Home » Dell Manuals » Servers » Dell 8 » Manual Viewer

Dell 8 Web Tools Administrator’s Guide - Page 262

IPsec over FCIP, Accessing the IPsec Policies dialog box

Add to My Manuals
Save this manual to your list of manuals

Page 262 highlights

17 IPsec over FCIP DRAFT: BROCADE CONFIDENTIAL DH group choices are 1(modp768), 2(modp1024), 14(modp2048), and 18(modp8192). Each group provides an incrementally more secure key exchange by providing more bits (768, 1024, 2048, 8192). Authentication methods The methods used to authenticate the IKE peer are preshared key (psk), DSS digital signature (dss), and RSA digital signature (rsasig): • A Preshared key (PSK) is a shared secret that is shared between two parties over a secure channel before it is used. Typically, the PSK is a password or pass phrase. PSKs are created in the end systems used by the two parties. There are several tools available to help select a strong key that will work with various operating systems. When choosing a tool and creating a PSK, keep in mind that the cryptographic strength of a key generally increases with length. • The Digital Signature Standard (DSS) makes use of a private key to generate a digital signature. Each user possesses a private and public key pair. Signature generation can be performed only by the possessor of the user's private key. The digital signature is sent to the intended verifier in a message. The verifier of the message and signature verifies the signature by using the sender's public key. • The RSA digital signature process uses a private key to encrypt only the message digest. The encrypted message digest becomes the digital signature and is attached to the original data. To verify the contents of digitally signed data, the recipient generates a new message digest from the data that was received, decrypts the original message digest with the originator's public key, and compares the decrypted digest with the newly generated digest. If the two digests match, the integrity of the message is verified. The identity of the originator also is confirmed because the public key can decrypt only data that has been encrypted with the corresponding private key. IPsec over FCIP 7500 extension switches and FR4-81i blades use FCIP protocol to IP to carry Fibre Channel traffic over IP networks. IPsec can be used to secure the IP flows over an FCIP tunnel. At a high level, the steps to take are: • Access the IPsec Policies dialog box. • Create an IKE policy for authentication. • Create a security association (SA). • Create an SA proposal. • Add an IPsec Transform policy, referencing the IKE policy and the SA proposal. • Add an IPsec selector that allows you to apply a Transform policy to a specific IP flow. • Enable the policy. Accessing the IPsec Policies dialog box Use the following procedure to access the IPsec Policies dialog box. 1. Open the Switch Administration window. 2. Select Show Advanced Mode. 234 Web Tools Administrator's Guide 53-1001772-01

