Home » Dell Manuals » Hubs & Switches » Dell Brocade 6520 » Manual Viewer

Dell Brocade 6520 Web Tools Administrator's Guide Supporting Fabric OS v7.1.0 - Page 219

Basic IPsec configurations, Encapsulating Security Payload, Endpoint to Endpoint

Add to My Manuals
Save this manual to your list of manuals

Page 219 highlights

IPsec concepts 15 Encapsulating Security Payload ESP provides authentication, and also provides privacy by encrypting the IP datagram. The use of an ESP header is similar to the use of the AH header. A hash algorithm is used to calculate an authentication value, the authentication value is sent in an IP datagram, and the same hash algorithm is used by the receiver to verify the authentication value. ESP can be used in either transport mode or tunnel mode, as shown in Figure 43. FIGURE 43 ESP header in transport mode and tunnel mode Basic IPsec configurations There are three basic configurations for IPsec use: • Endpoint to Endpoint • Gateway to Gateway • Endpoint to Gateway Endpoint to Endpoint In an endpoint to endpoint configuration, both endpoints implement IPsec. Transport mode is commonly used in endpoint to endpoint configurations, and only a single pair of addresses is used. Typically, this kind of configuration would be used for direct communication between hosts. There are two drawbacks to consider: • If network address translation (NAT) is used on the connection, one or both endpoints may be behind a NAT node. If that is the case, UDP must be used to encapsulate the tunneled packets. Port numbers in the UDP headers can then be used to identify the endpoint behind the NAT node. • Packets cannot be inspected or modified in transit. This means that QoS, traffic shaping, and firewall applications cannot access the packets, and does not work. Web Tools Administrator's Guide 191 53-1002756-01

