HP StorageWorks 2/16V HP StorageWorks Fabric OS 5.2.0b Release Notes (AA-RWEYB - Page 17



FC Routing
• If an HP StorageWorks MP Router is present in the backbone fabric, the command fcrDisable may take up to 8 minutes to complete. If the MP Router is replaced by a B-Series MP Router blade (FR4-18i) or an HP StorageWorks 400 MP Router, the command completes immediately.
• EX_Port trunking is not enabled by default.

Security
• Remove any password enforced expiration of admin or root accounts before downgrading firmware to 5.0.1 or lower versions.

Diagnostics
• All offline diagnostics commands should be used only when the switch is disabled.
• POST can fail if new SFPs are added during POST. SFPs should only be added while the switch is “online” or if the switch is powered off.
• When you use the diagnostic commands systemVerification and diagSetBurnin, the switch or blade will fault when the burn-in error log is full. Clear the burn-in log before running systemVerification or diagSetBurnin.
• If there are ISLs present on the switch that are not used for routing because they have higher linkcosts, disable the links before running spinfab.

HA
• If there is an already segmented port and backbone devices are exported to an edge fabric, a build fabric/fabric reconfiguration can occur after running haFailover. Ensure that there are no segmented ports before upgrading firmware.

IPSec for B-Series MP Router blade (FR4-18i)
• IPSec implementation details:
  - Pre-shared key
  - Main mode (IKE negotiation protocol)
  - Tunnel mode in Encapsulating Security Payload (ESP)
• IPSec specific statistics not provided.
• No NAT or IPV6 support
• FastWrite and Tape Pipelining will not be supported in conjunction with secure tunnels.
• Jumbo frames will not be supported on secure tunnels.
• ICMP redirect is not supported for IPSec-enabled tunnels.
• Only a single secure tunnel will be allowed on a port. Non-secure tunnels will not be allowed on the same port as secure tunnels.
• Modify operations are not allowed on secure tunnels. To change the configuration of a secure tunnel, you must first delete the tunnel and then recreate it with the desired options.
• Only a single route is supported on an interface with a secure tunnel.
• An IPSec tunnel cannot be created using the same local IP address if ipperf is active and using the same local IP address (source IP address).
• Unidirectional supported throughput is ~104Mbytes/sec and bidirectional supported throughput is ~90Mbytes/sec.
• An IPSec tunnel takes longer to come online than a non-IPSec tunnel.