Section	Page
Contents	5
Figures	17
Tables	19
About This Document	21
In this chapter	21
How this document is organized	21
Supported hardware and software	22
What’s new in this document	23
Document conventions	24
Text formatting	24
Notes, cautions, and warnings	24
Key terms	25
Notice to the reader	25
Additional information	25
Brocade resources	25
Other industry resources	26
Getting technical help	26
Document feedback	27
Introducing Web Tools	29
In this chapter	29
Web Tools overview	29
Web Tools, the EGM license, and DCFM	29
Web Tools features enabled by the EGM license	30
Web Tools functionality moved to DCFM	31
System requirements	32
Setting refresh frequency for Internet Explorer	33
Deleting temporary internet files used by Java applications	34
Java installation on the workstation	34
Installing the JRE on your Solaris or Linux client workstation	35
Installing patches on Solaris	35
Installing the Java plug-in on Windows	35
Java plug-in configuration	36
Configuring the Java plug-in for Windows	36
Configuring the Java plug-in for Mozilla family browsers	36
Value line licenses	37
Opening Web Tools	37
Logging in	39
Logging out	41
Role-Based Access Control	42
Session management	42
Ending a Web Tools session	43
Web Tools system logs	43
Requirements for IPv6 support	44
Using the Web Tools Interface	45
In this chapter	45
Viewing Switch Explorer	45
Changes for consistency with DCFM	48
Persisting GUI preferences	50
Tasks	50
Fabric Tree	51
Changing the Admin Domain context	51
Switch View buttons	53
Switch View	53
Switch Events and Switch Information	55
Free Professional Management tool	56
Displaying tool tips	56
Right-click options	57
Refresh rates	58
Displaying switches in the fabric	58
Working with Web Tools: recommendations	59
Opening a Telnet or SSH client window	59
Collecting logs for troubleshooting	60
Managing Fabrics and Switches	61
In this chapter	61
Fabric and switch management overview	61
Opening the Switch Administration window	63
Configuring IP and subnet mask information	64
Configuring Auto Refresh	64
Configuring a syslog IP address	65
Removing a syslog IP address	65
Configuring IP Filtering	66
Blade management	66
Enabling or disabling a blade	66
Setting a slot-level IP address	67
Viewing IP addresses	68
Switch configuration	68
Enabling and disabling a switch	68
Changing the switch name	69
Changing the switch domain ID	69
Viewing and printing a switch report	69
Switch restart	70
Performing a fast boot	70
Performing a reboot	70
System configuration parameters	70
WWN-based Persistent PID assignment	71
Configuring fabric settings	71
Enabling insistent domain ID mode	72
Configuring virtual channel settings	73
Configuring arbitrated loop parameters	73
Configuring system services	74
Configuring signed firmware	74
Licensed feature management	75
Activating a license on a switch	75
Assigning slots for a license key	76
Removing a license from a switch	76
Universal time-based licensing	77
High Availability overview	77
Admin Domain considerations	77
Launching the High Availability window	77
Synchronizing services on the CP	80
Initiating a CP failover	81
Event monitoring	81
Displaying Switch Events	82
Filtering Switch Events	83
Filtering events by event severity levels	83
Filtering events by message ID	83
Filtering events by service component	84
Displaying the Name Server entries	84
Printing the Name Server entries	85
Displaying Name Server information for a particular device	85
Displaying zone members for a particular device	85
Physically locating a switch using beaconing	85
Locating logical switches using chassis beaconing	86
Virtual Fabrics overview	86
Selecting a logical switch from the Switch View	86
Viewing logical ports	87
Maintaining Configurations and Firmware	89
In this chapter	89
Creating a configuration backup file	89
Restoring a configuration	91
Admin Domain configuration maintenance	92
Uploading and downloading from USB storage	93
Performing a firmware download	93
SAS and SA firmware download	95
Switch configurations for mixed fabrics	95
Enabling interoperability	96
Managing Administrative Domains	97
In this chapter	97
Administrative Domain overview	97
Requirements for Admin Domains	97
User-defined Admin Domains	98
System-defined Admin Domains	98
Admin Domain membership	99
Enabling Admin Domains	99
Admin Domain window	100
Opening the Admin Domain window	103
Refreshing fabric information	104
Refreshing Admin Domain information	104
Saving local Admin Domain changes	104
Closing the Admin Domain window	105
Creating and populating domains	105
Creating an Admin Domain	105
Adding ports or switches to the fabric	106
Activating or deactivating an Admin Domain	107
Modifying Admin Domain members	107
Renaming Admin Domains	108
Deleting Admin Domains	108
Clearing the Admin Domain configuration	109
Managing Ports	111
In this chapter	111
Port management overview	111
Opening the Port Administration window	111
Port Administration window components	112
Controllable ports	114
Configuring FC ports	115
Allowed port types	116
Long distance mode	117
Ingress rate limit	117
FC Fastwrite	117
Assigning a name to a port	117
Port beaconing	118
Enabling and disabling a port	118
Considerations for enabling or disabling a port?	119
Persistent enabling and disabling ports	119
Enabling and disabling NPIV ports	120
Port activation	121
Enabling Ports on Demand	122
Enabling Dynamic Ports on Demand	122
Disabling Dynamic Ports on Demand	123
Reserving and releasing licenses on a port basis	123
Port swapping index	124
Port swapping	124
Determining if a port index was swapped with another switch port	125