Section	Page
Contents	5
Figures	17
Tables	19
About This Document	21
In this chapter	21
How this document is organized	21
Supported hardware and software	22
What’s new in this document	23
Document conventions	24
Text formatting	24
Notes, cautions, and warnings	25
Key terms	25
Notice to the reader	25
Additional information	26
Brocade resources	26
Other industry resources	26
Getting technical help	26
Document feedback	27
Introducing Web Tools	29
In this chapter	29
Web Tools overview	29
Web Tools, the EGM license, and Brocade Network Advisor	29
Web Tools features enabled by the EGM license	30
Web Tools functionality moved to Brocade Network Advisor	31
System requirements	32
Setting refresh frequency for Internet Explorer	33
Deleting temporary internet files used by Java applications	34
Java installation on the workstation	35
Installing the JRE on your Solaris or Linux client workstation	35
Installing patches on Solaris	35
Installing the Java plug-in on Windows	36
Java plug-in configuration	36
Configuring the Java plug-in for Windows	36
Configuring the Java Plug-in for Mozilla family browsers	36
Value line licenses	37
Opening Web Tools	38
Logging in	39
Logging out	41
Role-Based Access Control	41
Session management	42
Ending a Web Tools session	42
Web Tools system logs	43
Technical SupportSave logs	43
Requirements for IPv6 support	44
Using the Web Tools Interface	45
In this chapter	45
Viewing Switch Explorer	45
Persisting GUI preferences	47
Tabs	48
Fabric Tree	48
Switch View buttons	49
Switch View	49
Switch Events and Switch Information	51
Free Professional Management tool	52
Displaying tool tips	52
Right-click options	53
Refresh rates	53
Displaying switches in the fabric	54
Working with Web Tools: recommendations	54
Opening a Telnet or SSH client window	55
Collecting logs for troubleshooting	56
Managing Fabrics and Switches	57
In this chapter	57
Fabric and switch management overview	57
Opening the Switch Administration window	59
Configuring IP and subnet mask information	59
Configuring Netstat Auto Refresh	60
Configuring a syslog IP address	60
Removing a syslog IP address	60
Configuring IP Filtering	61
Blade management	61
Enabling or disabling a blade	62
Setting a slot-level IP address	62
Viewing IP addresses	63
Switch configuration	63
Enabling and disabling a switch	63
Enabling and disabling switch persistent	64
Changing the switch name	64
Changing the switch domain ID	65
Viewing and printing a switch report	65
Setting a principal switch	65
Switch restart	66
Performing a fast boot	66
Performing a reboot	67
System configuration parameters	67
WWN-based Persistent PID assignment	67
Configuring fabric settings	68
Enabling insistent domain ID mode	69
Configuring virtual channel settings	69
Configuring arbitrated loop parameters	70
Configuring system services	70
Configuring signed firmware	71
Licensed feature management	71
Activating a license on a switch	71
Assigning slots for a license key	72
Removing a license from a switch	72
Universal time-based licensing	73
High Availability overview	73
Launching the High Availability window	73
Synchronizing services on the CP	74
Initiating a CP failover	75
Event monitoring	75
Displaying Switch Events	77
Filtering Switch Events	77
Filtering events by event severity levels	77
Filtering events by message ID	78
Filtering events by service component	78
Displaying the Name Server entries	78
Printing the Name Server entries	79
Displaying Name Server information for a particular device	79
Displaying zone members for a particular device	79
Physically locating a switch using beaconing	80
Locating logical switches using chassis beaconing	80
Virtual Fabrics overview	80
Selecting a logical switch from the Switch View	81
Viewing logical ports	81
Maintaining Configurations and Firmware	83
In this chapter	83
Creating a configuration backup file	83
Restoring a configuration	84
Uploading and downloading from USB storage	85
Performing a firmware download	85
Managing Ports	87
In this chapter	87
Port management overview	87
Opening the Port Admin tab	88
Port Admin tab components	88
Controllable ports	91
Configuring FC ports	92
Allowed port types	93
Long distance mode	93
Ingress rate limit	94
Assigning a name to a port	95
Port beaconing	96
Enabling and disabling a port	96
Considerations for enabling or disabling a port	97
Persistent enabling and disabling ports	97
Configuring NPIV ports	98
Port activation	99
Enabling Ports on Demand	100
Enabling Dynamic Ports on Demand	100
Disabling Dynamic Ports on Demand	101
Diagnostic ports	101
Reserving and releasing licenses on a port basis	102
Port swapping index	102
Port swapping	103
Determining if a port index was swapped with another switch port	103
Configuring BB credits on an F_Port	104
Configuring ALPA	105
Configuring port octet speed combination	106
Configuring CSCTL	108
Configuring compression and encryption	109
Enabling/disabling encryption	109
Enabling/disabling compression	109
Displaying compression ratio	110
Forward Error Correction	110
Inband Management	110
GigE port modes	112
Enabling ISL Trunking	113
In this chapter	113
ISL Trunking overview	113
Disabling or enabling ISL Trunking	113
Viewing trunk group information	114
F_Port trunk groups	115
Creating and maintaining F_Port trunk groups	115
Monitoring Performance	117
In this chapter	117
Performance Monitor overview	117
Basic monitoring	117
Advanced monitoring	118
Performance graphs	118
Predefined performance graphs	118
User-defined graphs	121
Canvas configurations	121
Opening the Performance Monitor window	122
Creating basic performance monitor graphs	122
Customizing basic monitoring graphs	123
Advanced performance monitoring graphs	125
Creating SID-DID Performance graphs	125
Creating the SCSI vs. IP Traffic graph	126
Creating SCSI command graphs	126
Tunnel and TCP performance monitoring graphs	127
Tunnel and TCP graph chart properties	128
Saving graphs to a canvas	128
Adding graphs to an existing canvas	129
Printing graphs	129
Modifying graphs	129
Administering Zoning	131
In this chapter	131
Zoning overview	131
Basic zones	131
Traffic Isolation zones	131
LSAN zone requirements	132
QoS zone requirements	132
Zoning configurations	132
Opening the Zone Admin window	132
Setting the default zoning mode	133
Zoning management	133
Refreshing fabric information	135
Refreshing Zone Administration window information	136
Saving local zoning changes	136
Selecting a zoning view	137
Creating and populating zone aliases	137
Adding and removing members of a zone alias	138
Renaming zone aliases	139
Deleting zone aliases	139
Creating and populating zones	139
Adding and removing members of a zone	140
Renaming zones	141
Cloning zones	141
Deleting zones	142
Creating and populating enhanced traffic isolation zones	142
Zone configuration and zoning database management	143
Creating zone configurations	144
Adding or removing zone configuration members	144
Renaming zone configurations	145
Cloning zone configurations	145
Deleting zone configurations	145
Enabling zone configurations	146
Disabling zone configurations	146
Displaying enabled zone configurations	147
Viewing the enabled zone configuration name without opening the Zone Administration window	147
