies	103
Displaying the current routing policy	103
Exchange-based routing	104
Port-based routing	104
AP route policy	104
Routing in Virtual Fabrics	105
Route selection	106
Dynamic load sharing	106
Static route assignment	106
Frame order delivery	107
Forcing in-order frame delivery across topology changes	108
Restoring out-of-order frame delivery across topology changes	108
Lossless Dynamic Load Sharing on ports	108
Configuring lossless dynamic load sharing on ports	108
Lossless dynamic load sharing in Virtual Fabrics	108
Frame Redirection	109
Creating a frame redirect zone	110
Deleting a frame redirect zone	110
Viewing redirect zones	110
Managing User Accounts	111
In this chapter	111
User accounts overview	111
Role-Based Access Control (RBAC)	112
The management channel	115
Local database user accounts	116
Default accounts	116
Local account passwords	117
Local account database distribution	118
Distributing the local user database	118
Accepting distribution of user databases on the local switch	118
Rejecting distributed user databases on the local switch	119
Password policies	119
Password strength policy	119
Password history policy	120
Password expiration policy	121
Account lockout policy	121
The boot PROM password	123
Setting the boot PROM password for a switch with a recovery string	123
Setting the boot PROM password for a director with a recovery string	124
Setting the boot PROM password for a switch without a recovery string	125
Setting the boot PROM password for a director without a recovery string	126
The authentication model using RADIUS and LDAP	127
Setting the switch authentication mode	129
Fabric OS user accounts	129
Fabric OS users on the RADIUS server	130
The RADIUS server	133
LDAP configuration and Microsoft Active Directory	139
Authentication servers on the switch	142
Configuring local authentication as backup	143
Configuring Standard Security Features	145
In this chapter	145
Security protocols	145
Secure Copy	146
Setting up SCP for configUploads and downloads	147
Secure Shell protocol	147
SSH public key authentication	148
Secure Sockets Layer protocol	150
Browser and Java support	150
SSL configuration overview	150
Certificate authorities	151
The browser	153
Root certificates for the Java Plug-in	154
Simple Network Management Protocol	155
SNMP and Virtual Fabrics	156
The security level	156
The snmpConfig command	157
Telnet protocol	157
Blocking Telnet	157
Unblocking Telnet	158
Listener applications	159
Ports and applications used by switches	159
Port configuration	160
Configuring Advanced Security Features	161
In this chapter	161
ACL policies overview	161
How the ACL policies are stored	161
Policy members	162
ACL policy management	162
Displaying ACL policies	163
Saving changes without activating the policies	163
Activating policy changes	163
Deleting an ACL policy	163
Adding a member to an existing ACL policy	164
Removing a member from an ACL policy	164
Aborting unsaved policy changes	164
FCS policies	165
FCS policy restrictions	165
Ensuring fabric domains share policies	166
Creating an FCS policy	166
Modifying the order of FCS switches	167
FCS policy distribution	167
DCC policies	168
DCC policy restrictions	169
Creating a DCC policy	169
Deleting a DCC policy	170
SCC policies	171
Creating an SCC policy	171
Authentication policy for fabric elements	172
E_Port authentication	173
Device authentication policy	174
AUTH policy restrictions	175
Authentication protocols	175
Secret key pairs	177
Fabric-wide distribution of the Auth policy	178
IP Filter policy	179
Creating an IP Filter policy	179
Cloning an IP Filter policy	179
Displaying an IP Filter policy	179
Saving an IP Filter policy	180
Activating an IP Filter policy	180
Deleting an IP Filter policy	180
IP Filter policy rules	180
IP Filter policy enforcement	182
Adding a rule to an IP Filter policy	183
Deleting a rule to an IP Filter policy	183
Aborting an IP Filter transaction	183
IP Filter policy distribution	183
Policy database distribution	184
Database distribution settings	185
ACL policy distribution to other switches	186
Fabric-wide enforcement	186
Notes on joining a switch to the fabric	188
Management interface security	190
Configuration examples	191
IPsec protocols	192
Security associations	193
Authentication and encryption algorithms	193
IPsec policies	194
IKE policies	194
Creating the tunnel	196
Example of an End-to-End Transport Tunnel mode	197
Maintaining the Switch Configuration File	201
In this chapter	201
Configuration settings	201
Configuration file format	202
Configuration file backup	204
Uploading a configuration file in interactive mode	205
Configuration file restoration	205
Restrictions	206
Configuration download without disabling a switch	207
Configuration restoration in a FICON environment	209
Configurations across a fabric	210
Downloading a configuration file from one switch to another same model switch	210
Security considerations	211
Configuration Management for Virtual Fabrics	211
Uploading a config file from a switch with Virtual Fabrics enabled	211
Restoring a logical switch using configDownload	212
Restrictions	213
Brocade configuration form	213
Installing and Maintaining Firmware	215
In this chapter	215
Firmware download process overview	215
Upgrading and downgrading firmware	216
Considerations for FICON CUP environments	217
HA sync state	217
Preparing for a firmware download	218
Connected switches	219
Finding the switch firmware version	219
Obtain and decompress firmware	219
Firmware download on switches	220
Switch firmware download process overview	220
Firmware download on an enterprise-class platform	222
Enterprise-class platform firmware download process overview	222
Firmware download from a USB device	226
Enabling USB	226
Viewing the USB file system	226
Downloading from USB using the relative path	226
Downloading from USB using the absolute path	226
SAS and SA applications	227
Downloading an application	227
FIPS Support	228
Public and Private Key Management	228
The firmwareDownload Command	229
Power-on Firmware Checksum Test	230
Test and restore firmware on switches	230
Testing a different firmware version on a switch	230
Test and restore firmware on enterprise-class platforms	232
Testing different firmware versions on enterprise-class platforms	232
Validating a firmware download	235
Managing Virtual Fabrics	237
In this chapter	237
Virtual Fabrics overview	237
Logical switch overview	238
Default logical switch	238
Logical switches and fabric IDs	240
Port assignment in logical switches	240
Logical switches and connected devices	241
Logical fabric overview	242
Logical fabric and ISLs	243
Logical fabric and ISL sharing	244
Management model for logical switches	247
Account management and Virtual Fabrics	248
Supported platforms for Virtual Fabrics	248
Supported port configurations in the Brocade 5100 and 5300	248