Configuring BB credits on an F_Port	125
Enabling ISL Trunking	127
In this chapter	127
ISL Trunking overview	127
Disabling or enabling ISL Trunking	127
Admin Domain considerations	128
Viewing trunk group information	128
F_Port trunk groups	129
Creating and maintaining F_Port trunk groups	129
Monitoring Performance	131
In this chapter	131
Performance Monitor overview	131
Basic monitoring	131
Advanced monitoring	131
Performance graphs	132
Admin Domain considerations	132
Predefined performance graphs	133
User-defined graphs	135
Canvas configurations	136
Opening the Performance Monitoring window	136
Creating basic performance monitor graphs	137
Customizing basic monitoring graphs	137
Advanced performance monitoring graphs	139
Creating SID-DID Performance graphs	139
Creating the SCSI vs. IP Traffic graph	140
Creating SCSI command graphs	140
Tunnel and TCP performance monitoring graphs	141
Tunnel and TCP graph chart properties	142
Saving graphs to a canvas	142
Adding graphs to an existing canvas	144
Printing graphs	144
Modifying graphs	145
Administering Zoning	147
In this chapter	147
Zoning overview	147
Basic zones	147
Traffic Isolation zones	148
LSAN zone requirements	148
QoS zone requirements	148
Zoning configurations	149
Opening the Zone Administration window	149
Setting the default zoning mode	149
Zoning management	149
Refreshing fabric information	151
Refreshing Zone Administration window information	152
Saving local zoning changes	152
Selecting a zoning view	153
Creating and populating zone aliases	154
Adding and removing members of a zone alias	154
Renaming zone aliases	155
Deleting zone aliases	155
Creating and populating zones	156
Adding and removing members of a zone	156
Renaming zones	157
Cloning zones	157
Deleting zones	158
Creating and populating enhanced traffic isolation zones	158
Zone configuration and zoning database management	159
Creating zone configurations	159
Adding or removing zone configuration members	160
Renaming zone configurations	161
Cloning zone configurations	161
Deleting zone configurations	161
Enabling zone configurations	162
Disabling zone configurations	162
Displaying enabled zone configurations	163
Viewing the enabled zone configuration name without opening the Zone Administration window	163
Viewing detailed information about the enabled zone configuration	163
Adding a WWN to multiple aliases and zones	164
Removing a WWN from multiple aliases and zones	164
Replacing a WWN in multiple aliases and zones	165
Searching for zone members	165
Clearing the zoning database	166
Zone configuration analysis	166
Best practices for zoning	166
Working with Diagnostic Features	167
In this chapter	167
Trace dumps	167
How a trace dump is used	168
Setting up automatic trace dump transfers	168
Specifying a remote server	168
Enabling automatic transfer of trace dumps	169
Disabling automatic trace uploads	169
Displaying switch information	169
Viewing detailed fan hardware status	170
Viewing the temperature status	171
Viewing the power supply status	171
Checking the physical health of a switch	172
Defining Switch Policy	173
Port LED interpretation	174
Port icon colors	174
LED representations	175
Brocade 48000 Director LEDs	176
Using the FC-FC Routing Service	177
In this chapter	177
Fibre Channel Routing overview	177
Supported switches for Fibre Channel Routing	178
Setting up FC-FC routing	178
FC-FC routing management	178
Opening the FC Routing module	179
Viewing and managing LSAN fabrics	180
Viewing EX_Ports	181
Configuring an EX_Port	183
Editing the configuration of an EX_Port	183
Configuring FCR router port cost	183
Viewing LSAN zones	184
Viewing LSAN devices	184
Configuring the backbone fabric ID	184
Using the Access Gateway	187
In this chapter	187
Access Gateway overview	187
Viewing Switch Explorer for Access Gateway mode	188
Access Gateway mode	189
Restricted access in the Port Administration window	189
Enabling Access Gateway mode	190
Disabling Access Gateway mode	191
Viewing the Access Gateway settings	191
Port configuration	191
Creating port groups	192
Editing or viewing port groups	192
Deleting port groups	193
Defining custom F-N port mapping	194
Defining custom WWN-N port mappings	194
Access Gateway policy modification	195
Path Failover and Failback policies	195
Modifying Path Failover and Failback policies	195
Enabling the Automatic Port Configuration policy	195
Access Gateway limitations on the Brocade 8000	196
Administering Fabric Watch	199
In this chapter	199
Fabric Watch overview	199
Using Fabric Watch with Web Tools	200
Opening the Fabric Watch window	201
System Monitor	201
Fabric Watch threshold configuration	201
Configuring threshold traits	202
Configuring threshold alarms	202
Enabling or disabling threshold alarms for individual elements	204
Configuring alarms for FRUs	204
Fabric Watch alarm information	205
Viewing an alarm configuration report	205
Displaying alarms	205
E-mail notification	206
Configuring the e-mail server on a switch	206
Configuring the e-mail alert	207
Administering Extended Fabrics	209
In this chapter	209
Extended link buffer allocation overview	209
Configuring a port for long distance	211
Administering the iSCSI Target Gateway	213
In this chapter	213
iSCSI service overview	213
Supported platforms for iSCSI	214
Common iSCSI Target Gateway Admin functions	214
Terminology	214
Saving changes	215
Setting up iSCSI Target Gateway services	216
Launching the iSCSI Target Gateway Admin Module	216
Launching the iSCSI setup wizard	217
Activating the iSCSI feature	217
Encryption services for the iSCSI Target Gateway	217
Configuring the IP interface	217