Viewing detailed information about the enabled zone configuration	147
Adding a WWN to multiple aliases and zones	148
Removing a WWN from multiple aliases and zones	148
Replacing a WWN in multiple aliases and zones	149
Searching for zone members	149
Clearing the zoning database	150
Zone configuration analysis	150
Best practices for zoning	150
Working with Diagnostic Features	151
In this chapter	151
Trace dumps	151
How a trace dump is used	152
Setting up automatic trace dump transfers	152
Specifying a remote server	152
Enabling automatic transfer of trace dumps	152
Disabling automatic trace uploads	153
Displaying switch information	153
Viewing detailed fan hardware status	154
Viewing the temperature status	154
Viewing the power supply status	155
Checking the physical health of a switch	155
Defining Switch Policy	156
Port LED interpretation	158
Port icon colors	158
Using the FC-FC Routing Service	159
In this chapter	159
Fibre Channel Routing overview	159
Supported switches for Fibre Channel Routing	160
Setting up FC-FC routing	160
FC-FC routing management	161
Opening the FC Routing module	161
Viewing and managing LSAN fabrics	162
Viewing EX-Ports	162
Configuring an EX-Port	163
Editing the configuration of an EX-Port	163
Configuring FCR router port cost	164
Viewing LSAN zones	164
Viewing LSAN devices	164
Configuring the backbone fabric ID	165
Using the Access Gateway	167
In this chapter	167
Access Gateway overview	167
Viewing Switch Explorer for Access Gateway mode	167
Access Gateway mode	168
Restricted access in the Port Admin tab	169
Enabling Access Gateway mode	169
Disabling Access Gateway mode	170
Viewing the Access Gateway settings	170
Port configuration	170
Creating port groups	171
Editing or viewing port groups	171
Deleting port groups	172
Defining custom primary F-N port mapping	172
Defining custom static F-N port mapping	173
Defining custom WWN-N port mappings	173
Access Gateway policy modification	174
Path Failover and Failback policies	174
Modifying Path Failover and Failback policies	174
Enabling the Automatic Port Configuration policy	174
Access Gateway limitations on the Brocade 8000	176
Administering Fabric Watch	177
In this chapter	177
Fabric Watch overview	177
Administering Extended Fabrics	179
In this chapter	179
Extended link buffer allocation overview	179
Configuring a port for long distance	182
Routing Traffic	185
In this chapter	185
Routing overview	185
Viewing fabric shortest path first routing	186
Configuring dynamic load sharing	187
Lossless dynamic load sharing	187
Specifying frame order delivery	188
Configuring the link cost for a port	188
Configuring Standard Security Features	191
In this chapter	191
User-defined accounts	191
Virtual Fabrics considerations	192
Viewing user account information	193
Creating user-defined accounts	193
Deleting user-defined accounts	195
Changing user account parameters	195
Maintaining passwords	196
User-defined roles	198
Guidelines and restrictions	198
Creating a user-defined role	199
Editing a user-defined role	200
Access control list policy configuration	201
Virtual Fabrics considerations	202
Creating an SCC, DCC, or FCS policy	202
Editing an SCC, DCC, or FCS policy	202
Deleting all SCC, DCC, or FCS policies	203
Activating all SCC, DCC, or FCS policies	203
Distributing an SCC, DCC, or FCS policy	203
Moving an FCS policy switch position	204
Configuring Advanced Device Security policy	204
Fabric-Wide Consistency Policy configuration	205
Authentication policy configuration	206
Configuring authentication policies for E_Ports	206
Configuring authentication policies for F_Ports	206
Distributing authentication policies	207
Re-authenticating policies	207
Setting a shared secret key pair	207
Modifying a shared secret key pair	208
Setting the Switch Policy Authentication mode	208
SNMP configuration	208
Setting SNMP trap levels	208
Changing the systemGroup configuration parameters	209
Setting SNMPv1 configuration parameters	209
Setting SNMPv3 configuration parameters	209
Changing the access control configuration	210
RADIUS management	210
Enabling and disabling RADIUS	211
Configuring RADIUS	211
Modifying the RADIUS server	212
Modifying the RADIUS server order	213
Removing a RADIUS server	213
Active Directory service management	213
Enabling Active Directory service	213
Modifying Active Directory service	214
Removing Active Directory service	214
TACACS+ management	215
Enabling and disabling TACACS+	215
Configuring TACACS+	215
Modifying TACACS+	215
Removing TACACS+	216
IPsec concepts	216
Transport mode and tunnel mode	217
IPsec header options	218
Basic IPsec configurations	219
Internet Key Exchange concepts	220
IPsec over management ports	222
Enabling the Ethernet IPsec policies	222
Establishing an IKE policy	223
Creating a security association	223
Creating an SA proposal	224
Adding an IPsec transform policy	225
Adding an IPsec selector	225
Manually creating an SA	226
Editing an IKE or IPsec policy	227
Deleting an IKE or IPsec policy	227
Establishing authentication policies for HBAs	228
Administering FICON CUP Fabrics	229
In this chapter	229
FICON CUP fabrics overview	229
Enabling port-based routing	230
Enabling or disabling FICON Management Server mode	231
FMS parameter configuration	231
Configuring FMS mode parameters	232
Displaying code page information	233
Viewing the control device state	233
Allow / Prohibit Matrix configuration	234
Viewing Allow / Prohibit Matrix configurations	235
Modifying Allow / Prohibit Matrix configurations	235
Activating an Allow / Prohibit Matrix configuration	237
Copying an Allow / Prohibit Matrix configuration	237
Deleting an Allow / Prohibit Matrix configuration	238
CUP logical path configuration	238
Viewing CUP logical path configurations	238
Configuring CUP logical paths	238
Link Incident Registered Recipient configuration	239
Viewing Link Incident Registered Recipient configurations	239
Configuring LIRRs	239
Displaying Request Node Identification Data	240
Configuring FCoE with Web Tools	241
In this chapter	241
Web Tools and FCoE overview	241
Web Tools, the EGM license, and Brocade Network Advisor	242
Port information that is unique to FCoE	242
Switch administration and FCoE	243
FC0E configuration tasks	243
Quality of Service configuration	243
Editing the DCB map	244
Adding a traffic class map	244
LLDP-DCBX configuration	245
Configuring global LLDP characteristics	245
Adding an LLDP profile	247
Configuring DCB interfaces	248
Configuring a link aggregation group	249
Configuring VLANs	250
Configuring FCoE login groups	251
Displaying FCoE port information	251
Displaying LAG information	252
Displaying VLAN information	253
Displaying FCoE login groups	253
Displaying QoS information	253
Displaying LLDP-DCBX information	253
Displaying DCB interface statistics	253
Configuring a DCB interface from the Switch View	254
Configuring a DCB interface from the Port Admin panel	254
Enabling and disabling a LAG	254
Enabling and disabling LLDP	255
Enabling and disabling QoS priority-based flow control	255
Enabling and disabling FCoE ports	255
Limitations	257
In this chapter	257
General Web Tools limitations	257