Supported port configurations in the Brocade DCX and DCX-4S	248
Virtual Fabrics interaction with other Fabric OS features	249
Limitations and restrictions of Virtual Fabrics	250
Restrictions on moving ports	251
Enabling Virtual Fabrics	251
Disabling Virtual Fabrics	252
Configuring logical switches to use basic configuration values	253
Creating a logical switch or base switch	253
Executing a command in a different logical fabric context	255
Deleting a logical switch	256
Adding and removing ports on a logical switch	256
Displaying logical switch configuration	257
Changing the fabric ID of a logical switch	258
Changing a logical switch to a base switch	259
Configuring a logical switch to use XISLs	260
Changing the context to a different logical fabric	261
Creating a logical fabric using XISLs	261
Administering Advanced Zoning	263
In this chapter	263
Special zones	263
Zoning overview	264
Zone types	265
Zone objects	266
Zone aliases	267
Zone configurations	268
Zoning enforcement	268
Considerations for zoning architecture	269
Best practices for zoning	270
Broadcast zones	270
Broadcast zones and Admin Domains	271
Broadcast zones and FC-FC routing	272
High availability considerations with broadcast zones	272
Loop devices and broadcast zones	272
Broadcast zones and default zoning	272
Zone aliases	273
Creating an alias	273
Adding members to an alias	273
Removing members from an alias	274
Deleting an alias	274
Viewing an alias in the defined configuration	275
Zone creation and maintenance	275
Creating a zone	275
Adding devices (members) to a zone	276
Removing devices (members) from a zone	276
Deleting a zone	277
Viewing a zone in the defined configuration	277
Validating a zone	277
Default zoning mode	278
Setting the default zoning mode	279
Viewing the current default zone access mode	279
Zoning database size	280
Zoning configurations	280
Creating a zoning configuration	280
Adding zones (members) to a zoning configuration	281
Removing zones (members) from a zone configuration	281
Enabling a zone configuration	282
Disabling a zone configuration	282
Deleting a zone configuration	283
Clearing changes to a configuration	283
Viewing all zone configuration information	283
Viewing selected zone configuration information	284
Viewing the configuration in the effective zone database	284
Clearing all zone configurations	285
Zone object maintenance	285
Copying a zone object	285
Deleting a zone object	286
Renaming a zone object	287
Zoning configuration management	287
New switch or fabric additions	287
Fabric segmentation and zoning	289
Security and zoning	289
Zone merging scenarios	290
Managing iSCSI Gateway Service	293
In this chapter	293
iSCSI gateway service overview	293
iSCSI session translation	294
Basic and advanced LUN mapping	295
iSCSI component identification of the IQN prefix	296
Access control with discovery domains	297
Switch-to-iSCSI initiator authentication	298
Load balancing through connection redirection	298
Supported iSCSI initiators	300
Checklist for configuring iSCSI	300
FC4-16IP blade configuration	302
FC4-16IP port numbering	302
Enabling the iSCSI gateway service	303
Enabling GbE ports	304
Configuring the GbE interface	305
iSCSI virtual target configuration	306
Automatic iSCSI VT creation	307
Manual iSCSI VT creation	309
Displaying the iSCSI virtual target LUN map	312
Displaying iSCSI VT state and status	313
Discovery domain and domain set configuration	313
Displaying iSCSI initiator IQNs	314
Creating discovery domains	314
Creating and enabling a discovery domain set	314
iSCSI initiator-to-VT authentication configuration	315
Setting the user name and shared secret	315
Binding user names to an iSCSI VT	315
Deleting user names from an iSCSI VT binding list	316
Displaying CHAP configurations	316
Committing the iSCSI-related configuration	316
Resolving conflicts between iSCSI configurations	317
LUN masking considerations	318
iSCSI FC zoning overview	318
iSCSI FC zone creation	319
Zoning configuration creation	323
Creating and enabling a zoning configuration	323
iSNS client service configuration	324
Displaying iSNS client service status	325
Enabling the iSNS client service	325
Disabling the iSNS client service	326
Clearing the iSNS client configuration	326
Administering NPIV	327
In this chapter	327
NPIV overview	327
Fixed addressing mode	327
10-Bit addressing mode	327
Enabling and disabling NPIV	328
Configuring NPIV	328
Viewing NPIV port configuration information	329
Viewing virtual PID login information	331
Interoperability for Merged SANs	333
In this chapter	333
Interoperability overview	333
Connectivity solutions	334
Domain ID offset modes	335
Configuring the Domain_ID offset	336
McDATA Fabric mode configuration restrictions	336
McDATA Open Fabric mode configuration restrictions	337
Interoperability support for logical switches	338
Switch configurations for interoperability	338
Enabling McDATA Open Fabric mode	339
Enabling McDATA Fabric mode	339
Enabling Brocade Native mode	340
Zone management in interoperable fabrics	341
Zoning restrictions	341
Zone name restrictions	342
Zoning modes	342
Setting the safe zone mode on a stand-alone switch	343
Setting the safe zone mode fabric-wide	343
Disabling safe zone mode	343
Effective zone configuration	343
Saving the effective zone configuration to the Defined Database	344
Frame Redirection in interoperable fabrics	344
Traffic Isolation zones in interoperable fabrics	345
Brocade SANtegrity implementation in mixed fabric SANS	345
Fabric OS Layer 2 Fabric Binding	346
E_Port authentication between Fabric OS and M-EOS switches	346
Switch authentication policy	348
Dumb switch authentication	351
Authentication of EX_Port, VE_Port, and VEX_Port connections	352
Authentication of VE_Port-to-VE_Port connections	353
Authentication of VEX_Port-to-VE_Port connections	356
Authentication of VEX_Port-to-VEX_Port connections	357
FCR SANtegrity	357
Fabric Binding behavior in a mixed fabric	358
Configuring the preferred domain ID and the insistent domain ID	358
FICON implementation in a mixed fabric	359
Fabric OS version change restrictions in an interoperable environment	359
Coordinated Hot Code Load	360
Bypassing the Coordinated HCL check on firmware download	360
Coordinated HCL on switches firmware downloads	361
Upgrade and downgrade considerations for HCL for interoperability	361
McDATA-aware features	361
McDATA-unaware features	362
M-EOS feature limitations in mixed fabrics	364
Supported hardware in an interoperable environment	365
Supported features in an interoperable environment	368
Unsupported features in an interoperable environment	370
Managing Administrative Domains	371
In this chapter	371
Administrative Domains overview	371
Admin Domain features	373
Requirements for Admin Domains	373
Admin Domain access levels	374
User-defined Administrative Domains	374
System-defined Administrative Domains	374