Editing an IP Address	218
Configuring the IP route (optional)	219
Editing the IP route	219
Creating iSCSI virtual targets	219
Using Easy Create to create iSCSI virtual targets	220
Editing an iSCSI target	220
Searching for a specific Fibre Channel target	221
Viewing iSCSI initiators	221
Discovery Domain management	221
Discovery domains	221
Creating a discovery domain	222
Editing a discovery domain	222
Discovery domain sets	223
Creating a discovery domain set	223
Editing a discovery domain set	223
CHAP configuration	223
Creating a CHAP user	224
Editing a CHAP secret	224
Binding or removing CHAP users	224
Connection redirection	225
Enabling or disabling connection redirection	225
iSCSI Fibre Channel zone configuration	225
Creating an iSCSI Fibre Channel zone with no effective zone configuration	226
Creating an iSCSI Fibre Channel zone with an effective zone configuration	226
Managing and troubleshooting accessibility	227
Routing Traffic	229
In this chapter	229
Routing overview	229
Viewing fabric shortest path first routing	230
Configuring dynamic load sharing	231
Lossless dynamic load sharing	231
Specifying frame order delivery	232
Configuring the link cost for a port	232
Configuring Standard Security Features	235
In this chapter	235
User-defined accounts	235
Virtual Fabrics considerations	236
Admin Domain considerations	236
Viewing user account information	237
Creating user-defined accounts	237
Deleting user-defined accounts	240
Changing user account parameters	240
Maintaining passwords	241
Access control list policy configuration	243
Virtual Fabrics considerations	244
Admin Domain considerations	244
Creating an SCC, DCC, or FCS policy	244
Editing an SCC, DCC, or FCS policy	244
Deleting all SCC, DCC, or FCS policies	245
Activating all SCC, DCC, or FCS policies	245
Distributing an SCC, DCC, or FCS policy	246
Moving an FCS policy switch position	246
Fabric-Wide Consistency Policy configuration	246
Authentication policy configuration	247
Configuring authentication policies for E_Ports	247
Configuring authentication policies for F_Ports	248
Distributing authentication policies	248
Re-authenticating policies	249
Setting a shared secret key pair	249
Modifying a shared secret key pair	249
Setting the Switch Policy Authentication mode	250
SNMP configuration	250
Setting SNMP trap levels	250
Changing the systemGroup configuration parameters	250
Setting SNMPv1 configuration parameters	251
Setting SNMPv3 configuration parameters	251
Changing the access control configuration	252
RADIUS management	252
Enabling and disabling RADIUS	253
Configuring RADIUS	253
Modifying the RADIUS server	254
Modifying the RADIUS server order	254
Removing a RADIUS server	255
Active Directory service management	255
Enabling Active Directory service	255
Modifying Active Directory service	256
Removing Active Directory service	256
IPsec concepts	256
Transport mode and tunnel mode	257
IPsec header options	258
Basic IPsec configurations	259
Internet Key Exchange concepts	260
IPsec over FCIP	262
Accessing the IPsec Policies dialog box	262
Establishing an IKE policy for an FCIP tunnel	263
Establishing an IPsec policy for an FCIP tunnel	263
IPsec over management ports	264
Enabling the Ethernet IPsec policies	264
Establishing an IKE policy	264
Creating a security association	265
Creating an SA proposal	266
Adding an IPsec transform policy	266
Adding an IPsec selector	267
Manually creating an SA	268
Editing an IKE or IPsec policy	269
Deleting an IKE or IPsec policy	269
Establishing authentication policies for HBAs	269
Administering FICON CUP Fabrics	271
In this chapter	271
FICON CUP fabrics overview	271
Enabling port-based routing	272
Enabling or disabling FICON Management Server mode	272
FMS parameter configuration	273
Configuring FMS mode parameters	274
Displaying code page information	274
Viewing the control device state	275
CUP port connectivity configuration	276
Viewing CUP port connectivity configurations	276
Modifying CUP port connectivity configurations	277
Activating a CUP port connectivity configuration	278
Copying a CUP port connectivity configuration	279
Deleting a CUP port connectivity configuration	279
CUP logical path configuration	279
Viewing CUP logical path configurations	279
Configuring CUP logical paths	280
Link Incident Registered Recipient configuration	280
Viewing Link Incident Registered Recipient configurations	280
Configuring LIRRs	280
Displaying Request Node Identification Data	281
Configuring FCoE with Web Tools	283
In this chapter	283
Web Tools and FCoE overview	284
Web Tools, the EGM license, and DCFM	284
Port information that is unique to FCoE	284
Switch administration and FC0E	285
FC0E configuration tasks	285
Quality of Service configuration	286
Adding a CEE map	286
Adding a traffic class map	287
LLDP-DCBX configuration	287
Configuring global LLDP characteristics	287
Adding an LLDP profile	289
Configuring CEE interfaces	290
Configuring a link aggregation group	291
Configuring VLANs	291
Configuring FCoE login groups	292
Displaying FCoE port information	293
Displaying LAG information	294
Displaying VLAN information	294
Displaying FCoE login groups	294
Displaying QoS information	294
Displaying LLDP-DCBX information	295
Displaying CEE interface statistics	295
Configuring a CEE interface from the Switch View	295
Configuring a CEE interface from the Port Admin panel	295
Enabling and disabling a LAG	296
Enabling and disabling LLDP	296
Enabling and disabling QoS priority-based flow control	296
Enabling and disabling FCoE ports	297
Limitations	299
In this chapter	299
General Web Tools limitations	299