Match case Limit results 1 per page

Web Tools Administrator’s Guide

191

53-1002756-01

IPsec concepts

Encapsulating Security Payload

ESP provides authentication, and also provides privacy by encrypting the IP datagram. The use of

an ESP header is similar to the use of the AH header. A hash algorithm is used to calculate an

authentication value, the authentication value is sent in an IP datagram, and the same hash

algorithm is used by the receiver to verify the authentication value. ESP can be used in either

transport mode or tunnel mode, as shown in

Figure 43

FIGURE 43

ESP header in transport mode and tunnel mode

Basic IPsec configurations

There are three basic configurations for IPsec use:

•

Endpoint to Endpoint

•

Gateway to Gateway

•

Endpoint to Gateway

Endpoint to Endpoint

In an endpoint to endpoint configuration, both endpoints implement IPsec. Transport mode is

commonly used in endpoint to endpoint configurations, and only a single pair of addresses is used.

Typically, this kind of configuration would be used for direct communication between hosts. There

are two drawbacks to consider:

•

If network address translation (NAT) is used on the connection, one or both endpoints may be

behind a NAT node. If that is the case, UDP must be used to encapsulate the tunneled packets.

Port numbers in the UDP headers can then be used to identify the endpoint behind the NAT

node.

•

Packets cannot be inspected or modified in transit. This means that QoS, traffic shaping, and

firewall applications cannot access the packets, and does not work.