Match case Limit results 1 per page

150

Fabric OS Administrator’s Guide

53-1001336-01

Management interface security

Endpoint-to-Gateway Tunnel

In this scenario, a protected endpoint (typically a portable computer) connects back to its corporate

network through an IPsec-protected tunnel. It might use this tunnel only to access information on

the corporate network, or it might tunnel all of its traffic back through the corporate network in

order to take advantage of protection provided by a corporate firewall against Internet-based

attacks. In either case, the protected endpoint will want an IP address associated with the security

gateway so that packets returned to it will go to the security gateway and be tunneled back.

FIGURE 13

Endpoint to gateway tunnel configuration

RoadWarrior configuration

In endpoint-to-endpoint security, packets are encrypted and decrypted by the host which produces

or consumes the traffic. In the gateway-to-gateway example, a router on the network encrypts and

decrypts the packets on behalf of the hosts on a protected network. A combination of the two is

referred to as a RoadWarrior configuration where a host on the internet requires access to a

network through a security gateway that is protecting the network.

IPsec protocols

IPsec uses two different protocols, Authentication Header (AH) and Encapsulating Security Payload

(ESP), to ensure the authentication, integrity and confidentiality of the communication.

To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication

codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to

calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then

included in the IPsec protocol header and the receiver of the packet can check the HMAC if it has

access to the secret key.

To protect against denial of service attacks, the IPsec protocols use a sliding window. Each packet

gets assigned a sequence number and is only accepted if the packet's number is within the window

or newer. Older packets are immediately discarded. This protects against replay attacks where the

attacker records the original packets and replays them later.