Match case Limit results 1 per page

234

Web Tools Administrator’s Guide

53-1001772-01

IPsec over FCIP

DRAFT: BROCADE CONFIDENTIAL

DH group choices are 1(modp768), 2(modp1024), 14(modp2048), and 18(modp8192). Each

group provides an incrementally more secure key exchange by providing more bits (768, 1024,

2048, 8192).

Authentication methods

The methods used to authenticate the IKE peer are preshared key (psk), DSS digital signature

(dss), and RSA digital signature (rsasig):

•

A Preshared key (PSK) is a shared secret that is shared between two parties over a secure

channel before it is used. Typically, the PSK is a password or pass phrase. PSKs are created in

the end systems used by the two parties. There are several tools available to help select a

strong key that will work with various operating systems. When choosing a tool and creating a

PSK, keep in mind that the cryptographic strength of a key generally increases with length.

•

The Digital Signature Standard (DSS) makes use of a private key to generate a digital

signature. Each user possesses a private and public key pair. Signature generation can be

performed only by the possessor of the user's private key. The digital signature is sent to the

intended verifier in a message. The verifier of the message and signature verifies the signature

by using the sender's public key.

•

The RSA digital signature process uses a private key to encrypt only the message digest. The

encrypted message digest becomes the digital signature and is attached to the original data.

To verify the contents of digitally signed data, the recipient generates a new message digest

from the data that was received, decrypts the original message digest with the originator's

public key, and compares the decrypted digest with the newly generated digest. If the two

digests match, the integrity of the message is verified. The identity of the originator also is

confirmed because the public key can decrypt only data that has been encrypted with the

corresponding private key.

IPsec over FCIP

7500 extension switches and FR4-81i blades use FCIP protocol to IP to carry Fibre Channel traffic

over IP networks. IPsec can be used to secure the IP flows over an FCIP tunnel.

At a high level, the steps to take are:

•

Access the IPsec Policies dialog box.

•

Create an IKE policy for authentication.

•

Create a security association (SA).

•

Create an SA proposal.

•

Add an IPsec Transform policy, referencing the IKE policy and the SA proposal.

•

Add an IPsec selector that allows you to apply a Transform policy to a specific IP flow.

•

Enable the policy.

Accessing the IPsec Policies dialog box

Use the following procedure to access the

IPsec Policies

dialog box.

Open the

Switch Administration

window.

Select

Show Advanced Mode

Dell 8 Web Tools Administrator&#8217;s Guide - Page 262

IPsec over FCIP, Accessing the IPsec Policies dialog box

Page 262 highlights

Dell 8 Web Tools Administrator’s Guide - Page 262